The essentials
Law 25 modernizes the protection of personal information in Quebec. Adopted in 2021, it came into force in phases between 2022 and 2024. It applies to any business that collects or processes information about people in Quebec, regardless of size.
For AI, the trigger is straightforward: if a name, an email, a client file, or an employee record enters an AI tool, you are processing personal information. The law then asks you to know why, to be able to demonstrate it, and to keep control of it.
This is not an AI law. It is a law that AI causes organizations to trip over when no one is watching what goes into the tools.
Who oversees
The Commission d'accès à l'information (CAI), Quebec's privacy regulator, with real powers of investigation and sanction.
Penalties
Administrative penalties up to $10 M or 2% of worldwide revenue; penal penalties up to $25 M or 4%.
For whom
Any organization, private or public, that processes personal information about people in Quebec.
Five obligations that directly affect your AI uses
Every organization must designate a person responsible for the protection of personal information. By default, that is the most senior person in the organization. They are accountable for what enters your AI tools.
You collect and use only what is necessary, for a defined purpose. Pasting a complete client file into a chatbot to draft an email fails this test.
Before any project that processes personal information, including acquiring an AI tool, a privacy impact assessment (PIA) is required. It is also required before communicating information outside Quebec.
If a decision is based exclusively on automated processing, you must inform the person and allow them to present their observations. AI that screens job applications falls squarely in this zone.
Any incident presenting a risk of serious harm must be reported to the CAI and to the affected individuals, and recorded in a register. A data leak through an AI tool is an incident like any other.
In the AI id framework, Law 25 weighs most heavily on the Sovereign, Accountable, and Governed properties. Alignment note: precise compliance is confirmed with legal counsel.
How identifiable gets you ready
identifiable offers a Law 25 program applied to AI: team training, advisory support, and attestation, so that compliance becomes a practice, not a pile of documents.
Three questions that keep coming up
Does Law 25 really apply to my small business?
Yes. Law 25 applies with no size threshold. A five-person company that pastes client emails into an AI tool is processing personal information under the law.
Is using ChatGPT or Copilot prohibited?
No. What matters is what you put in and what you can demonstrate: purpose, minimization, consent where required, and control over where the data resides.
What is the first step to take?
The inventory: which tools, which data, which country. The Flash Diagnostic gives you personalized iD Tips in five minutes, aligned with Law 25 and the NIST AI RMF.
Would your AI uses pass the Law 25 test?
The diagnostic locates your Sovereign property and your accountability in twelve questions. What comes next is measured on evidence.