Law 25’s automated-decision transparency rights and mandatory privacy assessments, and what they mean for AI used on Québec residents’ data.
dgm is an independent osFoundry integration partner — not affiliated with osFoundry’s maker (OS LLC), and dgm has no completed client integrations yet.
Quebec’s Law 25 is the strongest private-sector privacy law in Canada, and it has specific rules for AI that makes decisions about people. If you handle Quebec residents’ data, this is the one to understand.
| Item | Detail |
|---|---|
| Status | Fully phased in (2022 / 2023 / 2024) |
| Auto-decisions | Transparency + human review on request (Art. 12.1, in force 2023-09-22) |
| Assessments | Privacy impact assessments (PIAs) for new systems & outside-Quebec transfers |
| Penalties | Administrative monetary penalties up to $10M or 2% of worldwide turnover |
The automated-decision rule
Under Law 25, when a business makes a decision based exclusively on automated processing of personal information, it must inform the individual; on request, communicate the personal information used and the principal factors that led to the decision; and let the individual submit observations to a staff member who can review it. For AI that decides on credit, hiring or service for Quebec residents, this is a concrete obligation.
Privacy impact assessments and transfers
Law 25 requires a privacy impact assessment before acquiring, developing or overhauling an information system involving personal information, and before transferring personal information outside Quebec — the transfer is permitted only if the assessment shows adequate protection. This is stricter and more explicit than PIPEDA.
What it means for AI projects
Practically, an AI system touching Quebec residents’ data needs: disclosure that automated processing occurred, an explanation of principal factors, a human-review path, and a completed PIA before deployment or outside-Quebec transfer. osFoundry’s managed cloud pins data to US, EU or Japan — it does not currently offer a Canadian managed region. For data that must stay in Canada, the honest path is self-hosting osFoundry (BYO Cloud) inside a Canadian cloud region such as AWS Canada (Montréal/Calgary), Azure (Toronto/Quebec City) or Google Cloud (Montréal), or running models locally on-device. Audit logs and explainability features map directly to these duties.
Where dgm fits
dgm is an independent integration partner that helps Canadian businesses adopt osFoundry — scoping a first use case, handling the build, and connecting AI to the systems you already run. dgm is independent of osFoundry’s maker (OS LLC) and has no completed client integrations yet, so everything described here is a service offered, not a past result. If you want to scope a practical first project, dgm can help you map it out.