PIPEDA & Law 25: Using AI Tools in Quebec Classrooms

Quebec's privacy laws are among the strictest in North America. For schools considering AI tools, understanding Law 25 and PIPEDA isn't optional — it's the starting point. Getting this wrong doesn't just risk fines. It risks the trust of parents, students, and communities that schools depend on every day.

Law 25 in Plain Language

Quebec's Law 25 — formally the Act to modernize legislative provisions as regards the protection of personal information — came into force in stages beginning September 2022, with full enforcement as of September 2024. It applies to every organization in Quebec that collects personal information, including school boards, private schools, and any EdTech vendor serving Quebec students [1].

The law requires four things that matter most for schools. First, express consent: organizations must obtain clear, informed consent before collecting personal data, and the purpose must be stated in plain language. Second, transparency obligations: privacy policies must be published and accessible, describing what data is collected, why, and how long it is retained. Third, breach notification: any privacy incident involving personal information must be reported to the Commission d'accès à l'information (CAI) and to affected individuals if there is a risk of serious harm. Fourth, every organization must designate a privacy officer responsible for compliance — by default, this is the highest-ranking person in the organization [1].

For schools, this means that deploying any new technology that touches student data — including AI-powered tutoring, assessment, or communication tools — triggers a formal set of obligations. This is not a checkbox exercise. The CAI has the authority to impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover, whichever is greater.

PIPEDA and How It Intersects

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law [2]. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. At the federal level, PIPEDA establishes ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access, and challenging compliance.

Here is where jurisdiction matters. Quebec's privacy legislation has been declared substantially similar to PIPEDA by the federal government. This means that for organizations operating entirely within Quebec, the provincial law takes precedence over PIPEDA for intra-provincial commercial activities. However, PIPEDA still applies to federally regulated organizations operating in Quebec and to any cross-border transfer of personal information [2]. If a school uses an AI tool whose servers are in Ontario or the United States, PIPEDA may apply to the data in transit — even if Law 25 governs the collection at the school level.

The practical implication: schools cannot assume that compliance with one law satisfies both. A thorough privacy assessment must account for where data travels, not just where it originates.

What This Means for AI Tools

AI tools present privacy challenges that traditional EdTech does not. A learning management system stores grades; an AI tutor analyzes learning patterns, infers cognitive strengths and weaknesses, and generates personalized content based on behavioural data. The volume and sensitivity of the data involved is categorically different.

Data residency is the first question. Law 25 does not strictly require data to be stored in Canada, but it does require that any transfer outside Quebec be subject to a privacy impact assessment and that the receiving jurisdiction offer adequate protection [1]. In practice, this makes Canadian-hosted solutions significantly easier to justify from a compliance perspective. Tools that route student data through US servers face additional scrutiny, particularly given the broad surveillance authorities under US law.

Consent for minors is the second complexity. Students under 14 in Quebec cannot consent on their own behalf — parental consent is required. For students 14 and older, consent rules vary depending on the nature of the data. AI tools that collect behavioural data, learning analytics, or biometric inputs (such as voice for speech recognition) demand a higher standard of consent than tools that merely store assignment submissions [3].

Purpose limitation means that data collected for one purpose — say, tracking reading progress — cannot be repurposed for another, such as training a machine learning model or profiling students for marketing. Many AI vendors use student interaction data to improve their algorithms. Under Law 25, this requires a separate, explicit consent. And algorithmic transparency requirements mean that schools must be able to explain to parents, in plain language, how an AI system makes decisions that affect their children [4].

The Checklist

Before adopting any AI tool, every school in Quebec should be able to answer these seven questions with confidence:

1. Where is the data stored? Confirm the physical location of servers and any third-party sub-processors. Canadian hosting simplifies compliance. US or offshore hosting requires a formal privacy impact assessment under Law 25.

2. Who has access to student data? Map every entity — the vendor, their subcontractors, cloud providers — that can access personal information. Under Law 25, the school remains accountable even when a vendor processes the data.

3. Can individual students be deleted? The right to erasure is fundamental. Verify that the tool supports complete deletion of a student's data upon request, not just account deactivation.

4. Has a privacy impact assessment been conducted? Law 25 requires a PIA for any project involving the collection of personal information, especially when new technologies are involved. This is not optional for AI deployments [1].

5. Is the tool available in both official languages? Quebec's Charter of the French Language requires that software used in schools be available in French. A tool that only operates in English will face adoption barriers and may not meet regulatory expectations.

6. Does it align with the Quebec Education Program (QEP)? Compliance alone is not enough. The tool should support pedagogical objectives defined by the QEP, not impose a foreign curriculum model onto Quebec classrooms.

7. Is there a data processing agreement (DPA)? A signed DPA between the school and the vendor is essential. It should specify data handling procedures, breach notification timelines, data retention periods, and the right to audit.

Getting It Right

Privacy compliance is often framed as a burden — another layer of bureaucracy slowing down innovation. That framing misses the point. Schools that take data privacy seriously are schools that take their students seriously. When a parent asks how their child's data is being used, having a clear, honest answer builds trust that no technology can replace.

The schools that will lead in AI adoption are not the ones that move fastest. They are the ones that move thoughtfully — that vet their tools, train their staff, and communicate transparently with families. Law 25 and PIPEDA are not obstacles to innovation. They are the guardrails that make responsible innovation possible [4].

Quebec has chosen to hold organizations to a high standard when it comes to personal information. For schools, meeting that standard is both a legal obligation and an opportunity to demonstrate what responsible technology adoption looks like in practice.