AI Compliance: Canada 2026

Sawai Gyoseishoshi Office • 2026
FREE CHAPTER

Chapter 1: Regulatory Overview

1.1 Canada's Approach to AI Regulation

Canada does not have a comprehensive federal AI statute. The most significant legislative attempt — the Artificial Intelligence and Data Act (AIDA), which formed Part 3 of Bill C-27, the Digital Charter Implementation Act, 2022 — died on the Order Paper when Parliament was prorogued on January 6, 2025. As of June 2026, AIDA has not been re-introduced in any subsequent session of Parliament. The earliest realistic window for federal AI legislation is 2027 or later.

In the absence of omnibus AI law, Canada regulates AI through a patchwork of existing federal and provincial statutes, sector-specific guidelines, and voluntary instruments. The federal Privacy Commissioner enforces PIPEDA for private-sector data processing, Quebec enforces its own modernized privacy law (Law 25), and individual sector regulators — notably the Office of the Superintendent of Financial Institutions (OSFI) — issue binding guidance for their domains.

The federal government itself is subject to the Treasury Board Directive on Automated Decision-Making, which applies to all federal departments and agencies using automated systems to make or assist administrative decisions affecting individuals.

Canada's regulatory posture sits between the EU's prescriptive approach and the United States' largely sectoral approach. There is political consensus that AI-specific legislation is needed, but no agreement on its scope, enforcement mechanism, or timeline.

1.2 Key Policy Instruments

Canada's AI governance rests on several instruments of varying legal force:

Binding law:

Binding for regulated entities:

Voluntary / policy instruments:

1.3 Key Regulatory Bodies

Office of the Privacy Commissioner of Canada (OPC): The primary federal privacy regulator. Investigates complaints under PIPEDA, issues guidance on AI and privacy, and has published position papers on generative AI, facial recognition, and automated decision-making. The OPC has limited order-making power under PIPEDA — it issues findings and recommendations, and must apply to the Federal Court for enforcement orders. The never-enacted Consumer Privacy Protection Act (CPPA, Part 1 of Bill C-27) would have granted the OPC order-making and penalty powers.

Innovation, Science and Economic Development Canada (ISED): The federal department leading AI policy development. ISED coordinated the development of AIDA and the Voluntary Code of Conduct for Generative AI. It administers the Pan-Canadian AI Strategy and oversees the three national AI institutes (Mila, Amii, Vector Institute).

Canadian AI Safety Institute (CAISI): Announced in 2024 as part of Canada's commitment at the UK AI Safety Summit. Mandated to evaluate frontier AI models and develop safety evaluation frameworks. Operational details remain in development as of June 2026. CAISI does not have regulatory or enforcement powers.

Treasury Board of Canada Secretariat (TBS): Issues directives binding on federal government departments. The Directive on Automated Decision-Making requires algorithmic impact assessments for automated systems used in federal administrative decisions.

Office of the Superintendent of Financial Institutions (OSFI): Federally regulated financial institutions (banks, insurance companies, pension plans) must comply with OSFI guidelines, including Guideline E-23 on Model Risk Management, which covers AI and machine learning models.

Autorite des marches financiers (AMF): Quebec's financial sector regulator. Oversees AI use in provincially regulated financial institutions and insurance. Issues its own guidance distinct from OSFI.

Commission d'acces a l'information du Quebec (CAI): Enforces Quebec Law 25, including its automated decision-making provisions. Has order-making power and can impose administrative monetary penalties up to CAD 25 million or 4% of worldwide turnover.

Competition Bureau of Canada: Enforces the Competition Act, including provisions on deceptive marketing practices that apply to AI-generated content and AI-driven pricing. Bill C-56 amendments (2024) expanded the Bureau's ability to address deceptive AI practices.

1.4 The Death of AIDA (Bill C-27)

The Artificial Intelligence and Data Act was introduced on June 16, 2022, as Part 3 of Bill C-27, the Digital Charter Implementation Act, 2022. The bill contained three parts: Part 1 (Consumer Privacy Protection Act), Part 2 (Personal Information and Data Protection Tribunal Act), and Part 3 (AIDA).

AIDA would have established:

Bill C-27 passed second reading and was referred to the Standing Committee on Industry and Technology (INDU) for study. The committee heard extensive testimony and proposed over 60 amendments to AIDA. However, when the Governor General prorogued Parliament on January 6, 2025, all bills on the Order Paper — including C-27 — died. The bill has not been re-introduced in any form as of June 2026.

The practical effect is that Canada has no federal AI-specific legislation and no AI-specific regulator. All AI governance operates through pre-existing laws and sector regulators.

1.5 Timeline of Key Developments

Date Development
June 2017 Pan-Canadian AI Strategy launched (first national AI strategy globally)
November 2018 PIPEDA amendments (DORS/2018-64) on breach reporting take effect
April 2019 Treasury Board Directive on Automated Decision-Making takes effect
June 2022 Bill C-27 (containing AIDA) introduced in the House of Commons
September 2022 Quebec Law 25 Phase 1 takes effect (privacy officer, breach reporting)
September 2023 Quebec Law 25 Phase 2 takes effect (consent, portability, automated decisions)
September 2023 Voluntary Code of Conduct for Generative AI published by ISED
November 2023 Canada participates in UK AI Safety Summit; pledges to establish CAISI
June 2024 Bill C-56 receives Royal Assent (Competition Act amendments)
September 2024 Quebec Law 25 Phase 3 takes full effect (data portability)
November 2024 OSFI Guideline E-23 (Model Risk Management) takes effect
January 6, 2025 Parliament prorogued; Bill C-27 (including AIDA) dies on the Order Paper
2026 (ongoing) No federal AI bill re-introduced; ISED policy consultations continue

Want to monitor your AI compliance automatically? Try AIOS — your AI compliance OS. https://mmoww.net/ai/app/

Quick Decision Matrix

Use this matrix to determine your AI compliance obligations.

Your Situation Risk Level Priority Action Go To
Deploying AI that affects employment decisions High Impact assessment required Chapter 3
Using AI for customer-facing services Medium-High Transparency obligations apply Chapter 4
Internal AI tools (analytics, automation) Medium Document and monitor Chapter 5
AI in regulated sector (finance, health) High Sector-specific rules apply Chapter 3
Procuring AI from third-party vendor Medium Vendor due diligence needed Chapter 5
Just exploring AI for the first time Low Start with governance framework Chapter 2

5-second answer: If your AI system makes decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.

Continue Reading

Get the complete guide with all chapters, checklists, and regulatory updates.

Browse on Amazon Trust Library Edition — $77.7 Try Free Compliance Tool