Privacy Rules and AI, Jurisdiction by Jurisdiction

The fastest-growing privacy risk in small firms is quiet: staff pasting client information into public AI tools. Whether that breaks a rule — and which rule — depends on where you are and what data you handle. What doesn't vary: when the AI runs on your own hardware, the "did we just disclose personal information to a third party?" question mostly disappears, because there is no third party in the loop.

How These Guides Work

Each guide covers one jurisdiction or one law, cites the statute text or the regulator's own guidance directly, and carries a last verified date. None of this is legal advice — it's the map you bring to a conversation with your lawyer or privacy officer, so that conversation is shorter and cheaper.

What You'll Find Here

  • The general pattern: what privacy laws ask of you when a third party processes your client data — and what changes when no third party is involved
  • Jurisdiction guides (Canada's PIPEDA and Ontario's PHIPA first — where our deployment experience is deepest — with peers to follow)
  • The questions to ask any AI vendor about where your data goes

External Resources

Authoritative references and tools related to this documentation type.

AI that works here. Data that stays here.

Talk to an engineer about what a local AI setup looks like for your office — scope, hardware, and a real number.

Assess your readiness →