Quebec's Law 25 — and how I handle it

Most cloud AI tools send your data to a server in the United States. For a lot of Quebec businesses, that is a problem they don't know they have yet. Here is how I handle it.

Editorial illustration — a document with personal details on the left sits on a Quebec server in Montreal. An arrow leads into a fleur-de-lys shield labeled LOI 25 / LAW 25 where the details are replaced by orange redaction bars. On the right, the cleaned document rises into a cloud labeled CLOUD AI.

The short version, in plain language

Quebec's Act to modernize legislative provisions as regards the protection of personal information — universally known as Law 25 — is the provincial equivalent of Europe's GDPR. It came into force in three waves between 2022 and 2024. If you are a business operating in Quebec and you handle any personal information about your customers, employees, or candidates, it applies to you.

The part that matters for AI is this: personal information that crosses the Quebec border into a third-party cloud service gets caught by the cross-border-transfer rules. Most popular AI tools — ChatGPT, Claude web, Gemini, Copilot — run in data centres outside Quebec. The moment you paste a resume, a client email, or an interview transcript into one of them, you have made a cross-border transfer of personal information. Your company is responsible for that transfer. The tool is not.

A lot of Quebec businesses are doing this right now without realizing it. When they realize it, the usual reaction is to ban AI entirely. That is not the right answer either.

The right answer is almost always "process the sensitive part locally first"

The trick to using AI on Law-25-sensitive work is not to avoid the cloud — it's to make sure the data that reaches the cloud has already been stripped of anything identifying. Names, phone numbers, addresses, employer identity, client numbers, anything that lets a human or a subpoena tie the content back to a specific real person. Strip that part on your own machine, or on a server you control in Quebec, and only then send the sanitized version to the AI.

This is the same pattern every privacy-aware technology operation uses. It's how I build every tool that touches private data. It's boring, it works, and it gives you the speed of cloud AI without the compliance headache.
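As an illustration of that local-first step, here is a minimal redaction pass in Python. It is an added example, not the code behind the tools described on this page. The sample text, the labels and the function names are assumptions made for the illustration; the names and employer to strip are supplied as a list, because regular expressions only catch identifiers with a fixed shape.

```python
import re

# Pattern-detectable identifiers (North American phone, Canadian postal code).
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("POSTAL", re.compile(r"\b[A-Za-z]\d[A-Za-z][ -]?\d[A-Za-z]\d\b")),
]

def redact(text, known_terms=()):
    """Return (sanitized_text, mapping); the mapping never leaves this machine."""
    mapping, seen = {}, {}  # placeholder -> original; (label, value) -> placeholder

    def placeholder(label, value):
        key = (label, value.casefold())
        if key not in seen:  # the same value always gets the same placeholder
            n = sum(1 for l, _ in seen if l == label) + 1
            seen[key] = f"[{label}_{n}]"
            mapping[seen[key]] = value
        return seen[key]

    # Known terms first, longest first, so a full name wins over a part of it.
    rules = [(l, re.compile(rf"(?<!\w){re.escape(t)}(?!\w)", re.I))
             for l, t in sorted(known_terms, key=lambda lt: -len(lt[1]))]
    for label, pattern in rules + PATTERNS:
        text = pattern.sub(lambda m, l=label: placeholder(l, m.group()), text)
    return text, mapping

def leaked(sanitized, values):
    """Fail-closed check: which values are still visible? Send only if empty."""
    low = sanitized.casefold()
    return [v for v in values if v.casefold() in low]

def restore(text, mapping):
    """Put the real values back into the AI's answer, locally."""
    for ph, original in mapping.items():
        text = text.replace(ph, original)
    return text

# Constructed sample data, not a real person or company.
SAMPLE = ("Marie Tremblay (marie.tremblay@example.com, 514-555-0142) lives at "
          "H2X 1Y4 and worked at Acme Logistique. Marie Tremblay has 8 years of "
          "Python experience. Client no. C-20417.")
KNOWN = [("NAME", "Marie Tremblay"), ("EMPLOYER", "Acme Logistique"),
         ("CLIENT", "C-20417")]

if __name__ == "__main__":
    clean, mapping = redact(SAMPLE, KNOWN)
    print(clean)
    print("leaked:", leaked(clean, [t for _, t in KNOWN]))
```

Only the sanitized text goes to the cloud service. The mapping and the `leaked` check stay on the local machine, and a non-empty result from `leaked` means the document is held back.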

Where this pattern shows up in real tools

I've used the same pattern to build the CV Anonymizer (recruiting agencies; raw resume stops on a Montreal server, only the sanitized skills and experience reach the cloud AI) and the Interview Transcript Anonymizer (academic researchers and consulting firms; nothing leaves the laptop). Different documents, same principle. The deep dives are on the work pages.

A note on what this page is and isn't

This is an explainer, not a compliance service. I'm not a lawyer. If you need a formal privacy impact assessment, you need a privacy lawyer — I can point you at one. Nobody can certify a tool as "Law 25 compliant" either; there is no certification body. What I can do is build tools that handle personal data correctly by design.

Further reading

The Commission d'accès à l'information du Québec publishes good plain-language guidance on the law itself. If you want to talk about how any of this applies to a specific task you're trying to do, one message is enough.
