Canada’s Proposed Artificial Intelligence and Data Act (AIDA)

24.01.2023

This article summarizes the substantive highlights and legislative progress of the proposed Artificial Intelligence and Data Act (AIDA), a part of Bill C-27, which the Canadian Parliament is presently debating.

On June 16, 2022, the Government of Canada tabled Bill C-27. In addition to the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA), Bill C-27 introduces the Artificial Intelligence and Data Act (AIDA). The AIDA would be the first piece of legislation in Canada to regulate the development and deployment of artificial intelligence (AI) systems in the private sector.

The AIDA is a novel piece of legislation that has attracted substantial debate since the introduction of Bill C-27. The following is a summary of its most notable components and the path ahead for the proposed legislation.

 

Core Purpose of the AIDA

The AIDA aims to regulate AI in a manner that facilitates trade, commerce and innovation, while mitigating potential harms. The stated legislative purpose of the AIDA is twofold:

  1. To regulate international and interprovincial trade and commerce in AI systems by establishing common requirements applicable across Canada for the design, development and use of those systems; and
  2. To prohibit certain conduct in relation to AI systems that may result in serious harm to individuals or harm to their interests.

"Harm" is defined in the AIDA as (a) physical or psychological harm to an individual, (b) damage to an individual's property, or (c) economic loss to an individual.

 

Application

The AIDA will apply to persons carrying out a "regulated activity." Under the AIDA, a regulated activity includes, in the course of international or interprovincial trade and commerce:

  • processing or making available for use any data relating to human activities for the purpose of designing, developing or using an artificial intelligence system;
  • designing, developing or making available for use an artificial intelligence system or managing its operations.

Unlike PIPEDA, the AIDA as drafted will not apply to intra-provincial trade and commerce. Such commercial activity would be subject to provincial legislation regulating AI in the private sector, which does not presently exist.

The AIDA expressly exempts the federal government from its application.

 

Requirements

The AIDA focuses on mitigating risks of harm and bias presented by the use of “high-impact” AI systems. The meaning of “high-impact” remains unspecified, and will be established later by criteria set by regulation.

Persons responsible for AI systems must assess whether the system is high-impact. If the system is high-impact, responsible persons must establish measures to identify, assess and mitigate the risks of harm or biased output that could result from use. Persons responsible for high-impact systems must also implement measures to monitor compliance with and effectiveness of risk mitigation measures.

The act introduces additional requirements to promote transparency about AI. Where the system is made available for use, the person responsible must publish on a publicly available website a plain-language description of the system that explains how the system is to be used, the types of content that it is intended to generate, and the types of decisions, recommendations or predictions it is intended to make, along with the risk mitigation measures established.

Persons responsible for high-impact systems must also notify the Minister if use of the system results in or is likely to result in material harm.

Persons that carry out regulated activities under the act and who process or make available for use anonymized data in the course of the activity must, as specified by regulation, establish measures with respect to: (a) the manner in which data is anonymized; and (b) the use/management of anonymized data. There is presently no definition of anonymized data in the act.

 

Minister’s Powers

The Minister responsible for administering the AIDA will have broad enforcement powers. These includes order-making powers requiring persons or organizations to:

  • Produce records
  • Complete an audit, or engage an independent auditor to conduct an audit
  • Implement any measure specified in an audit report
  • For a high-impact system, cease using the system or making it available if the system gives rise to a serious risk of imminent harm
  • Publish on a publicly available website certain information about an audit, as long as it does not disclose confidential business information

 

Penalties

Those violating the AIDA can be liable for administrative monetary penalties (AMPs). AMPs for contravention of the AIDA can generally be as high as to 3% of global revenue or C$10-million. Higher AMPs are possible for certain contraventions of the act, amounting to 5% of global revenue or C$25-million. Imprisonment is also possible for individuals.

The Governor-in-Council will have authority to create an enforcement scheme by regulation.

 

Legislative Progress and Next Steps:

Bill C-27 currently sits at second reading in the House of Commons. Numerous stages of debate lie ahead, both in the House of Commons and, if the bill is passed in the House, the Canadian Senate.

Opposition parties in the House of Commons have expressed concern about the AIDA, arguing that the legislation was hastily drafted without adequate consultation, is vague, leaves too much to be specified later by regulation, and affords excessive discretionary powers to the Minister and their delegates.

On November 28, 2022, the Speaker of the House of Commons decided in favor of an opposition Point of Order arguing that the vote on Bill C-27 at second reading should be split in two, with the AIDA voted on separately from the CPPA and PIDPTA. This procedural measure does not split the bill itself, but permits separate votes on two distinct parts of the bill. This will allow for greater scrutiny of the AIDA by opposition members, who may now oppose the AIDA without voting down the entirety of Bill C-27. If the AIDA is voted down at second reading, Bill C-27 would be reprinted without the AIDA before moving to the Standing Committee on Industry and Technology (INDU) for further study.

The House of Commons will sit again beginning January 30, after which debate on Bill C-27 at second reading in the House of Commons will recommence. The AIDA will likely continue to be the subject of considerable debate and discussion among Parliamentarians, stakeholders, and the public.

 

Article provided by INPLP member: Wendy Wagner (Gowling WLG LLP, Canada)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.