Quebec Law 25 and AI Tools: What Every Business Operating in Quebec Must Know
Quebec Law 25 applies to any business collecting data from Quebec residents — including AI tool usage. Here's what compliance actually requires in 2026 and where most businesses fall short.
By Canuckt AI Team
Who Law 25 Applies To
Law 25 applies to any enterprise that collects, holds, uses, or communicates personal information about individuals in Quebec in the course of carrying on an enterprise. This definition is intentionally broad. It covers Quebec-based businesses, businesses outside Quebec that collect information from Quebec residents, and businesses that operate websites or apps used by Quebec residents — even if the business has no physical presence in Quebec.
If your e-commerce store ships to Quebec, your SaaS platform has Quebec subscribers, or your website collects email addresses from Quebec visitors, Law 25 applies to the personal information you collect from those Quebec individuals. The territorial reach is similar to GDPR's extraterritorial reach, which is deliberate — Quebec explicitly modeled aspects of Law 25 on GDPR.
The Key Requirements That AI Usage Triggers
Privacy Impact Assessments (PIAs)
Law 25 requires businesses to conduct a Privacy Impact Assessment before implementing any project involving personal information — including acquiring technology that will process personal information. If you're adopting a new AI tool that will process information about employees, customers, or Quebec residents, a PIA is required before you deploy it.
A PIA under Law 25 isn't a simple checkbox exercise. It requires identifying what personal information will be collected, how it will be used, who will have access to it, what risks exist, and what measures are in place to mitigate those risks. For AI tools, this includes understanding where data processing occurs and whether data leaves Quebec or Canada.
Many businesses have adopted AI tools in the last two years without conducting PIAs. This is a compliance gap that's very common and very real.
Automated Decision-Making Disclosure
When a business uses personal information to make an automated decision that significantly affects a person, Law 25 requires that the person be informed of this, given the opportunity to submit observations, and in some cases, given the right to have a human review the decision.
This provision isn't triggered by every use of AI — using AI to draft marketing emails doesn't require automated decision disclosure. But using AI to score job applicants, assess creditworthiness, or make decisions about service eligibility does.
Privacy by Default
Law 25 requires privacy by default — meaning that the default settings of your technology systems must be those that offer the highest level of privacy protection.
Data Minimization
Law 25's data minimization principle requires businesses to collect only the personal information that is necessary for the stated purpose. AI tools that request broad data access permissions when they only need specific types of data create a Law 25 compliance issue.
Cross-Border Data Transfers
Law 25 has specific requirements for personal information being communicated outside Quebec. Before personal information is transferred outside Quebec, the business must conduct a privacy impact assessment that includes a comparative analysis of the destination jurisdiction's privacy law. Almost all major AI platforms process data on servers outside Quebec — typically in the United States, which does not have comprehensive federal privacy legislation equivalent to what Quebec requires.
The Penalties for Non-Compliance
For less severe violations of its provisions, businesses face administrative monetary penalties of up to $10 million or 2% of worldwide turnover, whichever is higher. For more serious violations, penalties can reach $25 million or 4% of worldwide turnover.
These numbers are GDPR-scale. Quebec's Commission d'accès à l'information (CAI) is the oversight body and has been active in enforcement.
The AI-Specific Gaps Most Businesses Have Right Now
No PIAs for AI tool adoption: The most widespread issue. Businesses adopted AI tools without conducting the required assessments.
No cross-border transfer documentation: Personal information about Quebec residents is flowing to US-based AI tools without the required comparative privacy analysis or contractual safeguards.
Privacy policy hasn't been updated: Most policies were written before AI tools became part of business operations and don't mention AI processing at all.
No privacy officer designated: Law 25 requires businesses to designate a person responsible for the protection of personal information and to publish their title and contact information.
No data breach response plan: Law 25 requires breach notification to the CAI within 72 hours of becoming aware of a breach involving personal information that presents a risk of serious injury.
What Compliance Actually Looks Like
First, designate your privacy officer and publish their contact information.
Second, update your privacy policy to reflect how you actually collect and use personal information, including AI tool usage.
Third, conduct PIAs for any AI tools already in use that process Quebec personal information — retroactive PIAs are better than no PIAs.
Fourth, implement minimum-necessary data access for AI tools.
Fifth, put data processing agreements in place with AI tool vendors.
For businesses that want to continue using US-based AI tools with Quebec personal information, the most practical path to compliance is anonymization before the data leaves your systems. If the data reaching the AI tool doesn't contain personal information, the cross-border transfer requirements of Law 25 don't apply in the same way.
The Broader Trend This Represents
Law 25 is the clearest signal yet that Canada's privacy landscape is moving toward the European model: stronger individual rights, higher penalties, more prescriptive requirements, and active enforcement. Quebec led, but federal legislation is following.
The businesses that treat privacy compliance as a strategic function — building it into how they adopt technology, not retrofitting it after the fact — will be better positioned as this landscape evolves.
Protect your data before sending it to AI.
Shielk automatically redacts PII from your content — so your team can use AI tools safely.