AI & Law: Global Trends and Navigating Regulation Reforms in Canada
The European Union (the “EU”) has taken a significant step towards regulating artificial intelligence (“AI”). Amidst the increased use of generative AI, the EU Parliament approved the Artificial Intelligence Act (“EU AI Act”), aiming to address potential risks and dangers associated with the use of AI. The legislation takes a “risk-based approach”, implementing restrictions based on how dangerous lawmakers perceive applications to be. It also establishes controls on high-risk technologies such as recommendation algorithms and requires organizations to label AI-generated content.
As the first AI legislation of its kind, the EU AI Act could set global standards with respect to the regulation of AI systems, further highlighting the EU’s leading position in technology governance. Previously, the EU has adopted regulatory tools targeting Silicon Valley tech giants. Following in the EU’s footsteps, several countries have announced efforts to develop their own AI regulatory framework. American organizations, including Microsoft, OpenAI, and Google, have been lobbying for AI regulations worldwide.
- Canada’s AI Regulatory Framework
AI applications offer considerable benefits and have become increasingly valuable to businesses across various industries. As ongoing AI developments will continue to present new opportunities, it is crucial for businesses that are contemplating developing, deploying or using AI systems to acknowledge and tackle the accompanying concerns and potential risks of these technologies. Arising from various dimensions, these concerns encompass technical, ethical, legal, and social aspects.
Notably, the development and utilization of AI systems are closely intertwined with data privacy. Since AI systems process personal information (“PI”), organizations that rely on such systems or AI service providers must ensure that their collection, use, and communication of PI belonging to their customers or employees are done in compliance with privacy laws even when such collection, use or communication relies on AI systems.
In Canada, the Federal Government has demonstrated notable dedication towards addressing these matters and promoting a responsible and safe utilization of AI.
- Law 25 (previously Bill 64)
In Quebec, the Act to modernize legislative provisions as regards the protection of personal information (“Law 25” and previously Bill 64) introduced amendments to the privacy regime governing the collection, use, and communication of PI in the public and private sectors. Law 25 represents the latest and most important framework for privacy regulation in Canada.
Organizations operating in Quebec, whether they are headquartered within the province or simply conducting business there, will be directly impacted by Law 25. To ensure compliance, businesses should pay attention to mandatory requirements laid out in Law 25. The requirements already in force include:
- Obligation to designate a person in charge of protecting PI; and
- Obligation to promptly notify the Commission d’accès à l’information and individuals concerned in the event of a confidentiality incident that presents a risk of serious injury.
Further amendments, which will come into effect on September 22, 2023, will also bring significant changes to privacy compliance frameworks. These upcoming requirements include:
- Obligation to conduct a privacy impact assessment (a “PIA”) for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of PI; and
- Obligation to conduct a PIA for the communication of PI outside of Quebec.
Notably, Law 25 introduces increased penalties for non-compliance with privacy legislation that will come into effect on September 22, 2023. Private-sector organizations may face fines ranging from CAD 15,000 to CAD 25,000,000, or an amount equivalent to 4% of their worldwide turnover for the preceding fiscal year, whichever is greater.
- Bill C-27
Canada’s federal privacy regulatory landscape is undergoing a significant transformation that will have far-reaching implications for businesses operating in Canada. The introduction of An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, or in short, the Digital Charter Implementation Act, 2022 (“Bill C-27”), which passed second reading in the House of Commons and was referred to the Standing Committee on Industry and Technology for review on April 24, 2023, represents an attempt to overhaul Canada’s federal privacy framework. If adopted in its current form, Bill C-27 would establish three new pieces of legislation, namely the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act (“PIDPTA”), and the Artificial Intelligence and Data Act (“AIDA”). Once adopted, these legislative measures will directly impact the operations of businesses developing, deploying or using AI systems within the realm of international or interprovincial trade and commerce.
Under the CPPA, every organization would be required to establish a privacy management program. Such program would have to encompass various aspects, such as safeguarding PI and handling consumers’ requests to access their PI as well as complaints. Additionally, under the CPPA organizations would be required to grant the Privacy Commissioner of Canada access to the policies, practices, and procedures outlined in their privacy management programs.
In June 2022, the AIDA was introduced as part of Bill C-27 with a view to ensure Canadian businesses’ responsible adoption of AI technologies. More specifically, the AIDA builds on existing consumer protection and human rights laws in Canada. It seeks to ensure that policy and enforcement move together as AI systems evolve by creating an office headed by a new Artificial Intelligence and Data Commissioner, in support of the regulatory development and administration of the Act. It also prohibits reckless and malicious uses of AI through the creation of new criminal law provisions.
The implementation of the initial set of AIDA regulations is anticipated to follow the subsequent path:
- Public consultation on regulations (6 months);
- Development of draft regulations (12 months);
- Consultation on draft regulations (3 months); and
- Coming into force of initial set of regulations (3 months).
This path provides for a period of at least two years after Bill C-27 receives royal assent before the new law would come into force. This means that the AIDA would come into force no sooner than 2025. For more information on Bill C-27, we invite you to read our earlier article.
The laws in the making regarding the regulation of AI and data privacy exemplify legislators’ commitment to fostering a more responsible and secure utilization of AI in Canada. To align with these regulatory frameworks and ensure compliance with the new obligations that are incumbent on them, businesses will need to develop a more rigorous internal AI governance structure.
Given the speed at which AI systems are being developed and the increasing number of commercial applications these technologies can have, combined with an uptick in regulatory reforms in Canada and abroad, businesses should take into consideration the various risk factors related to the development, deployment, and use of AI systems when providing services to customers that rely on those technologies. Organizations can adopt measures to more effectively mitigate the risks associated with the utilization of AI applications.
If you have inquiries about how McCarthy Tétrault can help your business with respect to the topics discussed above, our experienced lawyers will be happy to assist you to formulate strategies to mitigate your commercial and legal risks.
 Cat Zakrzewski and Cristiano Lima, Europe Moves Ahead on AI Regulation, Challenging Tech Giants’ Power, The Washignton Post: https://www.washingtonpost.com/technology/2023/06/14/eu-parliament-approves-ai-act/.
 Aviv Gaon and Ian Stedman, A Call to Action: Moving Forward with the Governance of Artificial Intelligence in Canada, 2019 56-4 Alberta Law Review 1137, 2019 CanLIIDocs 2093: https://canlii.ca/t/skqg.
 Law 25, s. 3.1.
 Law 25, ss. 3.5 – 3.8.
 Law 25, s. 3.3.
 Law 25, s. 17.
 Law 25, s. 91.
 See House of Commons: Bill C-27 - An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.
 CPPA, s. 9(1).
 CPPA, s. 10(1).
 AIDA, s. 33.
 AIDA, s. 39.
 The Artificial Intelligence and Data Act (AIDA) – Companion document (the “AIDA Companion Document”).
 See the AIDA Companion Document.