Quebec’s EFVP explained: the Law 25 privacy impact assessment for English-speaking businesses
Law 25’s privacy impact assessment has a French name and mostly French documentation. If you serve Quebec from anywhere else, here’s what it asks of you.
What it boils down to
An EFVP — évaluation des facteurs relatifs à la vie privée — is Quebec’s statutory privacy impact assessment. If your business holds personal information about people in Quebec, Law 25 makes the exercise mandatory in specific situations, and nearly everything explaining how to do one is written in French. Here’s the whole picture in English.
- Two triggers: any project that acquires, develops or overhauls an information system handling personal information, and any communication of personal information outside Quebec — Ontario included.
- The law scales the effort to the project: sensitivity, purpose, quantity, distribution and medium of the information decide how deep you go.
- The deliverable is a written record you keep on file, built with your privacy officer (RPRP) from the start of the project — not a form you file with a regulator.
What an EFVP actually is
Strip away the acronym and the question underneath is plain: before you commit to a project that touches personal information, have you looked at what could go wrong for the people that information describes — and can you show your work? An EFVP is the structured answer. It describes the project, inventories the data involved, tests whether the project genuinely needs that data, names the risks and records what you’re doing about them.
The term comes from Quebec’s private-sector privacy act, as modernized by Law 25. The rest of Canada says privacy impact assessment, or PIA; Quebec wrote its own term into the statute, along with defined triggers and a mandatory role for the privacy officer. If you’ve run a PIA before, the muscle memory transfers.
The Commission d’accès à l’information publishes a formal companion guide to conducting an EFVP (PDF) — thorough, careful, and available only in French. That’s a real barrier for the Ottawa software firm signing its first Quebec customer, or the Toronto retailer opening a Montreal location. What follows is the practical version: the same obligations, sized for a business where the privacy office is one person wearing three hats.
When Law 25 requires one
The first trigger is any project to acquire, develop or overhaul an information system — or an electronic service — that involves personal information. The wording is broad on purpose. A new CRM, a payroll platform, a client portal, a rebuild of your e-commerce site: each of these lands inside the rule the moment it touches data that can identify a person.
The second trigger is communicating personal information outside Quebec. That covers far more than selling data — putting your records on a US-hosted SaaS platform, consolidating files at a Toronto head office, giving an offshore support team access. Before the information moves, the assessment has to weigh its sensitivity, the purposes it will serve, the protections in place and the legal regime of the destination. And if the transfer goes ahead, it must be covered by a written agreement that reflects what the assessment found.
One note on biometrics, because the question comes up: it isn’t a third EFVP trigger, strictly speaking, but a neighbouring duty. Any system that verifies identity using biometric characteristics must be disclosed to the Commission d’accès à l’information, and a database of biometric characteristics must be declared at least 60 days before it goes into service. The Commission recommends running an EFVP for these projects — given how sensitive the data is, that recommendation is easy to take.
Sized to the project: what proportionality means
This is the nuance that reassures most SMB owners: the law itself says the assessment must be proportionate to the sensitivity of the information, the purpose of its use, its quantity, its distribution and its medium. The legislator does not expect the same document from a ten-person firm adopting a booking tool and from a clinic centralizing patient files.
For a small project with ordinary data — names, contact details, order history — a few honest pages are enough, provided they show the reasoning: what you collect, why, what you checked, what you decided. No template is imposed. What matters is that the thinking happened before the decisions did, and that a trace of it survives.
A step-by-step you can run in-house
Here is the sequence we use with clients, reduced to six steps. For a simple project it fits inside one or two working sessions.
- Describe the project and its data flows. Which system, which personal information, where it comes from, where it goes, who can reach it. A one-page diagram beats a long memo.
- Identify the privacy risks. Unauthorized access, use beyond the original purpose, data kept too long, a destination outside Quebec — seen from the perspective of the people described, not just the business.
- Test necessity and proportionality. Every data field has to earn its place. If the project works without dates of birth, don’t collect them.
- Choose mitigation measures. Encryption, tighter access, Canadian hosting, contractual clauses, shorter retention — concrete measures, each tied to a risk you named.
- Document it and keep it on file. The assessment, the vendor’s answers, the decision and its justification. This is the document someone will ask for after a complaint or an incident.
- Revisit when the project changes. A new module, a new subcontractor, a data-centre move: any significant change reopens the assessment.
Your RPRP must be consulted from the start — for system projects that’s a requirement of the law, not a courtesy. In practice, that means inviting them to the first working session, not to the final proofread.
The mistakes we keep seeing
The first, and the most expensive: running the EFVP after the contract is signed. Once the deal is done, your negotiating leverage is gone — you can’t insist on Canadian hosting or better clauses when the vendor knows you’re already committed. The law puts the assessment before acquisition and before communication for a reason: it’s the only moment when what you find can still change anything.
The second: treating the EFVP as a one-time event. Projects drift — the vendor adds an AI feature, swaps a subcontractor, moves its servers. An assessment frozen in 2024 says nothing about the system you’re actually running in 2026. The third follows from the other two: keeping no record. Diligence done out loud, with nothing written down, doesn’t exist as far as an investigator is concerned. The file is the deliverable.
A worked example: adopting a US-based CRM
Take a Gatineau distributor, twenty employees, choosing an American CRM to manage its Quebec customer base: names, emails, order history, sales-rep notes. Both triggers fire at once — this is the acquisition of a system handling personal information, and US hosting is a communication of that information outside Quebec.
The EFVP starts with the inventory: which fields will the CRM actually receive? Sales-rep notes often hold more than anyone expects — family situations, health details picked up in conversation. This is the moment to decide what goes in and what stays out. Then come the vendor questions: where is the data hosted, is a Canadian region available, which subcontractors touch the data, what protection and breach-notification clauses sit in the contract?
The typical ending: the vendor offers a Canadian region for a modest premium, the business trims the fields it collects, the written agreement carries the assessment’s conclusions, and the whole thing — diagram, answers, decision — fits in a short document filed with the contract. Six months later, when the vendor announces a new AI-powered analytics feature, the reflex already exists: reopen the file.
When to bring in help
Plenty of SMBs can run their first EFVP internally: one system, ordinary data, one person who takes the file seriously. If that’s you, the CAI’s guide and the sequence above will probably carry you through.
Outside help is worth it when the stakes climb: sensitive information, several systems trading the same data, a first cross-border cloud stack, or nobody internal with time to carry the RPRP role. Our Law 25 compliance service covers EFVPs, governance and the outsourced privacy-officer role; and if you’re in the region, our Law 25 help in the Outaouais is delivered in person, on both sides of the river.
Frequently asked questions
Is an EFVP mandatory?
Yes, whenever a trigger applies. Law 25 requires a privacy impact assessment before any project to acquire, develop or overhaul an information system that handles personal information, and before communicating personal information outside Quebec. There is no small-business exemption — but the law does say the assessment must be proportionate to the sensitivity, quantity and use of the information involved. A modest project calls for a short, documented assessment, not a hundred-page report.
Who has to sign off on an EFVP?
The law requires your privacy officer — the RPRP, the Responsable de la protection des renseignements personnels — to be consulted from the start of a covered system project. In practice, the RPRP is the person who reviews the assessment, challenges what isn’t necessary and keeps the final record on file. The business itself stays accountable for the outcome: an EFVP nobody responsible has read protects no one.
How long does an EFVP take?
For a typical SMB project — one system, ordinary customer or employee data — think days, not months: a working session to map the data flows, a check on the vendor and the destination, then the write-up. What stretches an EFVP is sensitive information, several systems touching the same data, or a vendor slow to answer basic questions about hosting and subcontractors. Starting early costs nothing; starting after the contract is signed is what turns the exercise into a crisis.
Is an EFVP the same thing as a PIA?
Same exercise, two labels. EFVP stands for évaluation des facteurs relatifs à la vie privée — the term Quebec’s law uses for what the rest of Canada calls a privacy impact assessment, or PIA. If your organization already runs PIAs under PIPEDA or for federal work, most of the reflex carries over; Law 25 adds Quebec-specific requirements, including the assessment before any communication outside the province and the mandatory consultation of your RPRP.
Do transfers to Ontario count as outside Quebec?
Yes. The law says outside Quebec, not outside Canada: communicating personal information to Ontario, or to any other province, triggers the same assessment as sending it to the United States. The analysis usually goes faster, because the receiving province’s privacy regime is familiar and broadly comparable — but the exercise, and the written record it produces, are still required.
The CLOUD Act and Canadian Data: What It Means
A US-controlled provider answers to US law wherever your data sits. What that means for your M365 or AWS tenant — and what actually mitigates it.
How Much Does a Penetration Test Cost in Canada?
Real CAD ranges by test type, what moves the price up or down, and the red flags in quotes that look too cheap to be true.
Facing your first EFVP?
We run the assessment with you — data flows, vendor questions, the record to keep — and you end up with a file that stands up to scrutiny.