
Quebec Law 25 and the AI Privacy Impact Assessment Requirement

By Basel Ismail, May 17, 2026

Quebec's Law 25 (formally, An Act to modernize legislative provisions as regards the protection of personal information) has been rolling out in phases since September 2022, and the final batch of provisions took effect on September 22, 2024. If your organization does business in Quebec or processes personal information of Quebec residents, you are now subject to one of the most prescriptive privacy regimes in North America. And if you are deploying AI tools that touch personal information, there is a specific obligation you need to understand: the privacy impact assessment requirement.

What Law 25 Actually Requires

Law 25 amended both Quebec's Act respecting the protection of personal information in the private sector and the Act respecting access to documents held by public bodies. The law introduced a set of obligations that will feel familiar if you have worked with GDPR, but with some distinctly Quebec-flavored additions.

The key obligations include:

  • Designation of a privacy officer. Every organization must appoint a person responsible for the protection of personal information. By default, this is the person exercising the highest authority within the organization, but it can be delegated. The title and contact information of this person must be published on the organization's website.
  • Mandatory breach notification. Since September 2022, organizations must notify the Commission d'accès à l'information du Québec (CAI) and affected individuals of any confidentiality incident involving personal information that presents a risk of serious injury. The CAI can impose administrative monetary penalties of up to $10 million CAD or 2% of worldwide turnover for violations.
  • Consent and transparency requirements. Consent must be obtained for each specific purpose of collection, and organizations must publish a plain-language privacy policy. The provisions around consent for minors under 14 are particularly strict.
  • Right to data portability. As of September 2024, individuals can request their personal information in a structured, commonly used technological format.
  • De-identification and anonymization standards. Law 25 distinguishes between de-identified and anonymized information, with specific criteria for each. Anonymized data must be anonymized according to "generally accepted best practices," and the CAI has signaled it will be looking at whether organizations can demonstrate their methodology.
  • Privacy impact assessments (PIAs). This is the big one for AI deployments.

The PIA Requirement and Why It Matters for AI

Section 3.3 of the amended private sector act requires organizations to conduct a PIA before personal information is communicated outside Quebec. But the obligation goes further than cross-border transfers. Under Section 3.2, organizations must conduct a PIA for any "project involving the acquisition, development, or redesign of an information system or electronic service delivery system involving the collection, use, communication, keeping, or destruction of personal information."

Read that again. Any project involving the acquisition or development of a system that processes personal information triggers a PIA. That covers virtually every AI tool you might deploy that ingests, processes, or outputs personal information. A new customer service chatbot trained on client interactions? PIA. An HR analytics platform that processes employee data? PIA. A clinical decision support tool in a healthcare setting? Definitely PIA.

The PIA must be proportionate to the sensitivity of the information, the purpose for which it is to be used, the quantity and distribution of the information, and the medium on which it is stored. For AI systems, this proportionality analysis gets interesting quickly, because the sensitivity calculus changes when you introduce machine learning models that can infer new information from seemingly innocuous data points.

What the PIA Must Cover

The CAI has published guidance on PIA content, and while it is not as granular as, say, the UK ICO's DPIA framework, the expectations are clear. Your PIA should address:

  • A description of the project and the personal information involved
  • The purposes for collection and processing
  • An analysis of the necessity and proportionality of the processing
  • Identification of privacy risks, including risks related to automated decision-making
  • Measures to mitigate identified risks
  • An assessment of residual risk after mitigation

For AI systems specifically, you should also be documenting how the model was trained, what data was used, whether personal information was included in training data, and how you handle model outputs that may constitute new personal information. The CAI has not yet issued AI-specific PIA guidance, but given Quebec's broader regulatory trajectory, including the federal Artificial Intelligence and Data Act (AIDA) that remains under development at the federal level, it is reasonable to expect more prescriptive requirements.

Automated Decision-Making Provisions

Law 25 also introduced Section 12.1, which requires organizations to inform individuals when a decision is made about them based exclusively on automated processing. The individual has the right to be informed of the personal information used in the decision, the reasons and principal factors that led to the decision, and the right to have the decision reviewed by a person within the organization. This is functionally similar to GDPR Article 22, but the scope is worth watching. The CAI has not yet tested the boundaries of "exclusively" in enforcement, and there is a real question about whether hybrid systems where a human rubber-stamps an AI recommendation qualify.

If you are deploying AI in areas like credit decisioning, insurance underwriting, hiring, or clinical triage, Section 12.1 is directly relevant. You need a mechanism to explain the decision, identify the inputs, and route appeals to a human with actual authority to override the system.

Enforcement and Penalties

The CAI has real teeth under Law 25. Administrative monetary penalties can reach $10 million CAD or 2% of worldwide turnover, whichever is greater. Penal penalties for individuals can reach $100,000 CAD, and for organizations, up to $25 million CAD or 4% of worldwide turnover. These are GDPR-scale numbers applied at the provincial level.

The CAI has been building enforcement capacity since 2022. In its 2023-2024 annual report, the Commission noted a significant increase in breach notifications and complaints, and it has been clear that AI-related processing is an area of focus. The private right of action under Law 25 also allows individuals to seek damages, which opens a litigation vector that compliance teams should be modeling.

Practical Considerations

A few things worth flagging for organizations working through Law 25 compliance for AI deployments:

  • PIAs are not one-and-done. If your AI system is retrained, if the data inputs change, or if you expand its use to new contexts, you should be reassessing. The obligation attaches to the project lifecycle, not just the initial deployment.
  • Cross-border transfers compound the analysis. If your AI vendor processes data outside Quebec (which is almost always the case with cloud-based AI services), you need a PIA for the transfer itself under Section 3.3, in addition to the system-level PIA under Section 3.2. The transfer PIA must consider whether the receiving jurisdiction provides "adequate protection," and the CAI has not published an adequacy list analogous to the EU's.
  • Vendor contracts matter. Your PIA should document the contractual safeguards in place with AI vendors, including data processing agreements, sub-processor restrictions, and audit rights. Law 25 does not let you outsource accountability.
  • Document everything. The CAI can request your PIA at any time. If you cannot produce one, the penalty exposure is straightforward.

How FirmAdapt Addresses This

FirmAdapt's architecture was built for exactly this kind of regulatory environment. The platform processes data within compliance boundaries that can be configured to respect Quebec's transfer restrictions, and it maintains auditable records of how personal information flows through AI-assisted workflows. When a PIA requires you to document what data an AI system touches, how it processes that data, and what safeguards are in place, FirmAdapt provides that documentation as a function of how it operates, not as a retrofit.

For organizations subject to Law 25's automated decision-making provisions, FirmAdapt's explainability features support the transparency obligations under Section 12.1. The platform can surface the inputs and logic paths that contributed to a given output, which gives compliance teams what they need to respond to individual requests and to demonstrate accountability to the CAI.
