In recent years, the rapid advancement of artificial intelligence (AI) has necessitated a comprehensive regulatory framework to address the ethical, legal, and social implications of these technologies. This article summarizes key developments in the Canadian government’s efforts to establish a robust regulatory framework for the use of AI, as the technology continues to evolve and integrate across various sectors.
The two key legislative developments shaping the landscape of AI regulation in Canada are the Artificial Intelligence and Data Act (AIDA) arising from the omnibus Bill C-27, and the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194).
The proposed legislation aims to address the complexities and challenges posed by AI technologies, with implications for businesses, public institutions, and individuals alike.
The Artificial Intelligence and Data Act
AIDA is designed to govern AI development and usage across the country. It is a significant step towards ensuring that AI technologies are developed and implemented responsibly, transparently, and in ways that respect human rights. AIDA aims to:
- create a comprehensive framework for the ethical and responsible development and deployment of AI technologies;
- ensure accountability for risks associated with high-impact AI systems used in the course of international and interprovincial trade and commerce; and
- prohibit conduct (including discriminatory conduct) that may harm individuals (including physical harm, psychological harm, damage to property, and/or economic loss),
all while bringing Canada to the forefront of international standards of AI governance.
For businesses and organizations involved in AI development, AIDA represents both a challenge and an opportunity. Compliance with the Act requires investment in robust governance frameworks, ongoing monitoring, and continuous improvement processes. However, adherence to these standards can also enhance reputation, build consumer trust, and open up new markets.
Key principles and provisions of AIDA include:
- Transparency and Accountability: AIDA mandates that AI systems be transparent and explainable. Specifically, developers and operators must provide clear documentation on how their AI systems function, make decisions, and ensure that these decisions can be understood by non-experts. This includes the proactive documentation of policies, processes, and measures implemented.
- Risk Management Framework: AIDA adopts a risk-based approach to AI regulation. This means that the level of oversight and control is proportional to the potential risks posed by the AI system. AIDA mandates that AI systems be categorized based on the level of risk they pose to individuals and society. Higher-risk systems will be subject to stricter oversight and compliance requirements. Private entities under the scope of AIDA will need to routinely conduct and monitor risk assessments of their AI platforms, set up measures to mitigate those risks, and – in line with transparency principles – share information with the public about how these high-impact AI systems work, what they’re intended for, and how risks are managed. High-risk AI applications, such as those used in healthcare or law enforcement, are subject to more stringent requirements compared to lower-risk applications.
- Human Oversight: AIDA requires that AI systems, especially those classified as “high-risk”, be designed and developed to incorporate human oversight mechanisms, with the goal that meaningful human judgment and intervention assist in mitigating and reducing any potential harm caused by AI-only decisions.
- Penalties and Enforcement: AIDA provides for two types of penalties for regulatory non-compliance – administrative monetary penalties and prosecution of regulatory offences – as well as a separate mechanism for true criminal offences. The proposed scope of penalties is substantial (including fines up to CAD 10 million and 3% of gross global revenues in the preceding financial year for corporations) and is meant to deter malicious conduct and repeat offences.
For the public, AIDA provides reassurance that AI technologies will be developed and used in ways that are safe, ethical, and respectful of human rights. This can increase acceptance and adoption of AI across various sectors, driving innovation and economic growth in Canada.
Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024
In an era where cyber threats are becoming increasingly sophisticated and prevalent, the introduction of Bill 194 by the Ontario provincial government marks a significant step to enhance cybersecurity and lay a regulatory foundation for the use of AI within public institutions. Schedule 1 of Bill 194 would enact the Enhancing Digital Security and Trust Act, 2024 (EDSTA) and amend the Freedom of Information and Protection of Privacy Act to address cyber security and artificial intelligence systems at public sector entities.
Bill 194 was introduced in response to growing concerns about the vulnerability of public sector institutions to cyberattacks. Public sector institutions hold vast amounts of sensitive data and are increasingly targeted by cybercriminals. This bill represents a proactive approach to mitigate these risks and protect public information. The proposed legislation regulates the use of AI by the public sector, and its key provisions include:
- Mandatory Cybersecurity Standards: Public sector organizations must adhere to standardized cybersecurity protocols, ensuring a uniform level of protection across the board;
- Regular Audits and Assessments: Institutions are required to conduct regular cybersecurity audits and vulnerability assessments to identify and address potential weaknesses;
- Incident Reporting: Bill 194 mandates timely reporting of cybersecurity incidents to a central authority, facilitating a coordinated response to breaches; and
- Data Privacy Measures: Alongside cybersecurity, Bill 194 emphasizes data privacy, requiring organizations to implement robust data protection measures and ensuring compliance with privacy regulations.
Of note, the EDSTA also addresses the potential impact of AI on minors under the age of 18 and would provide the government with the power to enact accompanying regulations regarding the collection, use, retention and disclosure of digital information relating to minors by children’s aid societies and school boards.
While Bill 194 sets out a framework for AI and cybersecurity in the public sector, the majority of its key provisions are to be released and determined by parliamentary debate of Bill 194, public submissions, and the proposed future accompanying regulations, if passed.
Practical Considerations for Stakeholders
With the introduction of AIDA and Bill 194, it’s important for businesses, public institutions, and individuals to understand how these regulations will affect their operations and responsibilities. Stakeholders falling under the purview of the anticipated AI legislation should:
- Monitor Developments: Staying informed and proactive regarding Canada’s budding AI legislation will help everyone navigate the complexities of AI regulation and ensure compliance with the new legal standards.
- Compliance Readiness: Entities developing or deploying AI systems should conduct, monitor, and record thorough risk assessments to ensure future compliance with AIDA or EDSTA (as applicable). This includes implementing transparency measures and human oversight where necessary.
- Policy Development: Reviewing and bolstering internal AI policies and frameworks in anticipation of the legislation will help minimize risks while allowing for a smoother transition to compliance when the legislation is released.
- Privacy Practices: Strengthening data privacy practices is always recommended. Businesses must align their AI systems with existing privacy laws and prepare for enhanced scrutiny.
- Training and Awareness: Staff training on AI ethics, privacy, and security will be essential. Building internal expertise will help institutions navigate the complexities of AI regulation.
Conclusion
Canada’s evolving regulatory landscape will present both challenges and opportunities for various stakeholders, as AIDA and Bill 194 mark a significant milestone in Canada’s forefront approach to regulating AI. While AIDA and Bill 194 have yet to come into force, one thing is clear: business owners and public institutions alike with a presence in Canada must assess their current business practices, AI and privacy protection strategies, oversight mechanisms, and general practices to confirm their compliance with AI legislation as it unfolds in Canada.
Cozen O’Connor will closely monitor AIDA and Bill 194’s progress through parliament.
If you have any questions about this article, or if you need assistance navigating the proposed legislation or AI regulation in Canada, please feel free to contact Atoussa Mahmoudpour and Any Obando Ospina of Canada’s Privacy and Technology team.