Quebec's Law 25 gets the headlines — the CA$25-million penalties, the mandatory privacy impact assessments, the data-portability right. If you're a developer or founder in Toronto, Vancouver, or Calgary, it's easy to file all of it under “a Quebec problem.”
It isn't. The privacy statute changes when you cross a provincial line. The sovereignty problem doesn't. Here's the map for the rest of Canada — and why the answer is the same coast to coast.
The patchwork, briefly
Federal and most provinces: PIPEDA. The Personal Information Protection and Electronic Documents Act governs private- sector data handling federally and in every province that hasn't passed its own substantially-similar law. That includes Ontario — Canada's largest market — which has no general private-sector privacy statute of its own.
British Columbia and Alberta: PIPA.Both have their own Personal Information Protection Act, each declared “substantially similar” to PIPEDA and applying instead of it to activity that stays inside the province. Alberta has been actively modernizing its regime; a 2025 legislative review recommended administrative penalties and stronger rules, and consultation continued into 2026.
Quebec: Law 25. The strictest of the bunch, now fully in force, with the largest fines and the explicit cross-border transfer assessment.
One clarification worth making, because the confusion is common: Ontario's Bill 194 is not a private-sector privacy law. It reforms the public-sector regime (FIPPA) for government bodies. Ontario businesses are still under PIPEDA.
Different statutes, identical exposure
Here's the part that doesn't change at the border. Every one of these regimes makes you accountable for the personal information you hand to a processor — and every one of them is undercut the same way by the US CLOUD Act.
If your hosting provider is US-owned, US authorities can compel your data regardless of which Canadian city the server is in. That's true whether your accountability runs through PIPEDA in Ottawa, PIPA in Victoria, or Law 25 in Montreal. A Canadian region doesn't fix it, because the exposure comes from who controls the operator, not where the disk spins.
Which means the sovereignty fix is also identical everywhere: a platform that is itself wholly Canadian-owned and operated falls outside the CLOUD Act, and satisfies the cross-border-accountability concern that anchors all of these regimes at once. You don't need a different vendor for each province. You need one that's actually Canadian.
Lead with the jurisdiction-neutral case
If you're selling to customers across the country, a Law-25-only pitch speaks to one province and leaves the rest cold. The hook that works everywhere is the one underneath all of it: Canadian-owned, Canadian-operated, outside the US CLOUD Act. That sentence is true for an Ontario PIPEDA buyer, a BC PIPA buyer, and a Quebec Law-25 buyer equally — and it's the sentence federal procurement is now writing into its own requirements.
What this means for you
Wherever in Canada you operate, the compliance posture is the same: keep the data in Canada, and keep the operator Canadian. Canner does both — Quebec-hosted, 100% Canadian-owned — and backs it with the paperwork your regime asks for: a Data Processing Agreement built for PIPEDA and Law 25, and a written residency attestation for your privacy file, available on any plan or included on Enterprise. The full mechanism lives on our sovereignty page.