Many Quebec SMBs hesitate to use AI tools for fear of Law 25 or, conversely, already use them without asking any questions. Both reflexes are risky. The law doesn't prohibit AI: it governs how personal information is collected, used and shared, whatever the tool.

What Law 25 expects from you, in brief

Without claiming to replace legal advice, here are the obligations that most directly affect AI projects in SMBs:

  • A person in charge of the protection of personal information. By default, it's the person at the head of the company; the role can be delegated in writing.
  • Transparency. Your clients must be able to know what information you collect and for what purposes, including when the processing is automated.
  • Consent. Using personal information for a new purpose (for example, feeding an AI tool) may require new consent.
  • A privacy impact assessment (PIA). It is required, among other cases, before communicating personal information outside Quebec, which happens as soon as a tool hosts its servers elsewhere.
  • Incident management. Keep a register of confidentiality incidents and notify the persons concerned when there is a risk of serious injury.

The questions to ask before sending your data to an AI tool

Compliance starts with four simple questions, to put to any vendor:

  1. Where is the data stored and processed? Quebec, Canada, the United States, elsewhere? The answer changes your obligations.
  2. Is your data used to train the vendor's models? If so, your information may end up beyond your control in ways that are hard to reverse.
  3. Who can access it, and how long is it kept?
  4. Can you have it deleted, and how?

A serious vendor answers these questions in writing, contract in hand. A vendor who dodges them has already given you their real answer.

Simple practices that change a lot

The good news: for most projects, a few design principles are enough to considerably reduce the risk.

  • Minimize. A system should only receive the data strictly necessary for its task. Names, contact details and identifiers can often be removed without losing anything useful.
  • Anonymize or pseudonymize data before it leaves your systems, when the use case allows it.
  • Favour local hosting: in Quebec, in Canada, or directly on your own servers when the data is sensitive.
  • Put it in the contract. Data processing agreements exist for this; demand them.
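As an added example, not code from the original article: a small Python routine that applies the "minimize" and "pseudonymize" steps to a customer record before it is handed to an external AI tool. The sample record, the field lists and the key are constructed for the demonstration; the re-identification mapping never leaves your systems.

```python
import hmac
import hashlib
import re

# Constructed sample record, as a customer-support export might look (not real data).
SAMPLE_RECORD = {
    "customer_id": "C-10482",
    "name": "Marie Tremblay",
    "email": "marie@example.com",
    "phone": "514-555-0199",
    "order_total": 249.99,
    "message": "My order arrived damaged, what can I do?",
}

# Minimization: only the fields the AI task actually needs are sent; the rest is dropped.
NEEDED_FIELDS = {"customer_id", "message", "order_total"}
# Identifiers needed to route the answer back, but which must not leave in the clear.
PSEUDONYMIZE_FIELDS = {"customer_id"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic token: same input gives the same token, not reversible without the key."""
    return "pid_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_free_text(text: str) -> str:
    """Remove contact details that customers often type into free-text fields."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def prepare_for_ai(record: dict, key: bytes):
    """Return (outbound_record, local_mapping). Only outbound_record leaves your systems."""
    outbound, mapping = {}, {}
    for field, value in record.items():
        if field not in NEEDED_FIELDS:
            continue  # minimize: not needed for the task, so it is not sent
        if field in PSEUDONYMIZE_FIELDS:
            token = pseudonym(str(value), key)
            mapping[token] = value  # kept locally to match the reply to the customer
            outbound[field] = token
        elif isinstance(value, str):
            outbound[field] = scrub_free_text(value)
        else:
            outbound[field] = value
    return outbound, mapping
```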

Compliance is a design requirement, not a brake

Treating Law 25 as a checkbox at the end of a project is the recipe for redoing everything. Addressing it from the diagnostic onward (which data, which flows, which access rights, which vendors) costs a few hours and saves months of corrections.

That's the approach we stand for: protecting personal information is part of a system's architecture, just like its reliability. An AI project that can't be compliant isn't a good AI project.