Privacy Impact Assessment (PIA) Under Quebec Law

Art. 3.3, 3.4, 17, LPRPSP

What the law requires

A Privacy Impact Assessment (PIA, called "EFVP" in French) is a mandatory risk analysis in two specific situations defined by the Act respecting the protection of personal information in the private sector.

Situation 1 — IT Systems (Art. 3.3): Before acquiring, developing, or overhauling an information system or electronic service delivery system involving personal information, you must conduct a PIA.

Situation 2 — Transfers Outside Quebec (Art. 17): Before communicating personal information outside Quebec, you must conduct a PIA. The boundary is Quebec, not Canada: hosting in another province is also a transfer outside Quebec. In practice this covers most cloud and SaaS providers, including American services like Google, Microsoft, Mailchimp, Shopify, etc.

The PIA must be proportionate to the sensitivity of the information, the purposes of its use, its quantity, distribution, and medium (Art. 3.4). A small business using a standard service doesn't need an analysis as exhaustive as a financial institution processing sensitive data.

Legal reference

"Any person carrying on an enterprise must conduct a privacy impact assessment for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information."

"For the purposes of such an assessment, the person must consult the person in charge of the protection of personal information within the enterprise from the outset of the project."

"The person must also ensure that the project allows computerized personal information collected from the person concerned to be communicated to him in a structured, commonly used technological format."

"The conduct of a privacy impact assessment under this Act must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored."

— Art. 3.3 (first three paragraphs) and Art. 3.4 (last paragraph), Act respecting the protection of personal information in the private sector

What you must do

The PIA is not a standard form imposed by the CAI; it is an analysis process that you document according to your needs. Here's how to proceed:

  1. Identify if a PIA is required. Ask yourself two questions: Am I acquiring, developing, or overhauling a system that processes personal information? Will personal information be transferred outside Quebec?
  2. Describe the context. What is the project or service? What personal information is involved (names, emails, payment data, health data)? Who will have access?
  3. Identify the risks. What are the privacy risks? For a transfer outside Quebec, Art. 17 requires you to weigh the sensitivity of the information, the purposes of its use, the protection measures (including contractual ones) that will apply to it, and the legal framework of the destination jurisdiction. For a transfer to the United States, consider in particular the CLOUD Act, the provider's privacy policies, and the security measures in place.
  4. Document protective measures. Is the provider SOC 2 or ISO 27001 certified, and does the certification's scope cover the service you are buying? Is data encrypted in transit and at rest? Is there a data processing agreement (DPA)? For a transfer outside Quebec, Art. 17 also requires that the communication be covered by a written agreement that takes the results of the PIA into account, so the DPA is not optional in that case.
  5. Conclude. Can the project proceed? Under what conditions? Document your decision and keep the PIA on file.

Example — Mailchimp: An online store wants to use Mailchimp for newsletters. The PIA documents: (1) the information transferred (emails, first names), (2) the risk of transfer to the United States, (3) Mailchimp's measures (encryption, certifications, DPA available), (4) the conclusion that the risk is acceptable for non-sensitive data with measures in place.

Example — New accounting software: A firm acquires new accounting software hosted in Canada. The PIA documents: (1) the information processed (client financial data), (2) the risk of unauthorized access, (3) the provider's measures and internal access controls, (4) the conclusion that the project can proceed. If the hosting is in Canada but outside Quebec, the PIA also covers the transfer under Art. 17.

Common mistakes

  • Not doing a PIA at all. Many SMEs use American services without ever documenting the required assessment. The absence of a PIA is a breach of the law.
  • Confusing PIA with privacy policy. The PIA is an internal risk analysis. The privacy policy is a public document. They are two different things.
  • Making a disproportionate PIA. The PIA must be proportionate to the actual risk. The higher the risk, the more thorough the analysis should be.
  • Not keeping the PIA. Even though you don't have to submit it to the CAI, you must be able to present it in case of an audit. Keep it with your compliance documents.
  • Forgetting "free" services. Google Analytics, Facebook Pixel, chat widgets — all these services may involve a transfer of personal information outside Quebec and require a PIA.

Frequently asked questions

When is a Privacy Impact Assessment required?

A PIA is required in two situations: (1) before acquiring, developing, or overhauling an information system that processes personal information, and (2) before transferring personal information outside Quebec.

Do I need a PIA to use Google Analytics?

Yes, if Google Analytics collects personal information (such as IP addresses) and that data is transferred to the United States. The PIA must document the risks and protective measures in place.

Do I need a PIA to use Mailchimp?

Yes. Mailchimp stores data in the United States. Before transferring your customers' emails and names there, you must conduct a PIA documenting the risks of this cross-border transfer.

Is a PIA required for software hosted in Canada?

If you're acquiring a new system that processes personal information, a PIA is required under Art. 3.3, even if the provider is in Canada. And if the provider hosts the data in Canada but outside Quebec, the transfer itself must also be assessed under Art. 17, which applies to any communication outside Quebec, not only outside Canada.

What is the proportionality principle?

The PIA must be proportionate to the sensitivity of the information, the purposes of its use, its quantity, distribution, and medium. An SME using Mailchimp for newsletters doesn't need a 50-page PIA.

How long does a PIA take?

For an SME with a simple case (e.g., using an American cloud service), a PIA can be completed in 1 to 2 hours. Complex cases involving sensitive data or multiple systems may take longer.

Do I need to submit the PIA to the CAI?

No. The PIA does not need to be submitted to the Commission d'accès à l'information (CAI). However, you must keep it on file and be able to present it in case of an inquiry or audit.

Next step

Once your PIAs are completed for your main services and systems, make sure you have appropriate agreements with your vendors (data processing agreements) and that your consent practices are compliant.
