{"id":37,"date":"2025-11-12T09:30:00","date_gmt":"2025-11-12T09:30:00","guid":{"rendered":"https:\/\/numriq.com\/law-25-ai-quebec-smb\/"},"modified":"2025-11-12T09:30:00","modified_gmt":"2025-11-12T09:30:00","slug":"law-25-ai-quebec-smb","status":"publish","type":"post","link":"https:\/\/numriq.com\/en\/law-25-ai-quebec-smb\/","title":{"rendered":"Quebec’s Law 25 and AI: what’s changing for SMBs"},"content":{"rendered":"

“We use a Canadian server, so we’re compliant.” That’s the most common phrase we hear when discussing AI and Law 25. It’s also the most wrong.<\/p>\n

Quebec’s Law 25 isn’t limited to data residency. It changes how you must manage every AI project that touches personal information. Here are the four blind spots.<\/p>\n

1. Explicit consent<\/h2>\n

If your AI solution processes personal information (customer emails, medical records, call transcripts), you need clear, free, and informed consent for that specific use. A general consent to your privacy policy doesn’t cover AI. You have to name it: “We use a language model to categorize your requests.”<\/p>\n

2. Privacy impact assessments<\/h2>\n

For any high-risk project (and most AI projects fall there), a PIA is required BEFORE deployment. It’s not a formality: it’s a documented analysis of risks, mitigation measures, and decisions made. If you’re audited and this analysis doesn’t exist, you have a problem.<\/p>\n

3. The right to erasure vs trained models<\/h2>\n

If you train or fine-tune a model with client data, and a client requests erasure, you also need to remove their data’s influence from the model. In practice, this often means retraining. Better to design with this constraint from day one.<\/p>\n

4. The role of the PIPO<\/h2>\n

The Personal Information Protection Officer isn’t just a title on an org chart. They must be consulted on AI projects, and their name must appear publicly (typically in your privacy policy).<\/p>\n

What to do<\/h2>\n

Before launching an AI project that touches personal information: map the data being processed, conduct a PIA, update consent notices, document the decision chain, and involve the PIPO. It’s less heavy than it sounds when done at the diagnostic phase. It’s unmanageable when added at the end.<\/p>\n","protected":false},"excerpt":{"rendered":"

Canadian hosting isn’t enough. Here’s what Law 25 actually requires when you deploy AI solutions, and what you need to do before going to production.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[],"class_list":["post-37","post","type-post","status-publish","format-standard","hentry","category-strategie"],"acf":[],"_links":{"self":[{"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/posts\/37","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":0,"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/posts\/37\/revisions"}],"wp:attachment":[{"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/media?parent=37"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/categories?post=37"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/numriq.com\/en\/wp-json\/wp\/v2\/tags?post=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}