Status of the AI Regulations

AIDA was introduced in June 2022 and successfully passed its second reading, and was referred to the Standing Committee on Industry Science and Technology ("the Committee") on April 24, 2023.³ The original version of AIDA contained limited substantive content as it left most key elements of the legal regime to be set out at a later date in regulations (including the main compliance obligations and the definition of "high-impact systems," which are the primary focus of the Bill). The Minister of Innovation, Science and Industry, François-Philippe Champagne, subsequently presented the Committee with proposed amendments on November 28, 2023 ("the Proposed Amendments") which are substantial and have addressed some of the concerns regarding the first iteration of AIDA.⁴ The Proposed Amendments have not yet been officially adopted.

It is unclear when AIDA will come into effect; it is yet to be voted out of committee, and there is some doubt whether it will pass before October 2025 (the deadline to hold a federal election).⁵ Others have called for AIDA to be stripped out of Bill C-27 and overhauled.⁶

Other laws affecting AI

There are various laws that do not directly seek to regulate AI, but that may affect the development or use of AI in Canada, whether federal, provincial or territorial. A non-exhaustive list of related laws affecting AI includes: 

• At the federal level, the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).⁷
• At a provincial level, the Personal Information Protection Act, SA 2003 (in Alberta); the Personal Information Protection Act (in British Columbia); and the Act Representing the Protection of Personal Information in the Private Sector (in Quebec). Amendments to the Quebec Act that entered into force in September 2023 now regulate automated decision-making based on the processing of personal information, and require disclosure of the occurrence of processing and the provision of information about the reasons and factors that have led to a decision. This new obligation is inspired by Article 22 of the GDPR.
• Intellectual property laws may affect several aspects of AI development and use.
• Competition law may have influence over the structure of the AI market in Canada. In March 2024, the Competition Bureau of Canada has launched a call for comments on the intersection of AI and competition law. 
• Although no specific changes have been proposed at this moment, the Innovation Council of Quebec has recommended amending Quebec labor law to account for the impacts of AI.⁸
• Existing human rights and anti-discrimination laws (including the Canadian Human Rights Act) regulate discriminatory outcomes and practices, such as those that may result from biased outputs and decisions from AI systems.

Definition of “AI”

Further to the Proposed Amendments, AIDA currently adopts the following definitions:

• "Artificial intelligence system" means a "system that, using a model, makes inferences in order to generate output, including predictions, recommendations or decisions".⁹
• "General-purpose system" means an "artificial intelligence system that is designed for use, or that is designed to be adapted for use, in many fields and for many purposes and activities, including fields, purposes and activities not contemplated during the system's development".¹⁰
• "Machine-learning model" means a "digital representation of patterns identified in data through the automated processing of the data using an algorithm designed to enable the recognition or replication of those patterns".¹¹

The Proposed Amendments clarify that an AI system may be a general-purpose system and a high-risk system at the same time.¹²

Territorial scope

AIDA has a wide territorial scope. Per the Proposed Amendments, Part 1 of AIDA applies in respect of: (i) AI systems or machine learning models made available in the course of international or interprovincial trade and commerce (cross-border trade); and (ii) the management of the operations of AI systems used in the course of cross-border trade.¹³

In the event a provincial legislation would adopt its own AI law, it remains unclear to what extent AIDA would apply to activities inside this province. Per the Canadian Constitution, federal and provincial government have specific fields of competence where they have authority to legislate. It is possible that the AI law may follow the same path as privacy law: Where some provinces (like Quebec, Alberta and British Columbia) have adopted their own privacy laws, PIPEDA does not apply in their field of competence (but may regulate sectors under federal jurisdiction, like banking). However, in provinces with no general privacy laws (like Ontario), PIPEDA fully applies.

Sectoral scope

While "high-impact systems" (see below) are defined by reference to their potential use in certain classes (some of which relate to sectors), AIDA does not generally adopt a sector-specific approach. Instead, AIDA imposes different obligations on certain persons depending on: (i) the type of AI system they are involved with (i.e., general-purpose, machine-learning models, or high-impact systems); and (ii) their position along the AI value chain.¹⁴

Compliance roles

As per the Proposed Amendments, obligations are tailored to each organization's role in the AI value chain. Specifically, the following persons have obligations under AIDA:

• In relation to general-purpose AI systems¹⁵ and high-impact systems¹⁶ – persons who manage such systems; persons who make such systems available; and persons who make such systems available for the first time in the course of cross-border trade. 
• In relation to machine-learning models¹⁷ – persons who first make a machine-learning model available, for incorporation into a high-impact system, in the course of cross-border trade.

Core issues that the AI Regulations seek to address

AIDA's stated purposes are: (i) to regulate cross-border trade in AI systems by establishing common requirements applicable across Canada, for the design, development and use of those systems; and (ii) to prohibit certain conduct in relation to AI systems that may result in serious harm to individuals or harm to their interests (in particular, biased outputs).¹⁸

Risk categorization

If an AI system's intended use(s) falls within one of seven classes identified in the Proposed Amendments, that AI system will be considered to be a "high-impact system."¹⁹ Specifically, an AI system will be considered "high-impact" if it is used:

1. To determine employment matters (i.e., to determine employment, recruitment, referral, hiring, remuneration, promotion, training, apprenticeship, transfer or termination). 
2. In matters relating to service access, specifically, AI systems used: (i) to determine whether to provide services to an individual, or the type or cost of services to be provided to an individual; or (ii) to prioritize services to be provided to individuals.
3. To process biometric information in matters relating to: (i) the identification of an individual, except where such information is processed with the individual's consent to authenticate their identity; or (ii) the assessment of an individual's behavior or state of mind.
4. In matters relating to content moderation and prioritisation, specifically, AI systems used in: (i) the moderation of content that is found on an online communications platform, including a search engine or social media service; or (ii) the prioritization of the presentation of such content.
5. In healthcare or emergency services matters, with certain exceptions, pursuant to the Food and Drugs Act.
6. By a court or administrative body in determinations relating to an individual who is a party to proceedings.
7. To assist a peace officer, as defined in the Criminal Code, in the exercise and performance of their law enforcement powers, duties, and functions.²⁰

Key compliance requirements

AIDA adopts a detailed approach to compliance requirements.²¹ Some of these requirements (such as those relating to risk management measures) are specific to particular roles in the AI value chain. For example:

• Persons who first make a machine-learning model available for incorporation into a high-impact system, in the course of cross-border trade (i.e., developers), must establish measures to identify, assess and mitigate against the risks of biased output before the model is made available.²²
• In contrast, persons who first make high-impact systems available must ensure that risk mitigation measures are in place, and that they have been tested.²³ Those who manage the high-impact systems are responsible for actually conducting tests to establish the mitigation measures effectiveness.²⁴

Other AIDA requirements are tailored to the distinct challenges and objectives at each point in the AI value chain:

• Persons who first make a machine-learning model available for incorporation into a high-impact system, in the course of cross-border trade, must ensure that measures respecting the data used in developing the model have been established in accordance with regulations.²⁵
• In contrast, high-impact system operators must establish measures that allow for users to provide feedback on the system's performance.²⁶

One of the key obligations introduced by the Proposed Amendments is the establishment and maintenance of written accountability frameworks by persons who make a general-purpose system or high-impact system available, or who manage the operations of such systems. Written accountability frameworks shall include (among other things): (i) a description of the roles, responsibilities, and reporting structure for all personnel who contribute to making the system available or managing its operations; (ii) policies and procedures respecting the management of risks relating to the system and the data used by the system; and (iii) anything else required by regulation.²⁷

Regulators

Under the Proposed Amendments, the Artificial Intelligence and Data Commissioner ("the Commissioner") nominated by the minister in charge of the Act has central responsibility for enforcing AIDA. If the Commissioner is absent or incapacitated, or if no Commissioner is designated, the relevant minister will fulfil the role of the Commissioner.²⁸

Enforcement powers and penalties

The Commissioner has the power to:

• Compel the provision of an accountability framework, and provide guidance or recommendations as to corrective measures that need to be taken in relation to that framework.²⁹
• Compel a person who makes available or manages any AI system to provide an assessment as to whether the AI system is one of those subject to AIDA.³⁰
• Conduct an audit, require any person to conduct an audit, or require any person to engage the services of an independent auditor if the Commissioner has reasonable grounds to believe that a person has contravened or is likely to contravene certain sections of AIDA.³¹
• Disclose and receive information to and from other regulators, including (among others) the Privacy Commissioner, the Canadian Human Rights Commission, the Commissioner of Competition, and the Financial Consumer Agency of Canada.³²

The penalties available under AIDA were unchanged by the Proposed Amendments, although further revisions will likely be necessary.³³ Currently, contravention of sections 6 through 12 and certain other offences are punishable as follows:³⁴

• On a conviction on indictment, by: (i) a fine of not more than the greater of CAD 10 million and 3 percent of gross global revenues in the preceding financial year for companies; and (ii) a fine at the discretion of the court, for individuals.
• On a summary conviction, by: (i) a fine of not more than the greater of CAD 5 million and 2 percent of gross global revenues in the preceding financial year for companies; and (ii) a fine of not more than CAD 50,000 for individuals. 

General offenses³⁵ are punishable as follows:³⁶

• On conviction on indictment, by: (i) a fine of not more than the greater of CAD 25 million and 5 percent of gross global revenues in the preceding financial year for companies; and (ii) a fine at the discretion of the court, or a term of imprisonment of up to five years less a day, or both, in the case of an individual.
• On summary conviction, by: (i) a fine of not more than the greater of CAD 20 million and 4 percent of gross global revenues in the preceding financial year for companies; and (ii) a fine of not more than CAD 100,000 or to a term of imprisonment of up to two years less a day, or both, in the case of an individual.

_{1 See here. 
2 See here (in French).
3 See here.
4 See here. 
5 See here and here. 
6 See here.
7 Note that if Bill C-27 is adopted, PIPEDA will be replaced by the Consumer Privacy Protection Act and the Electronic Documents Act.
8 See here (in French).
9 See the Proposed Amendments, p.17.
10 See the Proposed Amendments, p.19.
11 See the Proposed Amendments, p.19.
12 See the Proposed Amendments, p.19: "For greater certainty, an artificial intelligence system may be a general-purpose system and a high-impact system at the same time".
13 See the section entitled "Application", on page 19 of the Proposed Amendments.
14 See the Proposed Amendments, pp.7-8. The Minister explains that the concept of "persons responsible" has been replaced with "distinct obligations based on each organization's role with regard to the system." 
15 See the Proposed Amendments, p.20, Section 7(1) (persons who make a general-purpose system available in the course of cross-border trade for the first time) and page 21, sections 8(1) (persons who make a general-purpose system available) and 8.2 (persons managing the operations of a general-purpose system).
16 See the Proposed Amendments, p.23, Sections 10(1) (persons who make a high-impact system available in the course of cross-border trade for the first time) and 10.1(1) (persons who make a high-impact system available), and page 24, section 11(1) (persons who manage operations of a high-impact system).
17 See the Proposed Amendments, p. 22, Sections 9(1) and 9(3) (person who makes a machine learning model available for incorporation into high-impact system).
18 See AIDA, Section 4. This remains unchanged by the Proposed Amendments. 
19 "High-impact system" is a concept originally introduced in AIDA. The definition was amended by the Proposed Amendments, p.17. The schedule is available at p.38
20 See the Proposed Amendments, p.38. 
21 As noted above, obligations vary depending on: (i) the type of AI system that persons are involved with; and (ii) their position along the AI value chain.
22 See the Proposed Amendments, p.22, Sections 9(1), and 9(1)(b).
23 See the Proposed Amendments, p.23, Sections 10(1)(b)-(c).
24 See the Proposed Amendments, p.24, Section 11(1)(c).
25 See the Proposed Amendments, p. 22, Section 9(1)(a).
26 See the Proposed Amendments, p.24, Section 11(1)(e).
27 See the Proposed Amendments, p.25, Sections 12(1)-(5). 
28 See the Proposed Amendments, p.32 ("Administration and enforcement" and "Absence, incapacity or no designation").
29 See the Proposed Amendments, p.26, Sections 13(1) and (2).
30 See the Proposed Amendments, p.26, Section 14(1).
31 See the Proposed Amendments, p.26, Section 15(1).
32 See the Proposed Amendments, p.31, paragraphs 26(1)(a)-(h).
33 The Proposed Amendments did not change the sections of AIDA related to fines. Under AIDA, certain fines were issuable for certain acts related to "regulated activities" (a defined term, see Section 30(2) of AIDA). However, the Proposed Amendments have removed the concept of "regulated activities" (see page 10 of the Proposed Activities PDF). It appears that AIDA's provisions related to fines may need to be revised to account for the fact that the concept of "regulated activities" no longer exists.
34 See AIDA, Sections 30(3)(a) and (b).
35 Under AIDA, Part 2, Sections 38 and 39, general offences are committed if a person: 
(i) for the purpose of designing, developing, using or making available for use an AI system, possesses – within the meaning of subsection 4(3) of the Criminal Code – or uses personal information, knowing or believing that the information is obtained or derived, directly or indirectly, as a result of (a) the commission in Canada of an offence under an Act of Parliament or a provincial legislature; or (b) the an act or omission anywhere that, if it had occurred in Canada, would have constituted such an offence; or
(ii) (a) without lawful excuse and knowing that or being reckless as to whether the use of an AI system is likely to cause serious physical or psychological harm to an individual or substantial damage to an individual's property, makes the AI system available for use and the use causes such harm or damage; or (b) with intend to defraud the public and to cause substantial economic loss to an individual, makes an AI system available for use and its use causes that loss.
36 See AIDA, Sections 40(a) and (b).}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2024 White & Case LLP}

McCarthy Tétrault contributors

Charles S. Morgan
Partner, McCarthy Tétrault
+514 397 4230
cmorgan@mccarthy.ca

Christine Ing
Partner, McCarthy Tétrault
+1 416 601 7713
christineing@mccarthy.ca

Francis Langlois
Associate, McCarthy Tétrault
+514 397 4168
flanglois@mccarthy.ca