AI Agents

Do You Need a Privacy Impact Assessment Before Deploying an AI Agent?

May 14, 2026
By Xavier Peich

Yes, Law 25 requires a PIA before any AI agent project. For a Quebec SMB, it's a few structured hours of work. The CAI even publishes a free guide.

When people talk about Law 25 obligations and AI agents, the PIA is almost always the first thing business owners set aside. Either they've never heard the term, or they picture a 150-page report billed by the hour at a law firm.

The privacy impact assessment, or PIA (in Quebec French, "évaluation des facteurs relatifs à la vie privée" -- ÉFVP), is mandatory; it is triggered by your AI agent project; and for an SMB it looks more like a structured meeting of a few hours than a sprawling legal undertaking. The full picture of all four Law 25 obligations is covered in the hub article: AI Agents and Law 25: What a Quebec SMB Needs to Know Before Deploying. This article focuses on one obligation only: the PIA, from start to finish.

The direct answer

Yes, a PIA is mandatory before deploying an AI agent in a Quebec SMB. Law 25 requires it before any project to acquire, develop, or overhaul an information system that handles personal information, and projects using artificial intelligence are explicitly covered. If the agent sends data to a model hosted in the United States, a second PIA obligation applies to cover that transfer outside Quebec. For an SMB, the PIA is not an 80-page document. It is a structured exercise that asks you to honestly answer four questions: what data the system touches, where that data goes, who has access to it, and what happens if something goes wrong. The Commission d'accès à l'information (the CAI) publishes a free accompaniment guide and a generic report template to help organizations complete it. Done seriously, a PIA takes a few hours. And it forces you to look at the risks squarely before a complaint does it for you.

What the law actually says

Law 25 has been in force since September 22, 2023 for the obligations that apply to AI agents. It applies to any business that holds personal information in Quebec, with no size threshold. A fifteen-person SMB has the same obligations as a 500-person company.

Two situations specifically trigger a PIA.

The first: you are starting an information system project that involves personal information. A new AI agent falls directly into that category. The text explicitly covers projects using artificial intelligence, profiling, or surveillance.

The second: you are communicating personal information outside Quebec. This applies as soon as your agent sends data to a model hosted on American servers -- which is the case for the major models from OpenAI, Anthropic, or Google. The law does not prohibit it. It makes the transfer conditional on a PIA and on adequate protection of the information. That second case is covered in detail in the dedicated article on data transfers outside Quebec and AI agents.

There is also an adjacent case to keep in mind. If your agent makes decisions in an exclusively automated way, article 12.1 of the law imposes additional obligations: informing the person affected, giving them access to the factors that influenced the decision, and allowing them to have it reviewed by a human. The PIA is the right moment to identify whether your agent falls into that scenario. This is covered in depth in the article on automated decisions and Law 25.

Why this is not bureaucracy

The usual resistance to a PIA comes from a distorted image of what it is. People think legal audit, external consultant, sixty-page report that ends up in a drawer before it's even printed. For a large organization with a legal department, that can be what it looks like. For an SMB, the law itself states that the PIA must be proportionate to the sensitivity of the information involved and to the level of risk.

In other words: if your agent handles internal emails or client submissions, the exercise is straightforward. If your agent touches health records or sensitive financial data, the level of rigor goes up. The law does not ask the same effort from everyone.

The CAI has also published two concrete resources to help organizations navigate this: an accompaniment guide for conducting a PIA, and a generic, non-mandatory report template that you adapt to your context. Both are free, both are on the CAI website, and both are written for organizations of any size.

The four questions at the core of the exercise

In practice, a PIA for an AI agent comes down to answering four blocks of questions, in order.

What data does the agent touch? List the categories of personal information the agent will read, process, or produce. Names, addresses, emails, client numbers, behavioral data, internal communications -- be exhaustive. This is also where you identify whether sensitive data enters the picture (health data, financial information, information about minors).

Where does that data go? Map the full journey. Which system does the agent read from, which does it write to, what does it send to which external service? If an external AI model is involved, this is where you document which vendor, which country, and which contractual terms apply. This is also where the outside-Quebec transfer obligation either materializes or doesn't.

Who has access? Identify the people, systems, and third parties that can view or modify the data processed by the agent. A software development subcontractor, a cloud hosting provider (meaning data stored on remote servers rather than locally), an API provider (the technical interface through which two pieces of software communicate) -- all of these access points need to be documented.

What happens if something goes wrong? Assess the residual risks. What would a data breach cause to the people affected? Who would be impacted, and to what degree? What detection and notification mechanisms are in place? This is where you estimate the risk level and decide on measures to reduce it: encryption, anonymization, minimizing the data sent to the model, access controls.

What the PIA actually changes in how you build the agent

Many SMBs treat the PIA as a box to check after deployment. That is the opposite of the right approach, and the opposite of what the law requires: the exercise must be done before the project, not after.

When the PIA is done upfront, it directly influences technical decisions. You send to the external model only the data that is strictly necessary, never a full file when an internal identifier will do. You choose a vendor that offers contractual guarantees against using your data to train their models. You document when and how the agent escalates a decision to a human, because you identified during the PIA that certain cases fall under article 12.1.

An agent that minimizes the data it handles is also a faster agent, cheaper to run, and simpler to maintain. Compliance and good design have the same requirements.
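What "send only what is strictly necessary" and "document when the agent escalates to a human" look like in code, as an added example that is not part of the article or of any product the author describes. It is written in Python and assumes a hypothetical client record with the field names shown, a hypothetical list of sensitive fields and of decision types the PIA flagged under article 12.1, and a keyed hash (HMAC) as the "internal identifier" that replaces the real client ID, so the model sees a stable reference while the mapping back to a person stays with the SMB. All sample data is constructed.

```python
import hashlib
import hmac

# Constructed sample record (not real data): what an internal CRM might hold
# about a client whose message the agent is asked to triage.
SAMPLE_RECORD = {
    "client_id": "C-20481",
    "name": "Marie Tremblay",
    "email": "marie.tremblay@example.com",
    "address": "123 rue Principale, Montreal",
    "health_note": "",          # sensitive category, empty for this client
    "message": "My April invoice shows a duplicate charge.",
    "invoice_total": 149.99,
}

# Outcome of PIA block 1 ("what data does the agent touch"): the only fields
# the model actually needs for the task. Everything else stays inside Quebec.
ALLOWED_FIELDS = {"message", "invoice_total"}

# Field names the PIA classified as sensitive (hypothetical list for this example).
SENSITIVE_FIELDS = {"health_note", "date_of_birth", "sin"}

# Decision types the PIA flagged as affecting the person (article 12.1 territory);
# the agent never finalizes these alone. Hypothetical policy for this example.
HUMAN_REVIEW_DECISIONS = {"refund_denied", "account_closed", "credit_limit_changed"}

# Placeholder key; in a real deployment it comes from a secret store and is
# never placed in a prompt or sent to the model vendor.
PSEUDONYM_KEY = b"placeholder-local-secret"


def pseudonymize(client_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, keyed reference for the client. The model can correlate turns
    about the same client, but only the SMB (holder of the key and the CRM)
    can map the reference back to a person."""
    digest = hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ref_" + digest[:16]


def minimize_for_model(record: dict, allowed=ALLOWED_FIELDS, sensitive=SENSITIVE_FIELDS):
    """Build the payload that leaves for the external model, plus an audit entry
    that feeds the PIA's data-flow map (block 2) and its risk log (block 4)."""
    payload = {k: record[k] for k in sorted(allowed) if k in record}
    payload["client_ref"] = pseudonymize(record["client_id"])
    dropped = sorted(set(record) - set(allowed) - {"client_id"})
    sensitive_present = sorted(k for k in sensitive if record.get(k))
    audit = {
        "sent_fields": sorted(payload),
        "dropped_fields": dropped,
        "sensitive_present": sensitive_present,
    }
    return payload, audit


def requires_human_review(decision: str, audit: dict) -> bool:
    """Escalation rule settled during the PIA: a human signs off whenever the
    decision type affects the person or sensitive data was in scope."""
    return decision in HUMAN_REVIEW_DECISIONS or bool(audit["sensitive_present"])


if __name__ == "__main__":
    payload, audit = minimize_for_model(SAMPLE_RECORD)
    print("to model:", payload)
    print("audit:", audit)
    print("refund_denied needs human:", requires_human_review("refund_denied", audit))
```

The audit dictionary is the part worth keeping: logged per call, it is the evidence that the data flow described in the PIA is the one actually running, and the `dropped_fields` list makes any later widening of the allow-list visible rather than silent.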

The real cost of skipping it

The CAI can impose administrative monetary penalties, without going through a court, of up to the greater of $10 million or 2% of worldwide turnover. On the penal side, before the courts, fines go up to the greater of $25 million or 4% of worldwide turnover.

For an SMB, the realistic risk is not the eight-figure fine. It is the complaint from a client or employee, the CAI investigation that follows, the management time it consumes, and the reputation it damages. The PIA is insurance against that scenario. It is also one of the law's obligations: not doing it is a non-compliance in itself, regardless of what the agent does with the data.

Where to start

Block two to three hours with the person responsible for personal information protection in your organization. If you don't have that role formally defined, designate someone -- that itself is also a Law 25 obligation. Download the CAI's accompaniment guide. Work through the four blocks of questions for your agent project. Document the mitigation measures you are putting in place.

If your project involves a transfer outside Quebec or automated decisions, incorporate those topics into the exercise rather than treating them separately.

And if you want to work through this together before a single line of code is written, the first conversation is free. Thirty minutes to review the use case, identify the data involved, and name the compliance issues honestly.

This is plain-language education, not legal advice. For any project involving sensitive information or high-stakes decisions, consult a legal advisor. The Commission d'accès à l'information and the legislation on LégisQuébec are the references that prevail.
