Law 25 and AI: What Quebec Businesses Need to Know Before Using Artificial Intelligence
If you're a business owner in Quebec using AI tools — or thinking about it — there's something you need to understand first. Quebec's privacy law, Law 25, has real implications for how you can use artificial intelligence with your business data. And most businesses are getting this wrong without realizing it.
Key Takeaways
- Law 25 is one of the strictest privacy laws in North America — fines up to $10M or 2% of worldwide turnover
- Most cloud AI tools send client data to external servers, creating compliance risks under Law 25
- AI and privacy aren't mutually exclusive — local/on-device AI keeps data under your control
- The businesses that figure out compliant AI gain a trust advantage competitors can't match
This isn't a legal scare piece. It's a practical breakdown of where AI and Law 25 intersect, what the actual risks are, and how to use AI without putting your business in a compliance gray zone.
What Is Law 25?
Law 25 (formally known as the Act to modernize legislative provisions as regards the protection of personal information) is Quebec's updated privacy law. It's one of the strictest data privacy frameworks in North America — on par with Europe's GDPR.
The key requirements that matter for AI:
Businesses must know where personal data is stored and who has access to it
Personal information can only be used for the purpose it was collected for
Data must be protected with appropriate security measures
Individuals have the right to know what data you hold and request its deletion
Businesses must conduct privacy impact assessments for any project involving personal information
Significant fines for non-compliance — up to $10 million or 2% of worldwide turnover
Where AI Creates a Problem
Here's where things get complicated. Most AI tools that businesses use today — ChatGPT, cloud-based AI assistants, AI features built into SaaS platforms — work by sending your data to external servers for processing.
When you paste client information into ChatGPT to draft an email, that data leaves your control. When your CRM's AI feature analyzes customer behavior, it's likely processing that data on servers you don't own and can't control. When you use a cloud AI tool to summarize meeting notes that contain client details, those details are being transmitted to and processed by a third party.
Under Law 25, this raises serious questions:
Do your clients know their data is being sent to an AI provider?
Probably not. Law 25 requires transparency about how personal information is used and who it's shared with.
Did you collect consent for this specific use?
If a client gave you their information for a service engagement, using it to query an AI model hosted by a third party may not fall within the original purpose of collection.
Where is the data being processed?
Many AI providers process data on servers outside of Canada. Law 25 has specific provisions around cross-border data transfers.
Can you guarantee deletion?
If a client requests their data be deleted under their Law 25 rights, can you ensure it's removed from every AI system it touched? With cloud AI, that's often impossible.
This doesn't mean AI is off-limits. It means the way most businesses are currently using AI needs to be reconsidered.
The Real Risk
Most Quebec businesses using AI aren't doing anything malicious. They're just trying to be more efficient. But the gap between good intentions and actual compliance is where the risk lives.
Consider a few scenarios:
Law firm
Uses an AI tool to review contracts. Those contracts contain client names, financial details, and confidential terms. Every document processed through a cloud AI service means sensitive data is leaving the firm's control.
Accounting firm
Uses AI to categorize expenses from client records. Client financial data — names, transactions, account numbers — is being sent to external servers for processing.
Real estate agency
Uses an AI assistant to draft personalized follow-up emails. Client preferences, budgets, property interests, and contact details are all fed into a tool the client never consented to.
None of these businesses intended to violate anyone's privacy. But under Law 25, the question isn't intent — it's whether proper protections and consent are in place. The fines are real. And beyond fines, there's the trust factor. For professional services firms, a data breach or privacy complaint can be devastating to client relationships.
What "Compliant AI" Actually Looks Like
The good news is that AI and privacy aren't mutually exclusive. You don't have to choose between using AI and respecting Law 25. You just need to use AI differently.
There are three principles that make AI Law 25-friendly:
1. Keep data local
AI that runs on your own infrastructure — your servers, your devices — means data never leaves your control. There's no third-party processor to worry about, no cross-border transfer, no question of who has access.
2. Build for your workflow, not everyone's
Generic AI tools are designed to serve millions of users. Your data is processed alongside everyone else's, on shared infrastructure, under terms that prioritize the provider's needs. Custom AI built specifically for your business operates in isolation. Your data, your models, your rules.
3. Own the system
When you own the AI system, you control every aspect of how data is handled. That's not just good privacy practice — it's good business. If a client requests deletion, you have complete control.
On-device AI — models that run directly on your hardware without sending data to the cloud — is the strongest approach for Law 25 compliance. The data never leaves your environment. There's nothing to consent to because nothing is being shared.
What You Should Do Right Now
If you're a Quebec business using or considering AI, here's a practical starting point:
Audit your current AI usage
Make a list of every AI tool your business uses. For each one, ask: where does the data go? Is it processed on external servers?
Check your consent mechanisms
When you collected client information, did your privacy policy mention AI processing? If not, you may need to update it.
Conduct a privacy impact assessment
Law 25 requires this for projects involving personal information. If you're implementing AI that touches client data, this step isn't optional.
Consider your architecture
The most privacy-safe approach to AI is local processing — on-device or on-premise. This eliminates third-party risk entirely.
Talk to your privacy officer
Law 25 requires businesses to designate a person responsible for the protection of personal information. That person should be involved in any AI decisions.
The Bigger Picture
AI is transforming how businesses operate. Quebec businesses shouldn't be left behind because of privacy concerns — but they also shouldn't ignore those concerns in the rush to adopt new technology.
The businesses that will win are the ones that figure out how to use AI effectively while keeping client data private and staying compliant. That's not a limitation. It's a competitive advantage. When you can tell your clients that their data never leaves your systems, that your AI is private and built exclusively for your business, that's a trust signal that competitors using generic cloud AI simply can't match.
Law 25 isn't an obstacle to AI adoption. It's a framework that, when followed, makes your AI implementation stronger, more trustworthy, and more sustainable. The question isn't whether Quebec businesses should use AI. It's whether they'll use it in a way that respects the privacy their clients expect and the law requires.
Frequently Asked Questions
What is Law 25 in Quebec?
Law 25 is Quebec's updated privacy law — one of the strictest in North America, on par with GDPR. It requires businesses to know where personal data is stored, use it only for its collected purpose, protect it with appropriate security measures, and conduct privacy impact assessments. Fines can reach up to $10 million or 2% of worldwide turnover.
Can Quebec businesses use AI under Law 25?
Yes — AI and privacy aren't mutually exclusive. The key is to use AI differently: keep data local, build custom solutions for your workflows, and own the system so you control every aspect of data handling.
What are the risks of using ChatGPT with client data in Quebec?
When you use cloud AI tools with client data, that data leaves your control. Under Law 25, this raises issues around consent, purpose limitation, cross-border data transfers, and the right to deletion. Non-compliance fines can reach $10 million or 2% of worldwide turnover.
What is the most privacy-safe way to use AI in Quebec?
On-device or on-premise AI — models that run directly on your hardware without sending data to the cloud — is the strongest approach for Law 25 compliance. The data never leaves your environment and you have complete control over deletion requests.
Need AI that keeps your data private?
We build custom AI solutions that run on your infrastructure — so your client data never leaves your control. Law 25 compliant by design.