What You Need to Know About Canada’s AI Law Proposals
Regulations

What You Need to Know About Canada’s AI Law Proposals

November 17, 2022

Digital technologies are being adopted across all sectors and are transforming businesses. While this can free workers from mundane tasks, improve efficiency, and open the door for innovation, there are growing concerns about the risks of these technologies.

To address this, Canada has introduced the Digital Charter Implementation Act (Bill C-27), which proposes three acts that have been described as a holistic package of legislation for trust and privacy: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence & Data Act (AIDA). This blog summarises all three Acts, focusing on AIDA and its implications for AI risk management.

Canada’s AI Law Proposal Key Takeaways

  • Canada’s Digital Charter Implementation Act introduces the Consumer Privacy Protection Act, The Personal Information and Data Protection Tribunal, and the Artificial Intelligence and Data Act (AIDA)
  • If passed, AIDA would be Canada’s first AI law and would complement its Algorithmic Impact Assessment Tool
  • AIDA would establish requirements for the design, development, and use of AI systems
  • Requirements would relate to bias, systems transparency, risk mitigation, and record-keeping

Consumer Privacy Protection Act

One of the major contributions of the Consumer Privacy Act (CPA) is the protections it proposed for minors regarding collecting and processing their personal information, similar to California’s Age Appropriate Design Code Act.

While the CPA’s requirements are not as comprehensive as the EU’s GDPR, which is currently the global gold standard for privacy regulation, the legislation would have important implications for Canadians if passed, including:

  • The right to ask for personal information to be disposed of when no longer needed
  • The right to securely move information from one organization to another
  • The broad prowess of the Privacy Commissioner of Canada, including the power to order companies to stop collecting data or personal information

Penalties for non-compliance could be up to 5% of global revenue or CA$25 million, whichever is greater. There are also penalties of up to 3% of global revenue or CA$10 million for other violations.

The Personal Information & Data Protection Tribunal Act

This act would establish the Personal Information & Data Protection Tribunal, which would review ongoing recommendations by the Privacy Commissioner of Canada. In addition, this tribunal would focus on looking at the Commissioner's administrative penalty recommendations.

Canada’s AI Law: The Artificial Intelligence & Data Act

If the AIDA is passed, this will entail significant governance and transparency requirements for the businesses that use or develop AI in Canada. For example:

  • Requirements to adhere to data obtained lawfully versus unlawfully to train and build these systems will be developed
  • Specific requirements are aimed at high-impact systems, which must be deployed to mitigate the risk of harm and bias. However, how high-impact systems will be defined is still being determined.
  • Creating the role of an AI & Data Commissioner to monitor company compliance and order third-party audits as required.

While the meaning of high-impact systems has yet to be defined in the Act, in the interim, the Algorithmic Impact Assessment tool, developed by the Government of Canada for use by state agencies in their procurement and use of AI, can be used as a guide to understanding Canada’s approach to regulating AI more widely.

Other AI Regulatory Initiatives in Canada

Canada’s trio of laws follows from its Directive on Automated Decision-Making, which focuses on risk management concerning the federal government’s use of AI & decision making.

In addition, a recent report presented to the House of Commons corroborates Canada’s commitment to AI regulation from privacy and security verticals. This report looks at facial recognition technology and AI, focusing on the regulation and implications of the potential banning of such technologies.

What Does This Mean for You?

If passed, businesses that develop AI for the collection and procession of personal information and those that use these tools could have to answer to federal transparency and privacy protection expectations.

The packages of legislation could also apply pertinently to businesses that use biometric and facial recognition technology, who use AI in any consumer information collection capacity, as well as to the design stage of AI in how human activities are being used to develop these systems.

There are speculations that the AIDA is unlikely to pass but is instead a skeletal placeholder until the formal passing of the EU AI Act, which is anticipated to become the global standard. However, the AIDA would set a precedent for provinces and territories across Canada to introduce and potentially enact legislation towards regulating AI across different verticals, as seen in the US.

Taking steps early is the best way to get ahead of this and other global AI regulations. At Holistic AI, our software platform combined by a team of AI experts who, informed by relevant policy, can help you manage the risks of your AI. Schedule a demo to find out more about how we can help you embrace your AI with confidence.

Subscribe to our Newsletter!

Join our mailing list to receive the latest news and updates.

Manage risks. Embrace AI.

Our automated AI Risk Management platform empowers your enterprise to confidently embrace AI

Get Started