Cross-border data transfers under PIPEDA
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
"Where does the data live?" is one of the first questions a Canadian buyer asks, and the answer trips up vendors who assume PIPEDA forbids foreign hosting. It does not. PIPEDA permits cross-border transfers — it just makes you accountable and transparent about them. The full Act is at laws-lois.justice.gc.ca/eng/acts/P-8.6.
Transfer for processing is a "use," not a "disclosure"
The Office of the Privacy Commissioner treats handing personal information to a processor — a cloud host, a sub-processor — as a use of that information for the purpose it was collected, not a fresh disclosure to a new party. That distinction matters: because it is a continuation of the original use, the original consent generally carries it, as long as the processor only uses the data for your stated purpose and you remain accountable for it.
Accountability follows the data across the border
The accountability principle is the heart of cross-border handling. You stay responsible for personal information you transfer for processing, and must use contractual or other means to ensure the processor provides comparable protection. A data-processing agreement covering permitted use, safeguards, breach notice back to you, sub-processing controls, and return-or-destruction is how that accountability is documented.
Openness: tell people their data may leave Canada
The OPC expects transparency. Individuals should be told that their personal information may be processed in a foreign jurisdiction and may be accessible to that country's courts, law enforcement, and national-security authorities. This belongs in your privacy policy in plain terms — and your questionnaire answers should mirror it exactly. An answer that contradicts your published policy is the inconsistency reviewers are paid to find.
Data residency is a contract question, not a PIPEDA question
If a buyer requires that data stay in Canada, that is a contractual or procurement requirement on their side — common in some public-sector and health contexts — not something PIPEDA itself imposes. Treat it as a scoping conversation, not a compliance failure. Note that other Canadian regimes are stricter: Quebec's Law 25 requires a privacy impact assessment before communicating personal information outside Quebec, which is a materially higher bar than PIPEDA's.
For the wider picture, see "What is PIPEDA?" and the privacy-law hub. To answer the cross-border rows on a real questionnaire, use the PIPEDA questionnaire guide.
Common questions.
Does PIPEDA allow personal data to be stored in the United States?
Yes. PIPEDA does not prohibit storing or processing personal information outside Canada. It treats a cross-border transfer to a processor as a 'use', not a 'disclosure', and holds you accountable for the information wherever it is processed. You must safeguard it through your contract with the processor and be transparent that it may be handled in a foreign jurisdiction.
Do I need consent to transfer personal data outside Canada under PIPEDA?
The Office of the Privacy Commissioner's position is that a transfer to a third party for processing does not, by itself, require separate consent — the original consent for the use covers it — provided the information is used only for the original purpose. What you do need is openness: tell individuals that their information may be processed in another country and could be accessible to that country's courts and law enforcement.
Is data residency the same thing as PIPEDA compliance?
No. Data residency — keeping data physically in Canada — is not a PIPEDA requirement. It usually comes from a contract, a procurement rule, or a sector-specific regime (some public-sector and health contexts impose it). PIPEDA's concern is accountability and transparency, not location. Conflating the two leads vendors to over-promise Canadian residency they do not actually need.
What must my contract with a foreign processor cover?
Under the accountability principle you must use contractual or other means to ensure the processor provides a comparable level of protection. In practice that means a data-processing agreement covering permitted use, security safeguards, breach notification back to you, restrictions on sub-processing, and return or destruction of the data when the engagement ends.