On June 16, the federal government introduced Bill C-27, also known as the Digital Charter Implementation Act, 2022.
If passed, this package of laws will:
- implement Canada’s first artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act (AIDA);
- reform Canadian privacy law, replacing the Personal Information Protection and Electronic Documents Act with the Consumer Privacy Protection Act; and
- establish a tribunal specific to privacy and data protection.
The AIDA establishes Canada-wide requirements for the design, development, use, and provision of AI systems and prohibits certain conduct in relation to these systems that may result in serious harm to individuals or biased outputs.
The AIDA regulates activities carried out in the course of international or interprovincial trade and commerce. It does not apply to government institutions. Canada’s Directive on Automated Decision-Making is in effect, and by contrast, imposes several requirements on the federal government’s use of automated decision-making technologies and on businesses that license or sell such technologies to the federal government.
The AIDA requires individuals and legal entities who are “responsible for” AI systems (meaning those who, in the course of international or interprovincial trade and commerce, design, develop or make available for use the artificial intelligence system or manage its operation) to:
- establish measures to manage anonymized data;
- conduct an impact assessment to determine if the AI system is “high-impact” (a threshold that will eventually be defined by regulations); and
- maintain general records of steps taken to meet compliance requirements and that describe how impact assessment conclusions are reached.
If an AI system is assessed as “high-impact,” persons responsible for AI systems must:
- develop a risk mitigation plan;
- monitor those risk mitigation measures;
- to the extent the system is being used or being made available for use, publish a plain-language description on a website describing (a) how the system is or is intended to be used, (b) the types of content it is or is intended to generate and the decisions, recommendations or predictions it makes or is intended to make, (c) the mitigation measures in place, and (d) any other information as prescribed by regulation;
- to the extent the use of the system results or is likely to result in “material harm,” notify, as soon as feasible, the Minister of Innovation, Science and Industry.
In summary, the law will require persons responsible for AI systems to assess these systems’ potential to cause harm or produce biased outputs, develop mitigation plans to reduce or eliminate these risks, and publicly disclose when high-impact systems are being used, among other obligations.
The minister’s authority
Under the AIDA, the minister may, by order, initiate or require:
- information and records about an AI system;
- an audit, either by the person responsible for the AI system or an independent auditor;
- the adoption of measures to address anything referred to in an audit report;
- the cessation of an AI system’s operation should the minister have “reasonable grounds” to believe it gives rise to a “serious risk of imminent harm”;
- the publication of information about contraventions of the requirements in order to encourage compliance (this does not extend to “confidential business information”); and
- the sharing of information with other regulators and enforcers, such as the Privacy Commissioner or the Canadian Human Rights Commission, as appropriate.
The minister is also able to designate an AI and Data Commissioner, whose role would be to assist and support the minister in ensuring compliance with the requirements.
Penalties and offences
Administrative Monetary Penalties
The administrative monetary penalties regime has been largely left to the regulations to define. Notably, the stated purpose of such penalties is to “promote compliance” and “not to punish.”
Criminal Offences – Contravention of Requirements
It is an offence to contravene any AIDA requirements or to obstruct or provide false or misleading information during an audit or investigation. A business or other legal entity committing these offences could receive a fine of up to $10 million or 3% of its global revenues. An individual committing these offences could face a discretionary fine.
Criminal Offences - Related to Artificial Intelligence Systems
Further offences established under the AIDA can arise in circumstances involving (1) possessing or using personal information, or (2) making an AI system available for use.
At all stages of AI development and in operating or providing an AI system, a person (legal entity or individual) is prohibited from possessing or using “personal information” that is unlawfully obtained.
If making a system available for use, it is also an offence if either of the following occurs:
- the system causes serious physical or psychological harm or substantial property damage, without lawful excuse. The responsible person must have knowingly or recklessly made the AI system available despite a likelihood it would cause such harm or damage; or
- the system causes substantial economic loss to an individual. The responsible person must have had the intent to defraud the public and cause that loss.
A business or other legal entity that commits any of these offences can be fined up to $25 million or 5% of global revenues. An individual committing any of them can receive a discretionary fine or be imprisoned up to five years less a day, or both.
Reflections and takeaways
Bill C-27 introduces Canada’s first AI legislation and a novel AI regulatory framework. All businesses designing, developing, operating, licensing or selling AI systems in the context of international or interprovincial trade and commerce will be expected to comply, and should consider current activities in view of the proposed AIDA requirements. This is particularly important for those using or providing “high-impact” systems.
Some questions remain. While the AIDA is directed to “high-impact” systems and prohibits “material harm,” these and other key terms are not yet defined. Further, the quantum of administrative penalties will be fixed only upon the issuance of regulations.
Moreover, the AIDA sets out publication requirements but it is unclear if there will be a public register of high-impact AI systems and what level of technical detail about the AI systems will be available to the public. More clarity should come through Bill C-27’s second and third readings in the House of Commons, and subsequent regulations if the bill passes.
The AIDA may have extraterritorial application if components of global AI systems are used, developed, designed or managed in Canada. The European Union recently introduced its Artificial Intelligence Act, which also has some extraterritorial application. Other countries will likely follow. Multi-national companies should develop a coordinated global compliance program.
We will continue to closely monitor this legislation’s progress through Parliament and provide updates.