
AI and Law 25: Setting Rules for ChatGPT, Copilot, and Gemini at Work

Elite Consultation·2026-05-25
Law 25 · artificial intelligence · governance

Your team is already using AI tools: ChatGPT to draft an email, Copilot to summarize a meeting, Gemini to analyze a spreadsheet, Claude to prepare a presentation. In most internal surveys we see, usage is widespread, yet most Quebec organizations have no policy governing these tools.

Law 25 has no chapter dedicated to AI. It still applies directly any time personal information goes into an AI tool, and any time an important decision about a person is made by an automated system. (Law 25 is the act that modernized Quebec's private-sector privacy statute; the section numbers cited below are those of that statute as amended.) For a Quebec SME, the main risk lies in the lack of internal guardrails around these tools.

This guide walks through how Law 25 applies to generative AI tools, which obligations get triggered, and what a minimum internal policy needs to cover.

What Law 25 Says (and Does Not Say) About AI

The Commission d'accès à l'information (CAI) has not published an AI-specific regulation as of 2026. Its public position is that Law 25 obligations apply in full to any tool or technology that handles personal information, regardless of what the tool is.

In practice, four situations trigger clear obligations:

  1. Entering personal information into a prompt sent to a public AI tool.
  2. Sharing confidential documents that contain personal information with a cloud-based AI service.
  3. Errors or "hallucinations" from an AI tool that lead to a decision about a person based on inaccurate or invented information.
  4. Decisions made exclusively by automated systems that produce significant effects on a person, governed by section 12.1 of Law 25 since September 2023.

Each one deserves separate attention.

Risk 1: Personal Information in Prompts

When an employee pastes a resume, an HR file, a customer complaint with contact details, or a customer database into ChatGPT, Copilot, or Gemini, two things happen at once.

First, you are processing personal information. Law 25 requires you to apply the principle of minimization: collect and share only the information strictly necessary for the stated purpose. Pasting an entire database to ask a simple question runs against that principle.

Second, you are sending that personal information outside Quebec. With the consumer versions of these tools, OpenAI, Microsoft, and Google process the data on infrastructure that is, in practice, outside Quebec territory, and the user has no control over the region. Section 17 of Law 25 requires a privacy impact assessment (PIA) before this kind of transfer, and the transfer must be covered by a written agreement with the vendor. For consumer versions of these tools, those conditions are rarely met by default.

Practical measures:

  • Block personal information by default from any consumer version of an AI tool
  • Use enterprise versions (Microsoft 365 Copilot, ChatGPT Enterprise, Google Workspace with Gemini) that offer contractual safeguards, a commitment that your data is not used to train the models, and tighter access controls
  • Pseudonymize or anonymize information before using it whenever possible
  • Run a PIA for any AI deployment that touches significant personal information
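The "block by default" and "pseudonymize before use" measures above can be enforced at the point where a prompt leaves the organization. The Python sketch below is an added example, not code from the original article or from any vendor's product. It assumes a two-tier policy (consumer tools receive no personal information at all; enterprise tools receive stable placeholders, and the placeholder-to-value mapping stays local so the answer can be re-identified on the way back). The detection patterns (email, North American phone number, Canadian social insurance number filtered with the Luhn check that SINs use) and the sample HR prompt are constructed for illustration; name detection relies on a caller-supplied list, because reliable name recognition needs a proper NER model.

```python
"""Pre-prompt gate: detect and pseudonymize personal information before a prompt
is sent to a generative AI tool. Added example with constructed sample data."""
import re

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# North American numbers: (514) 555-0123, 514-555-0123, 514.555.0123, +1 514 555 0123
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# Canadian SIN: nine digits, usually written 3-3-3; validated with Luhn below
SIN_RE = re.compile(r"(?<!\d)\d{3}[\s-]?\d{3}[\s-]?\d{3}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (used by Canadian SINs); filters out most nine-digit noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (category, pattern, optional acceptance test on the match)
CATEGORY_PATTERNS = (
    ("EMAIL", EMAIL_RE, None),
    ("PHONE", PHONE_RE, None),                       # run before SIN: 10 digits vs 9
    ("SIN", SIN_RE, lambda m: luhn_valid(re.sub(r"\D", "", m.group()))),
)


class Pseudonymizer:
    """Replaces personal information with [CATEGORY_n] placeholders and keeps the
    mapping locally. The same value always gets the same placeholder, so the AI
    tool can still reason about 'the same person' without seeing who it is."""

    def __init__(self, known_names=()):
        # Longest names first so "Marie Tremblay" is matched before "Marie"
        self.known_names = sorted(known_names, key=len, reverse=True)
        self.mapping = {}    # placeholder -> original value (never leaves the org)
        self._reverse = {}   # (category, value) -> placeholder
        self._counters = {}

    def _placeholder(self, category, value):
        key = (category, value)
        if key not in self._reverse:
            n = self._counters.get(category, 0) + 1
            self._counters[category] = n
            token = f"[{category}_{n}]"
            self._reverse[key] = token
            self.mapping[token] = value
        return self._reverse[key]

    def pseudonymize(self, text):
        for category, pattern, accept in CATEGORY_PATTERNS:
            def repl(m, category=category, accept=accept):
                if accept is not None and not accept(m):
                    return m.group()            # e.g. a nine-digit amount, not a SIN
                return self._placeholder(category, m.group())
            text = pattern.sub(repl, text)
        for name in self.known_names:
            pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
            text = pattern.sub(lambda m: self._placeholder("NAME", m.group()), text)
        return text

    def reidentify(self, text):
        """Restore real values in the tool's answer; placeholders end in ']' so
        [NAME_1] is never confused with [NAME_10]."""
        for token, value in self.mapping.items():
            text = text.replace(token, value)
        return text


def gate_prompt(text, tool_tier, known_names=()):
    """Policy: consumer tools get no personal information at all (blocked);
    enterprise tools get the pseudonymized prompt. 'findings' lists what was hit."""
    p = Pseudonymizer(known_names)
    redacted = p.pseudonymize(text)
    findings = sorted(p.mapping)
    if tool_tier == "consumer" and findings:
        return {"allowed": False, "prompt": None, "findings": findings, "mapping": p.mapping}
    return {"allowed": True, "prompt": redacted, "findings": findings, "mapping": p.mapping}


# Constructed sample HR prompt (fictitious person, RFC 2606 example domain,
# 555-01xx reserved phone number, the documentation example SIN 046 454 286)
KNOWN_NAMES = ("Marie Tremblay", "Marie")
SAMPLE_PROMPT = (
    "Summarize this complaint for the file. Employee: Marie Tremblay, "
    "marie.tremblay@example.com, 514-555-0123, SIN 046 454 286. "
    "Marie says her manager ignored two requests. Invoice total: 123 456 789 CAD."
)

if __name__ == "__main__":
    print(gate_prompt(SAMPLE_PROMPT, "consumer", KNOWN_NAMES)["findings"])
    print(gate_prompt(SAMPLE_PROMPT, "enterprise", KNOWN_NAMES)["prompt"])
```

The invoice total in the sample is nine digits but fails the Luhn check, so it is left in place; a stricter deployment could flag every nine-digit group and accept the false positives. The mapping returned by gate_prompt is the sensitive artifact: store it with the same protection as the original file, and do not log it alongside the outbound prompt.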

Risk 2: Confidential Documents and Trade Secrets

Law 25 covers personal information, and the documents employees share with AI often contain much more: client contracts, proposals, quotes, source code, business strategies, financial data.

The terms of service for consumer AI tools generally allow the vendor to reuse some of the data to improve their models, unless settings are configured otherwise. Once data has been used for training, removing it is very difficult.

The risk goes beyond Law 25. It touches trade secrets, contractual commitments to your clients, and the organization's intellectual property.

Practical measures:

  • Internal policy stating clearly that client contracts, critical source code, and strategic documents stay out of public AI tools
  • For legitimate use cases, switch to enterprise versions with isolated environments (dedicated tenant, controlled logging)
  • Regular deletion of conversation history when the tool allows it, keeping in mind that deleting history from the interface does not undo any use the vendor has already made of the data

Risk 3: Errors, Hallucinations, and Decisions Built on Invented Content

Several recent cases have shown professionals (lawyers, accountants) relying on AI responses without verification, with serious consequences: citations of case law that does not exist, fictional references, incorrect calculations.

For Law 25, the risk becomes direct when a decision about a person rests on content invented by an AI. If that decision affects an employee, a candidate, or a customer, and it relies on inaccurate information, you are potentially in breach of the obligation to maintain accurate personal information.

Practical measures:

  • AI is an assistant, never an autonomous decision-maker
  • Systematic human verification before any important decision, especially in HR, customer service, or professional advisory work
  • Documentation of the sources used to support any decision

Risk 4: Decisions Made Exclusively by Automated Systems (Section 12.1)

This is the obligation most directly tied to AI. Since September 2023, section 12.1 of Law 25 governs decisions "based exclusively on automated processing" that produce significant effects on a person.

When section 12.1 applies, the organization must:

  1. Inform the person, at the latest when the decision is communicated, that it was based exclusively on automated processing
  2. On request, tell the person which personal information was used to make the decision
  3. On request, explain the reasons and the main factors and parameters that led to the decision
  4. On request, inform the person of their right to have the personal information used for the decision corrected
  5. Give the person the opportunity to present observations to a staff member who is in a position to review the decision

Situations that trigger section 12.1:

  • Automated screening or ranking of job candidates
  • Automated approval or denial of credit, discounts, or payment limits
  • Automated selection of which customers to contact or serve first
  • Automated identification of positions to eliminate during a restructuring

The key test is whether meaningful human intervention exists. Clicking "approve" without real review is unlikely to qualify as human intervention under Law 25.

Practical measures:

  • Avoid 100% automated decisions whenever possible
  • Document the algorithms: which data goes in, which business rules apply, which factors weigh in the result
  • Set up real human review with the authority to override the recommendation
  • Provide a contestation mechanism that is accessible to affected individuals

What the CAI Looks At in a Complaint

Few published CAI decisions specifically address AI to date. When an AI-related complaint or incident reaches the CAI, the analysis will likely cover:

  • Whether an internal AI usage policy exists
  • The designation and active involvement of the privacy officer
  • PIAs completed for AI projects involving personal information
  • Contractual agreements with AI vendors
  • Evidence that employees have been trained on permitted and prohibited uses
  • Documentation of AI-related incidents in the incident register

A Quebec SME that can show a structured approach, even an imperfect one, is in a stronger position than an organization with no guardrails at all.

AI Usage Policy: The Minimum to Cover

A one- to two-page internal policy is generally enough for an SME. It should cover:

  1. Approved and prohibited tools. Which AI tools can be used, in which version (consumer or enterprise), and for which purposes.
  2. Data prohibited in inputs. Categories of data that should never be pasted into a consumer AI tool (personal information, client contracts, financial data, credentials such as passwords and API keys).
  3. Mandatory human review. Categories of decisions that require human validation before being applied.
  4. Account management. Multi-factor authentication, work accounts only (through the organization's single sign-on where the tool supports it), no account sharing.
  5. Incident handling. What to do when sensitive information has been pasted into an AI tool by mistake: delete the conversation where the tool allows it, notify the privacy officer, record the event in the incident register, and assess whether it is a confidentiality incident that must be reported to the CAI and to the affected individuals.
  6. Training. Schedule for employee training on the policy and its rationale.

The policy benefits from an annual review. Tool capabilities and regulatory expectations evolve quickly.

How Observantia Supports This Work

Observantia centralizes the PIAs you complete for AI projects, the vendor register (including ChatGPT Enterprise, Microsoft 365 Copilot, Google Workspace), and the documentation tied to each deployment. The dashboard helps the privacy officer keep a clear view of which tools are in use, their compliance status, and the residual risks. Start your 14-day free trial.

This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.
