Quebec's Law 25 — and how I handle it
Most cloud AI tools send your data to a server in the United States. For a lot of Quebec businesses, that is a problem they don't know they have yet. Here is how I handle it.
The short version, in plain language
Quebec's Act to modernize legislative provisions as regards the protection of personal information — universally known as Law 25 — is the provincial equivalent of Europe's GDPR. It came into force in three waves between 2022 and 2024. If you are a business operating in Quebec and you handle any personal information about your customers, employees, or candidates, it applies to you.
The part that matters for AI is this: personal information that crosses the Quebec border into a third-party cloud service gets caught by the cross-border-transfer rules. Most popular AI tools — ChatGPT, Claude web, Gemini, Copilot — run in data centres outside Quebec. The moment you paste a resume, a client email, or an interview transcript into one of them, you have made a cross-border transfer of personal information. Your company is responsible for that transfer. The tool is not.
A lot of Quebec businesses are doing this right now without realizing it. When they realize it, the usual reaction is to ban AI entirely. That is not the right answer either.
The right answer is almost always "process the sensitive part locally first"
The trick to using AI on Law-25-sensitive work is not to avoid the cloud — it's to make sure the data that reaches the cloud has already been stripped of anything identifying. Names, phone numbers, addresses, employer identity, client numbers, anything that lets a human or a subpoena tie the content back to a specific real person. Strip that part on your own machine, or on a server you control in Quebec, and only then send the sanitized version to the AI.
This is the same pattern every privacy-aware technology operation uses. It's how I build every tool that touches private data. It's boring, it works, and it gives you the speed of cloud AI without the compliance headache.
The two tools I built on this pattern
CV Anonymizer
Recruiting agencies get candidate resumes every day. They want to use AI to write the summary a hiring manager actually reads, but they can't send raw resumes to the cloud. The tool I built sits on a Montreal server, strips names and contact details and employer identity from the incoming resume, and only then hands the sanitized skills and experience to the cloud AI. The raw resume never leaves Quebec.
I built this for fun, originally. It is now the proof of concept for an anonymization method of my own that I use on every project that touches private data.
Interview Transcript Anonymizer
Academic researchers and consulting firms run interviews under a consent form that says the transcripts will be anonymized before they're shared, analyzed, or fed to any AI. Doing that by hand across a batch of fifteen interviews is hours of tedious work — and it's brittle. Miss one mention and the whole anonymization fails.
The tool I built runs as a Windows desktop app. Drop in a folder, get back the scrubbed transcripts in seconds, with every person reliably replaced by a consistent pseudonym across the whole batch. Nothing ever leaves your laptop.
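The local scrub step and the batch-wide consistent pseudonyms described above, as an added Python example (not the author's tool or method). It assumes the operator supplies a roster of participant names; the function names, regexes, placeholder labels and sample transcripts are constructed for illustration.

```python
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")

# Constructed sample input (hypothetical people, reserved example domain).
ROSTER = ["Marie Tremblay", "Luc Gagnon"]
DOCS = {
    "interview_01.txt": "Interviewer: Thanks, Marie Tremblay. Reach me at 514-555-0199.\n"
                        "Marie: My manager Luc Gagnon emailed luc.gagnon@example.com.",
    "interview_02.txt": "Luc said Tremblay's team and the Gagnons disagreed.",
}

def build_name_map(roster):
    """Map each name form (full, first, last) to one pseudonym per person."""
    forms = {}
    for i, full in enumerate(roster, start=1):
        alias = f"Participant {i}"
        for form in [full.lower(), *full.lower().split()]:
            # Refuse ambiguous rosters instead of guessing who "Marie" is.
            if forms.setdefault(form, alias) != alias:
                raise ValueError(f"name part shared by two people: {form!r}")
    return forms

def scrub(text, forms):
    """Replace e-mails, phone numbers and roster names in one transcript."""
    # Longest form first so "marie tremblay" is consumed before "marie".
    ordered = sorted(forms, key=len, reverse=True)
    names = re.compile(r"\b(?:" + "|".join(map(re.escape, ordered)) + r")\b",
                       re.IGNORECASE)
    text = EMAIL.sub("[EMAIL]", text)  # before names: addresses often embed them
    text = PHONE.sub("[PHONE]", text)
    return names.sub(lambda m: forms[m.group(0).lower()], text)

def scrub_batch(docs, roster):
    """Return (scrubbed docs, residual hits that need a human look)."""
    forms = build_name_map(roster)  # one map for the whole batch
    clean = {name: scrub(text, forms) for name, text in docs.items()}
    # Fail closed: a plain substring search catches forms the word-boundary
    # pass skipped (plurals, run-together words). False positives are acceptable.
    leaks = [(name, form) for name, text in clean.items()
             for form in forms if form in text.lower()]
    return clean, leaks

if __name__ == "__main__":
    clean, leaks = scrub_batch(DOCS, ROSTER)
    print(clean, leaks, sep="\n")
```

Only the scrubbed text would be forwarded to a cloud service, and only when the residual list is empty; here the plural "Gagnons" in the second transcript is reported for manual review.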
How this shows up in consulting engagements
When you hire me for a short project that touches personal data, here is what you get by default:
- Processing on a server I control in Quebec whenever the task involves raw personal information
- Cloud AI only after the data has been stripped of anything identifying
- A clear explanation of what moves where, in plain language, so the person responsible for privacy on your side can sign off
- No vendor name-dropping for compliance theatre — I won't pretend a checkbox answers the actual risk
This is not a separate "Law 25 compliance service." It's how I work by default.
What I don't do
- I don't write privacy impact assessments. I'm not a lawyer. If you need a formal assessment, you need a privacy lawyer and I can point you at one.
- I don't certify your tools as Law 25 compliant. Nobody can; there is no certification body. What I can do is build tools that handle personal data correctly by design.
Further reading
If you want to go deeper on the law itself, the Commission d'accès à l'information du Québec publishes good plain-language guidance. If you want to talk about how any of this applies to a specific task you're trying to do, one message is enough.