
Law 25 compliance checklist for AI tools in 2026

Essential Law 25 requirements for AI tools: data residency, consent mechanisms, privacy impact assessments, and vendor due diligence checklist.

By Augure

Law 25 compliance for AI tools requires specific attention to data residency, consent mechanisms, privacy impact assessments, and vendor due diligence. Organizations using AI tools to process Quebec residents' personal information must meet heightened privacy requirements under sections 17-18 of Quebec's private sector privacy law, with administrative monetary penalties reaching $10 million for enterprises under section 90.15.


Data residency and cross-border transfers

Law 25 sections 17-18 establish strict requirements for personal information transfers outside Quebec. AI tools hosted on foreign infrastructure must demonstrate adequate protection levels or obtain explicit consent from Quebec residents.

The Commission de protection de la vie privée du Québec (CPCSC) issued guidance in September 2024 clarifying that AI model training, inference processing, and persistent memory features all constitute "processing" under Law 25. Organizations cannot rely on contractual safeguards alone when using AI tools hosted in jurisdictions with government surveillance authorities.

"Law 25's data residency requirements apply to all AI processing activities, including model inference, training data, and conversation histories. Organizations must verify where their AI provider processes Quebec residents' data and ensure section 17 adequacy standards are met."

Key compliance requirements include:

• Document the geographic location of all AI processing activities
• Assess the adequacy of privacy protections in the destination jurisdiction under section 17
• Obtain explicit consent per section 14 for transfers to inadequate jurisdictions
• Implement additional safeguards for sensitive personal information under section 12

Platforms like Augure, which maintain 100% Canadian data residency with no US corporate exposure, help Quebec organizations meet these requirements without complex transfer impact assessments under sections 17-18.


Consent and transparency obligations

Law 25 section 14 requires clear, specific consent for AI processing that goes beyond the original collection purpose. Generic privacy policies don't satisfy this standard when AI tools analyze personal information for new uses.

Organizations must provide specific information about AI processing activities under section 8:

• The nature and purpose of AI analysis
• Categories of personal information processed
• Identity of AI service providers
• Data retention periods for training and inference

The CPCSC's 2025 enforcement guidance emphasizes that "AI for productivity" isn't sufficient purpose specification under section 8. Organizations must explain specific AI functionalities like document analysis, pattern recognition, or automated decision-making.

"Consent for AI processing must be specific to the AI functionality under Law 25 section 14. General consent for 'improving services' doesn't cover document analysis, automated decision-making, or predictive analytics that exceed the original collection purpose."

For AI tools with learning capabilities, organizations must disclose whether personal information contributes to model training or shared knowledge bases per section 8 transparency requirements. This includes chatbots with persistent memory, document analysis tools, and collaborative AI platforms.


Privacy impact assessments for AI

Law 25 section 3.3 requires privacy impact assessments (PIAs) for processing that presents "high risk to privacy." The CPCSC considers most AI applications to meet this threshold, particularly those involving:

• Automated decision-making affecting individuals (section 11 considerations)
• Analysis of sensitive personal information under section 12
• Profiling or behavioral analysis
• Cross-border data processing under sections 17-18

Your PIA must address specific AI risks under the CPCSC's framework:

• Model training on personal information
• Inference accuracy and bias potential
• Data minimization compliance with section 9
• Security of AI-generated insights

Document your AI tool's data flow from input through processing to output. Include training data sources, model update frequencies, and retention periods for prompts and responses as required under section 10.

The CPCSC expects organizations to demonstrate necessity and proportionality under section 9. Generic productivity benefits don't justify extensive personal information processing through AI tools.


Vendor due diligence requirements

Law 25 section 18.2 makes organizations responsible for their AI service providers' compliance. Due diligence extends beyond contractual terms to actual processing practices and infrastructure controls.

Essential due diligence elements include:

• Verification of data processing locations per sections 17-18
• Assessment of the provider's privacy governance under section 3.1
• Review of security controls and incident response per section 7
• Evaluation of data subject rights implementation under sections 27-41

Request detailed information about your AI provider's architecture. Where are servers located? Who has administrative access? How is data encrypted in transit and at rest per section 7 security requirements?

"Organizations remain liable for their AI service providers' Law 25 compliance under section 18.2. Due diligence requires verifying actual processing practices, not just reviewing vendor privacy policies, particularly for cross-border transfers under sections 17-18."

Pay particular attention to AI providers with US parent companies or investors. The CLOUD Act creates disclosure obligations that may conflict with Law 25's adequacy standards under section 17, requiring additional safeguards or consent mechanisms under section 14.


Data minimization and purpose limitation

Law 25 section 9 requires processing personal information only to the extent necessary for the stated purpose. AI tools often encourage extensive data input that exceeds compliance requirements under this principle.

Apply data minimization principles per section 9:

• Limit AI processing to the personal information that is necessary
• Configure tools to exclude unnecessary personal details
• Review data retention in AI systems regularly per section 10
• Segregate AI processing by sensitivity level under section 12

Many AI productivity tools accept unlimited document uploads or conversation histories. Evaluate whether this broad data collection serves specific business purposes under Law 25 section 9.

The CPCSC's 2025 guidance emphasizes that AI efficiency gains don't justify collecting additional personal information under section 9. Organizations must demonstrate that expanded AI processing serves the original collection purpose or obtain new consent under section 14.


Employee training and governance

Law 25 section 3.5 requires organizations to ensure staff understand privacy obligations when using AI tools. This includes both privacy professionals and end-users who interact with AI systems processing personal information.

Training should cover:

• Identifying personal information in AI inputs
• Understanding consent requirements under section 14 for AI processing
• Recognizing when privacy impact assessments are needed per section 3.3
• Reporting AI-related privacy incidents under section 3.7

Establish clear governance around AI tool procurement and deployment. Require privacy review before implementing new AI capabilities, particularly those processing Quebec residents' personal information under Law 25 jurisdiction.

Document your decision-making process for AI tool selection, including privacy considerations and compliance assessments. The CPCSC expects organizations to demonstrate systematic privacy protection rather than ad-hoc compliance efforts under section 3.1.


Incident response and breach notification

AI tools create unique incident response challenges under Law 25 section 3.7. Breaches may involve training data exposure, model inversion attacks, or unauthorized access to AI-generated insights containing personal information.

Your incident response plan should address:

• Detection of AI-related privacy incidents
• Assessment of personal information exposure through AI
• Notification obligations for AI service provider breaches under section 3.7
• Remediation of compromised AI systems

Document AI-specific incident scenarios in your response procedures. Include contact information for your AI service providers' security teams and escalation procedures for cross-border incidents affecting sections 17-18 compliance.

The CPCSC expects organizations to report AI-related breaches within 72 hours under section 3.7 when they present serious injury risk. This includes unauthorized access to sensitive personal information processed through AI tools.


Law 25 compliance for AI tools requires systematic attention to data residency under sections 17-18, consent mechanisms per section 14, and vendor oversight under section 18.2. Organizations processing Quebec residents' personal information through AI must demonstrate adequate protection throughout the entire processing lifecycle.

Start with a comprehensive inventory of your current AI tools and their data processing practices. Prioritize compliance efforts based on sensitivity of personal information and scope of AI processing activities under Law 25's risk-based framework.

Augure's Canadian-hosted AI platform helps organizations meet Law 25 requirements by eliminating cross-border transfer concerns and providing transparent data governance for Quebec compliance.

For detailed guidance on implementing Law 25-compliant AI workflows, explore the compliance resources at augureai.ca.

About Augure

Augure is a sovereign AI platform for regulated Canadian organizations. Chat, knowledge base, and compliance tools, all running on Canadian infrastructure.
