Law 25 compliance checklist for AI tools in 2026
Essential Law 25 compliance requirements for AI platforms in Québec. Data residency, consent mechanisms, and regulatory penalties explained.
Law 25 compliance for AI tools requires specific attention to data residency, consent mechanisms, and algorithmic transparency. Québec organizations using AI platforms must conduct privacy impact assessments under Section 3.3, ensure Canadian data residency per Section 17, and implement consent frameworks under Section 14. Non-compliance penalties reach $25 million under Section 93.
The Commission d'accès à l'information du Québec (CAI) has increased enforcement activity since Law 25's full implementation. Organizations need concrete compliance frameworks, not aspirational privacy policies.
Data residency and transfer requirements
Law 25 Section 17 mandates privacy impact assessments for any transfer of personal information outside Québec. This creates compliance challenges for AI platforms hosted on US infrastructure or operated by companies subject to foreign surveillance laws.
The assessment must evaluate the legal framework of the destination jurisdiction, including surveillance authorities and data access requirements. US-based AI providers trigger these requirements automatically due to the CLOUD Act and FISA Section 702.
Organizations using AI platforms hosted outside Canada face mandatory transfer impact assessments under Law 25 Section 17, creating ongoing compliance overhead and potential enforcement risk of up to $25 million in penalties under Section 93.
Canadian-hosted platforms like Augure eliminate this requirement entirely by maintaining 100% Canadian data residency. The CAI has indicated that domestic processing reduces compliance complexity.
Practical compliance requires documenting where AI model inference occurs, where conversation data is stored, and which jurisdictions have legal access to that data. Many organizations discover their "Canadian" AI provider actually processes data through US cloud infrastructure.
Consent and purpose limitation frameworks
Law 25 Section 14 requires clear, informed consent before processing personal information through AI tools. Generic privacy policies don't satisfy this standard — organizations need specific consent mechanisms for AI processing.
The consent must specify the purpose for AI analysis, data retention periods, and any sharing with third parties. For conversational AI platforms, this means explaining how chat history is used for model improvement, personalization, or team collaboration features.
Organizations must also implement Section 12's purpose limitation requirements. Personal information collected for one purpose cannot be used for AI training or analysis without additional consent.
Key consent implementation requirements include:
• Granular control over conversation retention and deletion per Section 27
• Clear explanation of AI model training practices under Section 14
• Opt-out mechanisms for data sharing and improvement programs
• Regular consent renewal for ongoing AI processing
The CAI's 2025 guidance emphasized that AI processing often constitutes a secondary use requiring fresh consent under Section 12, even when the original collection was lawful.
Privacy impact assessment requirements
Law 25 Section 3.3 mandates privacy impact assessments (PIAs) for AI implementations that present high risk to personal information protection. The CAI considers most AI tools to meet this threshold due to automated decision-making capabilities and data aggregation potential.
PIAs must be completed before implementing AI tools and updated when processing purposes change. The assessment covers data minimization practices under Section 25, security measures, and algorithmic transparency provisions.
AI implementations typically trigger mandatory privacy impact assessments under Law 25 Section 3.3 due to automated processing capabilities. Organizations failing to conduct PIAs face administrative penalties up to $10,000,000 for SMEs and $25,000,000 for enterprises under Section 93.
Required PIA elements for AI tools include:
• Description of personal information categories processed per Section 25.0.1
• Explanation of AI model training and inference practices
• Assessment of automated decision-making impacts under Section 12.1
• Documentation of security and encryption measures per Section 3.5
• Analysis of data retention and deletion procedures under Section 27
Organizations must maintain PIAs as living documents. Updates are required when adding new AI capabilities, changing data retention policies, or expanding user access to AI tools.
The assessment must also address Law 25 Section 25's data minimization requirements. AI platforms processing extensive conversation history or document libraries often struggle with proportionality requirements.
Security and breach notification obligations
Law 25 Section 3.5 requires security measures appropriate to the sensitivity of personal information processed by AI tools. Conversation data often contains highly sensitive business and personal information requiring enhanced protection.
Encryption requirements apply both to data in transit and at rest. AI platforms must implement end-to-end encryption for conversation data and ensure model training occurs on encrypted datasets.
Section 3.5.1's breach notification requirements create additional compliance obligations. Organizations have 72 hours to notify the CAI of any incident involving AI platforms that poses serious injury risk to affected persons.
Breach notification triggers for AI tools include:
• Unauthorized access to conversation histories or uploaded documents
• Data exposure through model training or inference processes
• Cross-tenant data leakage in multi-organization AI platforms
• Extraction of personal information through prompt injection attacks
The notification must specify the AI platform involved, personal information categories affected, and remediation measures implemented. Organizations often struggle with breach detection in AI systems due to complex data flows and processing architectures.
Practical security compliance requires regular penetration testing of AI platforms, audit logs for all data access per Section 25.0.1, and incident response procedures specific to AI-related breaches.
Record keeping and audit obligations
Law 25 Section 25.0.1 requires maintaining records of personal information processing activities, including AI tool usage. These records must document the purposes for AI processing, categories of personal information involved, and retention periods applied.
Organizations must track which employees access AI platforms, what information they process, and how long conversation data is retained. This creates administrative overhead for platforms without built-in audit capabilities.
The CAI can request these records during compliance investigations under Section 70. Organizations using multiple AI tools often struggle to aggregate the required documentation across different platforms and vendors.
Comprehensive audit trails for AI tool usage are mandatory under Law 25 Section 25.0.1, requiring detailed records of personal information processing activities and retention decisions. Failure to maintain adequate records constitutes a violation subject to penalties up to $25,000,000 under Section 93.
Required documentation includes:
• User access logs with timestamps and data categories
• Conversation retention and deletion records per Section 27
• Third-party data sharing agreements and purposes under Section 17
• Security incident reports and remediation measures per Section 3.5.1
• Training records for staff using AI tools with personal information
Platforms with built-in compliance features reduce administrative burden. Augure's sovereign architecture includes automatic audit logging and retention management to support Law 25 record-keeping requirements without US data exposure.
Automated decision-making transparency
Law 25 Section 12.1 grants individuals rights regarding automated decision-making that significantly affects them. AI tools used for hiring, performance evaluation, or client assessment trigger these requirements.
Organizations must explain the logic behind automated decisions, provide information about the consequences of such processing, and implement human review mechanisms. This extends beyond simple AI chat to include any automated analysis or recommendation systems.
The transparency obligation requires explaining AI model behavior in accessible language per Section 8. Technical documentation about neural network architectures doesn't satisfy this standard — organizations need plain-language explanations of how AI tools analyze personal information.
Practical compliance measures include:
• Clear documentation of AI decision-making processes under Section 12.1
• Human oversight for any automated recommendations affecting individuals
• Appeals processes for AI-assisted decisions per Section 40
• Regular auditing of AI model outputs for bias or discrimination
Organizations using AI for document analysis, contract review, or research must consider whether their use case constitutes automated decision-making under Section 12.1.
Enforcement trends and penalty exposure
The CAI issued $2.3 million in administrative penalties during 2025, with AI-related violations representing 15% of enforcement actions. Common violations include inadequate consent mechanisms under Section 14, missing privacy impact assessments per Section 3.3, and insufficient data residency documentation under Section 17.
Section 93's penalty structure scales with organization size. Enterprises face penalties up to $25,000,000 for serious violations, while smaller organizations face maximums of $10,000,000. The CAI considers AI compliance failures to be serious violations due to the scale and sensitivity of processing involved.
Recent enforcement actions have focused on:
• US-hosted AI platforms without proper transfer impact assessments under Section 17
• Missing or inadequate privacy impact assessments for AI implementations per Section 3.3
• Insufficient consent mechanisms for AI training and personalization under Section 14
• Inadequate breach notification for AI-related incidents per Section 3.5.1
Organizations should conduct compliance audits before enforcement actions escalate. The CAI's investigation process under Section 70 can extend 12-18 months and requires extensive documentation of AI processing activities.
Building compliant AI infrastructure
Law 25 compliance requires architectural decisions, not just policy updates. Organizations need AI platforms designed with Canadian regulatory requirements as foundational elements.
Key infrastructure requirements include Canadian data residency per Section 17, granular consent management under Section 14, comprehensive audit logging per Section 25.0.1, and built-in privacy impact assessment tools for Section 3.3 compliance. Retrofitting compliance onto existing AI tools often proves more expensive than selecting compliant platforms initially.
Augure's sovereign AI architecture addresses these requirements systematically — 100% Canadian data residency, integrated audit trails, and compliance frameworks built for Law 25, PIPEDA, and CPCSC requirements.
For detailed compliance guidance and Canadian-built AI tools, visit augureai.ca to explore how sovereign infrastructure supports regulatory compliance without compromising AI capabilities.
About Augure
Augure is a sovereign AI platform for regulated Canadian organizations. Chat, knowledge base, and compliance tools — all running on Canadian infrastructure.