Chapter 1: Regulatory Overview
1.1 Canada's Approach to AI Regulation
Canada does not have a comprehensive federal AI statute. The most significant legislative attempt — the Artificial Intelligence and Data Act (AIDA), which formed Part 3 of Bill C-27, the Digital Charter Implementation Act, 2022 — died on the Order Paper when Parliament was prorogued on January 6, 2025. As of June 2026, AIDA has not been re-introduced in any subsequent session of Parliament. The earliest realistic window for federal AI legislation is 2027 or later.
In the absence of omnibus AI law, Canada regulates AI through a patchwork of existing federal and provincial statutes, sector-specific guidelines, and voluntary instruments. The federal Privacy Commissioner enforces PIPEDA for private-sector data processing, Quebec enforces its own modernized privacy law (Law 25), and individual sector regulators — notably the Office of the Superintendent of Financial Institutions (OSFI) — issue binding guidance for their domains.
The federal government itself is subject to the Treasury Board Directive on Automated Decision-Making, which applies to all federal departments and agencies using automated systems to make or assist administrative decisions affecting individuals.
Canada's regulatory posture sits between the EU's prescriptive approach and the United States' largely sectoral approach. There is political consensus that AI-specific legislation is needed, but no agreement on its scope, enforcement mechanism, or timeline.
1.2 Key Policy Instruments
Canada's AI governance rests on several instruments of varying legal force:
Binding law:
- Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5
- Quebec Act respecting the protection of personal information in the private sector (Law 25), CQLR c P-39.1, as amended by SQ 2021, c. 25
- Canadian Human Rights Act, R.S.C. 1985, c. H-6
- Competition Act, R.S.C. 1985, c. C-34 (as amended by Bill C-56, Affordable Housing and Groceries Act, 2024)
- Criminal Code, R.S.C. 1985, c. C-46 (fraud, identity theft, deepfake provisions)
Binding for regulated entities:
- OSFI Guideline E-23: Model Risk Management (effective November 1, 2024, superseding prior AI/ML guidance)
- Treasury Board Directive on Automated Decision-Making (effective April 1, 2019, updated 2023)
Voluntary / policy instruments:
- Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems (September 2023)
- Canadian Guide to Responsible AI (Innovation, Science and Economic Development Canada)
- Pan-Canadian AI Strategy (2017, renewed 2021)
1.3 Key Regulatory Bodies
Office of the Privacy Commissioner of Canada (OPC): The primary federal privacy regulator. Investigates complaints under PIPEDA, issues guidance on AI and privacy, and has published position papers on generative AI, facial recognition, and automated decision-making. The OPC has limited order-making power under PIPEDA — it issues findings and recommendations, and must apply to the Federal Court for enforcement orders. The never-enacted Consumer Privacy Protection Act (CPPA, Part 1 of Bill C-27) would have granted the OPC order-making and penalty powers.
Innovation, Science and Economic Development Canada (ISED): The federal department leading AI policy development. ISED coordinated the development of AIDA and the Voluntary Code of Conduct for Generative AI. It administers the Pan-Canadian AI Strategy and oversees the three national AI institutes (Mila, Amii, Vector Institute).
Canadian AI Safety Institute (CAISI): Announced in 2024 as part of Canada's commitment at the UK AI Safety Summit. Mandated to evaluate frontier AI models and develop safety evaluation frameworks. Operational details remain in development as of June 2026. CAISI does not have regulatory or enforcement powers.
Treasury Board of Canada Secretariat (TBS): Issues directives binding on federal government departments. The Directive on Automated Decision-Making requires algorithmic impact assessments for automated systems used in federal administrative decisions.
Office of the Superintendent of Financial Institutions (OSFI): Federally regulated financial institutions (banks, insurance companies, pension plans) must comply with OSFI guidelines, including Guideline E-23 on Model Risk Management, which covers AI and machine learning models.
Autorite des marches financiers (AMF): Quebec's financial sector regulator. Oversees AI use in provincially regulated financial institutions and insurance. Issues its own guidance distinct from OSFI.
Commission d'acces a l'information du Quebec (CAI): Enforces Quebec Law 25, including its automated decision-making provisions. Has order-making power and can impose administrative monetary penalties up to CAD 25 million or 4% of worldwide turnover.
Competition Bureau of Canada: Enforces the Competition Act, including provisions on deceptive marketing practices that apply to AI-generated content and AI-driven pricing. Bill C-56 amendments (2024) expanded the Bureau's ability to address deceptive AI practices.
1.4 The Death of AIDA (Bill C-27)
The Artificial Intelligence and Data Act was introduced on June 16, 2022, as Part 3 of Bill C-27, the Digital Charter Implementation Act, 2022. The bill contained three parts: Part 1 (Consumer Privacy Protection Act), Part 2 (Personal Information and Data Protection Tribunal Act), and Part 3 (AIDA).
AIDA would have established:
- A definition of "AI system" aligned with the OECD definition
- A "high-impact AI system" classification based on regulations to be issued by the Minister of ISED
- Obligations for persons responsible for high-impact AI systems, including risk assessments, mitigation measures, monitoring, record-keeping, and transparency
- Prohibitions on AI systems that cause serious harm, with criminal penalties
- A new AI and Data Commissioner to administer and enforce the Act
- Penalties of up to CAD 25 million or 5% of global gross revenues for the most serious contraventions
Bill C-27 passed second reading and was referred to the Standing Committee on Industry and Technology (INDU) for study. The committee heard extensive testimony and proposed over 60 amendments to AIDA. However, when the Governor General prorogued Parliament on January 6, 2025, all bills on the Order Paper — including C-27 — died. The bill has not been re-introduced in any form as of June 2026.
The practical effect is that Canada has no federal AI-specific legislation and no AI-specific regulator. All AI governance operates through pre-existing laws and sector regulators.
1.5 Timeline of Key Developments
| Date | Development |
|---|---|
| June 2017 | Pan-Canadian AI Strategy launched (first national AI strategy globally) |
| November 2018 | PIPEDA amendments (DORS/2018-64) on breach reporting take effect |
| April 2019 | Treasury Board Directive on Automated Decision-Making takes effect |
| June 2022 | Bill C-27 (containing AIDA) introduced in the House of Commons |
| September 2022 | Quebec Law 25 Phase 1 takes effect (privacy officer, breach reporting) |
| September 2023 | Quebec Law 25 Phase 2 takes effect (consent, portability, automated decisions) |
| September 2023 | Voluntary Code of Conduct for Generative AI published by ISED |
| November 2023 | Canada participates in UK AI Safety Summit; pledges to establish CAISI |
| June 2024 | Bill C-56 receives Royal Assent (Competition Act amendments) |
| September 2024 | Quebec Law 25 Phase 3 takes full effect (data portability) |
| November 2024 | OSFI Guideline E-23 (Model Risk Management) takes effect |
| January 6, 2025 | Parliament prorogued; Bill C-27 (including AIDA) dies on the Order Paper |
| 2026 (ongoing) | No federal AI bill re-introduced; ISED policy consultations continue |
Want to monitor your AI compliance automatically? Try AIOS — your AI compliance OS. https://mmoww.net/ai/app/
Quick Decision Matrix
Use this matrix to determine your AI compliance obligations.
| Your Situation | Risk Level | Priority Action | Go To |
|---|---|---|---|
| Deploying AI that affects employment decisions | High | Impact assessment required | Chapter 3 |
| Using AI for customer-facing services | Medium-High | Transparency obligations apply | Chapter 4 |
| Internal AI tools (analytics, automation) | Medium | Document and monitor | Chapter 5 |
| AI in regulated sector (finance, health) | High | Sector-specific rules apply | Chapter 3 |
| Procuring AI from third-party vendor | Medium | Vendor due diligence needed | Chapter 5 |
| Just exploring AI for the first time | Low | Start with governance framework | Chapter 2 |
5-second answer: If your AI system makes decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.