Picture one of your employees who, one Monday morning, opens ChatGPT to draft a meeting summary more quickly. They paste in the names of the clients who attended, a few financial figures, perhaps a strategic decision. Five minutes later, they close the session, satisfied. What they do not realise: that data has just left your organisation, crossed borders, and potentially fed the training of OpenAI's next model. Without consent. Without notice. And perhaps in direct breach of Law 25.
This scenario is not hypothetical. It is happening right now within your teams, within your suppliers' teams, within the public bodies around you. According to the Cloud Security Alliance, cited by La Presse, four employees out of five (82%) worldwide practise some form of shadow AI — that is, the use of artificial intelligence tools without their organisation's explicit authorisation.
The Privacy Commissioner of Canada, Philippe Dufresne, and his counterparts in Quebec (CAI), Alberta and British Columbia jointly concluded that OpenAI breached several Canadian and Quebec laws on the protection of personal information when developing ChatGPT — notably by collecting data excessively without valid consent. Sources: Le Devoir · Radio-Canada.
This report is a wake-up call that leaders can no longer ignore. At the head of a municipality, an SME or a non-profit, you are personally responsible for the personal information your organisation collects, processes and entrusts to third parties — including third parties your employees use without your knowledge.
What do these AI tools really do with your data?
All large language models (LLMs) work on the same principle: you submit text to them (a question, a document, a request), and they generate a response. What the consumer interfaces do not say clearly is what happens to your text once it is sent.
Three fundamental issues arise for any organisation:
- Model training — depending on the platform and the plan (free, individual, enterprise), your conversations may be reused to improve the model, potentially exposing your data in future responses to other users.
- American hosting and the CLOUD Act — data passes through and is stored on servers owned by American companies. The 2018 American CLOUD Act authorises the United States government to demand access to this data, even when it is physically hosted in Canada.
- Extended retention — according to each vendor's published policies, your exchanges may be kept from 30 days to several years.
The 4 major platforms put to the test
Here is what each major player says — and does not say — about how it handles your data.
ChatGPT (OpenAI) — the must-have that collects widely
OpenAI states in its privacy policy that conversations from the free and paid individual versions may be used to train its models, unless the user explicitly objects. An opt-out exists, but it is hard to find. In January 2025, the Italian data protection authority (Garante) fined OpenAI 15 million euros for breaching the GDPR. In the Teams or Enterprise version, data is not used for training — but this presupposes an active contract and a correct configuration.
Claude (Anthropic) — the best structured, but not free of risk
According to a 2026 comparative analysis, Claude is considered the most GDPR-compliant LLM. In the Claude for Work or Enterprise version, Anthropic contractually guarantees that it will never use client data to train its models — a guarantee audited by Ernst & Young in September 2025. However, since August 2025, the free and individual versions (Pro, Max) allow conversations to be used for training unless the user objects before the stated deadline. As with the other platforms, ungoverned use (shadow AI) remains the Achilles heel.
Microsoft Copilot — powerful, but a revealer of your internal weaknesses
Microsoft guarantees that Microsoft 365 Copilot data is not used to train the foundation models. Good news. The problem lies elsewhere: Copilot acts like a powerful flashlight pointed at all of your files. It accesses everything the user can see in Microsoft 365 — emails, SharePoint, Teams, OneDrive. According to a Concentric AI study (2025), Copilot accesses on average about 3 million confidential files per organisation — thousands of which are shared without access restrictions. If your internal permissions are poorly configured, Copilot becomes a data-leak amplifier — without any data ever leaving your tenant.
Google Gemini — the hungriest for personal information
According to a Surfshark study, Google Gemini is the AI assistant that collects the most information among the major models analysed. In the free version (a personal Gmail account), your conversations, your files, your location and your history may feed Gemini's training. The Google Workspace version with a signed data processing agreement (DPA) offers stronger guarantees — but this presupposes an organisation that has taken that step, which is far from universal.
"When an employee sends client data to ChatGPT without explicit authorisation, the company is liable to a fine under Law 25." — Nick Dooley, The Altercation Company · La Presse, May 1, 2026
Law 25: what it concretely changes for you
Law 25 (the Act respecting the protection of personal information in the private sector) imposes precise obligations on any organisation that collects or transmits the personal information of Quebec residents. These obligations also apply to data sent to AI services.
Five obligations that apply directly to AI
Shadow AI creates a dual constraint. The American CLOUD Act lets American authorities access data held by American companies, even in Canada. Law 25, in turn, requires that same data to be protected. Organisations are caught in a vice between two incompatible regimes — and it is their responsibility to manage the risk. Penalties can reach $25M or 4% of worldwide turnover (s. 93).
Samsung, 2023 — the textbook case every organisation should know
Within a single month, three Samsung Semiconductor engineers inadvertently sent proprietary source code, internal meeting notes and information about equipment defects to ChatGPT. That data became OpenAI's property and was potentially incorporated into the training corpus. Samsung immediately banned ChatGPT on all of its corporate devices. But the data itself will never come back.
Six concrete levers to protect your data
Protecting your data does not mean giving up AI. It means using AI intelligently, by choosing the right tool for the right use, and putting the necessary safeguards in place. Here are six complementary levers.
Enterprise versions with a processing agreement
ChatGPT Teams/Enterprise, Claude for Work, Microsoft 365 Copilot, Google Workspace pro — all offer contractual guarantees (DPA) that data will not be used for training. This is the first barrier to put in place.
Local AI on GPU (Ollama, LM Studio)
Tools such as Ollama or LM Studio let you deploy an LLM directly on a server or workstation equipped with a GPU. No data leaves your infrastructure — the ultimate solution for highly sensitive data.
A written AI usage policy
Define in writing which tools are authorised, for which uses, with which data — and train all of your employees. Without a written policy, you have no recourse in the event of an incident.
Access governance (before Copilot)
Before any deployment of Microsoft 365 Copilot, audit and restrict internal permissions. What Copilot can read, your employees (or a compromised account) can extract. The prior audit is not negotiable.
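The kind of pre-Copilot permission audit described above, as an added example that is not Synéra's tooling or Microsoft's: it runs over a constructed export of file-level grants (site, path, sensitivity label, principal, access level), the shape a sharing or permissions report typically yields, and flags items that a tenant-wide group can read. The list of "broad" principals and the label names are assumptions; adjust them to your tenant. Whatever Copilot would surface from these rows, any user or compromised account could already read, which is why the findings come before the rollout, not after.

```python
"""Pre-Copilot permission audit over a constructed permissions export (added example)."""
from collections import Counter

# Principals whose membership is effectively the whole tenant (assumption; adjust to your environment).
BROAD_PRINCIPALS = {"everyone", "everyone except external users", "all users"}
# Sensitivity labels that must never be readable tenant-wide (assumption; use your label taxonomy).
SENSITIVE_LABELS = {"confidential", "highly confidential"}

# Constructed export: one row per (item, principal) grant.
SAMPLE_PERMISSIONS = [
    {"site": "HR", "path": "/HR/payroll-2026.xlsx", "label": "Confidential",
     "principal": "Everyone except external users", "access": "Read"},
    {"site": "HR", "path": "/HR/payroll-2026.xlsx", "label": "Confidential",
     "principal": "HR Team", "access": "Edit"},
    {"site": "Finance", "path": "/Finance/board-deck.pptx", "label": "Highly Confidential",
     "principal": "All Users", "access": "Edit"},
    {"site": "Marketing", "path": "/Marketing/logo.png", "label": "Public",
     "principal": "Everyone", "access": "Read"},
    {"site": "Legal", "path": "/Legal/contract-ACME.pdf", "label": "Confidential",
     "principal": "Legal Team", "access": "Read"},
    {"site": "IT", "path": "/IT/server-notes.docx", "label": "",
     "principal": "Everyone", "access": "Read"},
]


def is_broad(principal):
    """True when the grant goes to a tenant-wide group rather than a scoped team."""
    return principal.strip().lower() in BROAD_PRINCIPALS


def audit(rows):
    """Return findings: sensitive items exposed tenant-wide ('high') and
    unlabelled items exposed tenant-wide that need classification first ('review')."""
    findings = []
    for r in rows:
        if not is_broad(r["principal"]):
            continue
        label = r["label"].strip().lower()
        if label in SENSITIVE_LABELS:
            findings.append({"site": r["site"], "path": r["path"], "severity": "high",
                             "reason": f"{r['label']} item readable by {r['principal']} ({r['access']})"})
        elif label == "":
            findings.append({"site": r["site"], "path": r["path"], "severity": "review",
                             "reason": "unlabelled item shared tenant-wide; classify before rollout"})
    return findings


def findings_by_site(findings):
    """Count findings per site so the cleanup can be prioritised by owner."""
    return Counter(f["site"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_PERMISSIONS)
    for f in results:
        print(f"[{f['severity']}] {f['path']}: {f['reason']}")
    print(findings_by_site(results))
```

Items labelled Public and shared tenant-wide (the logo in the sample) are deliberately not flagged: the audit targets the mismatch between label and audience, not broad sharing as such.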
A PIA for each AI tool
Formally document the risks associated with each AI tool that processes personal information — required by Law 25 for any data transfer outside Quebec.
Shadow AI detection (CASB / DLP)
Put network monitoring tools in place to detect the use of unauthorised AI tools — before a leak forces a mandatory report to the CAI.
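The detection logic behind such monitoring, as an added example rather than any CASB or DLP product's own code: it parses outbound web-proxy records, maps destination hosts to known generative-AI services by domain suffix, and reports content uploads (POST requests above a size threshold) to tools that are not covered by an approved contract. The log format, the sample lines, the upload threshold and the single approved tool (Copilot) are all constructed assumptions; the domain list is a starting point to extend with your own.

```python
"""Shadow AI detection over outbound proxy logs (added example with constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Known public generative-AI endpoints, matched by hostname suffix. Extend for your environment.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT", "openai.com": "ChatGPT",
    "claude.ai": "Claude", "anthropic.com": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Tools licensed under a processing agreement (assumption: only Copilot is sanctioned here).
APPROVED_TOOLS = {"Copilot"}

# Bytes sent in one request above which we treat it as a content upload (assumption).
UPLOAD_THRESHOLD = 4096

# Constructed log format: ISO timestamp, user, client IP, destination host, method, bytes sent.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<bytes>\d+)$"
)

SAMPLE_LOG = """\
2026-05-04T09:12:33Z alice 10.0.0.12 chatgpt.com POST 18452
2026-05-04T09:13:01Z alice 10.0.0.12 chatgpt.com GET 312
2026-05-04T09:20:45Z bob 10.0.0.34 copilot.microsoft.com POST 9001
2026-05-04T09:31:10Z carol 10.0.0.56 claude.ai POST 25000
2026-05-04T09:32:00Z carol 10.0.0.56 www.example.com POST 50000
2026-05-04T10:05:12Z dave 10.0.0.78 api.openai.com POST 7777
malformed line here
"""


def identify_tool(host):
    """Map a destination host to an AI tool name by suffix match, or None if unknown."""
    host = host.lower()
    for suffix, tool in AI_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    return None


@dataclass
class Finding:
    ts: str
    user: str
    tool: str
    host: str
    bytes_out: int


def detect_shadow_ai(log_text):
    """Return one Finding per content upload to an AI tool outside the approved list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the whole run
        tool = identify_tool(m["host"])
        if tool is None or tool in APPROVED_TOOLS:
            continue
        if m["method"] != "POST" or int(m["bytes"]) < UPLOAD_THRESHOLD:
            continue  # browsing the site is not the same as sending it your documents
        findings.append(Finding(m["ts"], m["user"], tool, m["host"], int(m["bytes"])))
    return findings


def summarise(findings):
    """Total bytes sent per (user, tool), the figure an incident report will ask for."""
    totals = defaultdict(int)
    for f in findings:
        totals[(f.user, f.tool)] += f.bytes_out
    return dict(totals)


if __name__ == "__main__":
    hits = detect_shadow_ai(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.user} -> {f.tool} ({f.host}), {f.bytes_out} bytes")
    print(summarise(hits))
```

On the sample, Bob's Copilot upload is ignored because the tool is approved, and Alice's small GET is ignored because no content was sent; what remains is the list of people to talk to before a leak turns into a report to the CAI.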
Focus: local AI on GPU — sovereignty within your reach
The most radical — and most secure — alternative is locally deployed AI. Tools such as Ollama or LM Studio let you install and run open source models (Llama 3, Mistral, Qwen, DeepSeek) directly on your own hardware.
No data leaves your network, no subscription to a third-party platform, no dependence on the American CLOUD Act, simplified Law 25 compliance, and possible offline operation. In 2026, deploying a sovereign LLM takes less than an hour and costs $0 per request once the hardware is in place.
For everyday professional uses — drafting, summaries, analysis of internal documents, code generation — a workstation equipped with a recent NVIDIA GPU (RTX 4070 or better) is enough to run models of 7 to 14 billion parameters with excellent performance. For a multi-user deployment (5 to 50 employees), a dedicated server with a GPU lets the whole team benefit from an in-house AI, without any data leaving the premises.
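A small gate that puts the "right tool for the right use" principle from the six levers into practice, together with the local deployment described in this section, as an added example that is neither Synéra's nor Ollama's code: it scans a prompt for personal information (email addresses, phone numbers, and nine-digit numbers that pass the Luhn check used by Canadian SINs), routes anything that matches to a local Ollama instance, and lets generic requests go to the cloud tool covered by your processing agreement. It assumes an Ollama server on its default port 11434 on the same machine and a model named `llama3` that has already been pulled; the sample prompts and the SIN `046 454 286` are constructed test values.

```python
"""Personal-information gate in front of an LLM: sensitive prompts stay on local hardware.
Added example; assumes Ollama at http://127.0.0.1:11434 with a model called "llama3"."""
import json
import re
import urllib.request

LOCAL_ENDPOINT = "http://127.0.0.1:11434/api/generate"  # Ollama default port (assumption)
LOCAL_MODEL = "llama3"  # assumption: pulled beforehand with `ollama pull llama3`

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b")
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def luhn_ok(digits):
    """Luhn checksum (used by Canadian SINs); rejects most random nine-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_personal_info(text):
    """Return the kinds of personal information detected in the text."""
    kinds = set()
    if EMAIL_RE.search(text):
        kinds.add("email")
    if PHONE_RE.search(text):
        kinds.add("phone")
    for m in SIN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.add("sin")
    return kinds


def route_prompt(text):
    """'local' when personal information is present, otherwise 'cloud'."""
    return "local" if find_personal_info(text) else "cloud"


def ask_local(prompt, model=LOCAL_MODEL, endpoint=LOCAL_ENDPOINT):
    """Send a prompt to the local Ollama server; the request never leaves the host."""
    body = json.dumps({"model": model, "prompt": prompt, "stream": False}).encode()
    req = urllib.request.Request(endpoint, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)["response"]


if __name__ == "__main__":
    # Constructed prompts: one with a client email, one generic, one with a valid SIN,
    # one with a nine-digit number that is not a SIN.
    for prompt in [
        "Summarise the meeting with client jean.tremblay@example.com",
        "Draft a generic job posting for a receptionist",
        "Update the file for employee SIN 046 454 286",
        "Order number 123 456 789 was shipped yesterday",
    ]:
        print(f"{route_prompt(prompt):5} <- {prompt}")
    # Only when a local server is running:
    # print(ask_local("Summarise the meeting with client jean.tremblay@example.com"))
```

Pattern matching catches identifiers, not context: a prompt that names a client without any identifier still goes to the cloud under this rule, which is why the written usage policy and employee training remain the other half of the control.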
Synéra supports your organisation in evaluating, selecting and deploying a local AI solution suited to your context — from the individual workstation to the shared server.
Action plan: what to do this quarter
The window for acting proactively is closing. Regulatory investigations are multiplying, the CAI has powers to issue orders and fines, and your peers are starting to put their AI governance in place. Here is an immediate action plan for leaders.
- Officially and unofficially (shadow AI). You cannot manage what you cannot see.
- If not already done. Required by Law 25 since September 2022. The Privacy Officer on demand is an economical option for SMEs.
- Written, communicated to all employees and signed. It is your primary line of defence in the event of an inspection.
- For any tool processing the data of clients, users or employees. It documents your due diligence.
- For the cloud tools you keep. Or evaluate a local AI solution for the most sensitive uses.
- A well-informed employee is your best defence against shadow AI. Training is documented, like everything else.
Take stock of your AI exposure and your Law 25 compliance
Synéra supports Quebec municipalities, SMEs and non-profits in assessing their AI exposure, drafting their usage policy and putting in place governance scaled to their size — without jargon and without overengineering.
Further reading
- La Presse — "Your use of AI at work could be illegal" (May 1, 2026)
- Le Devoir — "ChatGPT breaches several Canadian laws" (May 2026)
- Radio-Canada — "OpenAI did not comply with the personal data law" (May 2026)
- Leto Legal — Claude and GDPR 2026: compliance, security, DPA
- FredZone — Microsoft Copilot and the handling of sensitive data (2025)
- Mon Carnet — Google Gemini, the hungriest for data (2025)
- Local LLM and GDPR 2026: hosting your AI in full sovereignty
- Commission d'accès à l'information du Québec — Law 25
- Ollama — open source local AI platform
Synéra packages mentioned in this article
- Synéra Conforme — Law 25 compliance and PIA support
- Synéra Vigile — ongoing monitoring and compliance
- Privacy Officer on demand — outsourced certified officer, from $750/month
This article is written for general information and awareness purposes. It does not constitute legal advice. For any question relating to your specific situation, contact Synéra or your legal advisor.