Artificial intelligence (AI) regulation may be coming to Canada.
Bill C-27 (otherwise known as The Digital Charter Implementation Act, 2022) was introduced in Parliament for its first reading on June 16, and is Canada’s second attempt at reforming federal privacy law. (The first attempt, Bill C-11, died on paper when the 2021 federal election was called.) While a lot of the new bill comes from its predecessor, it contains a few significant changes – one which is the Artificial Intelligence and Data Act (AIDA).
As per McCarthy Tetrault LLP, AIDA is “an entirely new law which aims to regulate the development and use of AI in Canada. If adopted, the AIDA would become Canada’s first law specifically dedicated to regulating AI.”
At present, Canada has relied on privacy laws (such as Quebec’s Bill 64) to regulate AI systems. The public sector has used the Directive on Automated Decision-Making as a guidepost; it imposes requirements (primarily related to risk management) on the federal government and its use of automated decision systems. AIDA, however, recognizes the importance of trust in the data-driven economy, and creates significant new governance and transparency requirements for businesses that use and develop these systems. It will also give the federal government extensive regulatory powers over the AI sector.
AIDA’s specific requirements include:
- Governance – system and risk assessments, monitoring, data anonymization, and record-keeping,
- Transparency – publication requirements for developers, which include details on how the system will be used, the types of content it will generate, risk management mitigation measures, and other info, as well as rules around “notification in the event of harm”,
- Ministerial orders – the Minister is granted significant powers to make orders and regulations around record collection, auditing, use cessation, information publication and disclosure, and
- Penalties for non-compliance, which includes administrative monetary penalties, significant fines, and criminal charges.
Bill C-27 also includes the Consumer Privacy Protection Act, which requires organizations to show “a general account of the organization’s use of any automated decision system to make predictions, recommendations or decisions about individuals that could have a significant impact on them.”
The aforementioned McCarthy Tetrault article (and this one from Mathews Dinsdale) provide a good look at the details of the tabled legislation. If adopted, it will have a significant impact on businesses, and we recommend seeking legal advice when clarification is required.
Follow this blog (and our social media channels) for updates on this and other matters.