What is AI regulation in Canada?
AI regulation: countries and regions
Canada does not yet have a standalone AI statute in force for the private sector. Its main proposed route has been the Artificial Intelligence and Data Act, or AIDA, first introduced in Bill C-27 in 2022, but that bill did not become law before Parliament was prorogued and dissolved. In practice, Canadian AI governance currently rests on existing privacy, human rights, consumer, sector and criminal law, plus a voluntary federal code for advanced generative AI.
What this means
In Canada, "AI regulation" currently means a mix of proposed federal AI legislation and laws that already apply to how organisations collect data, make decisions, market products and manage risk. The headline proposal was AIDA, a federal, risk-based framework for high-impact AI systems. It was important, but it is still only a proposal.
That matters because many people assume Canada already has an AI Act in force. It does not. If you are building, buying or deploying AI in Canada today, your live compliance picture is still shaped mainly by privacy law, provincial rules, sector supervision, consumer protection, human rights law and ordinary criminal law. For advanced generative AI, the federal government has also published a voluntary code that companies can adopt now.
This topic is also narrower than the whole of "digital regulation". It is not the same thing as copyright reform, online harms law, cyber security law or public procurement rules, although those areas can overlap with AI in practice.
Why it matters
For leaders, the practical issue is timing. Canada's proposed AI framework is still influential, and it is a sensible preview of where federal law could go, but it is not the rulebook you can rely on as binding law today. If you wait for AIDA before doing governance work, you may miss duties that already apply under privacy and related law.
The stakes are operational as well as legal. AI systems can affect hiring, access to services, fraud control, security, health, customer support and public trust. In Canada, regulators are already examining how models are trained, what personal information they use, how transparent they are, whether outputs about people are accurate, and whether affected individuals can challenge or correct errors. That makes AI governance a present-tense management issue, not just a future legislative one.
How it works
Canada's position today
As of 4 June 2026, Canada has not enacted a general private-sector AI statute. AIDA was introduced in June 2022 as part of Bill C-27, passed second reading in the House of Commons in April 2023, and then remained at committee stage. When Parliament was prorogued on 6 January 2025, incomplete government business ended, and dissolution on 23 March 2025 closed the matter for that Parliament. The official federal material that remains online still describes AIDA as proposed, or preserves it as archived reference material.
That means Canada's current AI regime is fragmented but real. Businesses do not face a single AI Act in force at federal level, but they are not operating in a legal vacuum either.
What the AIDA route was meant to do
AIDA was designed as a cross-sector federal framework for AI systems used in the course of international and interprovincial trade and commerce. Its basic model was risk based. Rather than trying to regulate every AI use in the same way, it would have focused its main duties on "high-impact" systems and on especially serious misuse.
The official companion material shows the intended policy logic. High-impact systems were to be identified through regulation so the government could update scope over time and avoid freezing the law around one generation of technology. Government examples of systems of interest included AI used for screening access to services or employment, biometric identification and inference, systems influencing human behaviour at scale, and systems performing critical health or safety functions.
Core duties in the proposed AIDA model
Under the proposed model, organisations responsible for a high-impact system would have had to identify, assess and mitigate risks of harm and biased output, monitor whether mitigation measures were working, keep records, publish plain-language information about how covered systems are used, and notify the Minister if use of a system resulted in, or was likely to result in, material harm.
The proposal also tried to distribute responsibility across the AI value chain. The companion material described different expected duties for organisations designing or developing a system, making it available for use, and managing its operation after deployment. In other words, Canada was not aiming for a rulebook that only catches the original model developer.
AIDA also proposed criminal prohibitions for particularly serious conduct. Official material described three core offences: knowingly using unlawfully obtained personal information to build or use an AI system, making an AI system available while knowing or being reckless that it is likely to cause serious harm or substantial property damage where that harm or damage occurs, and making an AI system available with intent to defraud the public and cause substantial economic loss where that loss occurs.
Institutions and enforcement under the proposed federal model
The proposed federal institutional model was unusual. Instead of creating a fully separate AI regulator from the start, AIDA would have been administered by the Minister of Innovation, Science and Industry, supported by a new AI and Data Commissioner. Official policy material said the early emphasis would have been education, guidance and staged compliance, with stronger enforcement building over time.
The proposed toolkit included powers to order records, require independent audits, order a system's use to stop where there was a serious risk of imminent harm, and publish information in the public interest. The framework also contemplated administrative monetary penalties through later regulations, plus prosecutable regulatory offences and separate criminal offences for more serious conduct.
This matters for planning even though the Act never came into force. The proposed model shows that Canada was moving toward a regulator-led, documentation-heavy, lifecycle-based approach rather than a light-touch self-declaration model.
What the voluntary generative AI code does now
Canada's main live federal AI-specific instrument is the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, announced in September 2023. It is not legislation. It is a voluntary bridge intended to guide organisations that develop or manage advanced generative AI systems with general-purpose capabilities while formal regulation is still absent.
The code is built around six principles: accountability, safety, fairness and equity, transparency, human oversight and monitoring, and validity and robustness. It expects organisations to implement a risk management framework, assess foreseeable harmful or malicious uses, test for bias and vulnerabilities, use adversarial testing, manage cyber risk, and monitor incidents after deployment.
The code is stricter for systems made widely available to the public. For those systems, published measures include stronger transparency about capabilities and limitations, a description of the types of training data used, a method to detect generated content, and multiple lines of defence such as third-party audits before release. The published signatory list now runs to dozens of organisations from across Canada's AI ecosystem and major technology and finance firms.
The key boundary is simple: the code is useful governance scaffolding, but it does not itself create legal duties. The code expressly says it does not change existing legal obligations, including under PIPEDA.
The privacy-law overlay that already binds AI use
For most commercial AI deployments in Canada, the privacy overlay is the main live legal layer. Federally, the Personal Information Protection and Electronic Documents Act, or PIPEDA, remains the core private-sector privacy statute. It is still in force because the replacement private-sector privacy bill in Bill C-27 did not pass. PIPEDA also recognises exemption orders for Alberta, British Columbia and Quebec, where substantially similar private-sector laws apply to much intra-provincial activity.
The Office of the Privacy Commissioner of Canada has been explicit that generative AI does not sit outside existing privacy law. Its guidance says organisations developing, providing or using generative AI must have lawful authority for collecting, using and disclosing personal information, must obtain valid and meaningful consent where consent is the route relied on, and must remain open, explainable, accurate and privacy protective. The same guidance also treats inferences about an identifiable person as collection of personal information, which is important for modern generative and predictive systems.
The 2026 joint investigation into OpenAI shows what this looks like in enforcement practice. Canadian privacy regulators examined training on publicly accessible web data and user chats, transparency, accuracy of personal information in outputs, access and correction rights, retention and accountability. The investigation found multiple contraventions under the applicable privacy statutes. The broader lesson is that current Canadian enforcement can already reach model training, deployment and output behaviour without waiting for a new AI Act.
Where Quebec raises the bar
Quebec is especially important because its private-sector privacy statute adds duties that are highly relevant to AI procurement and deployment. An enterprise must carry out a privacy impact assessment for a project to acquire, develop or overhaul an information system or electronic service delivery system involving personal information. It must also provide the highest level of confidentiality by default for products or services with privacy settings, except for browser cookies.
Quebec also has a direct rule for solely automated decisions. If an enterprise uses personal information to render a decision based exclusively on automated processing, it must inform the person no later than when it informs them of the decision. On request, it must explain the personal information used, the reasons and main factors that led to the decision, and the person's correction rights. The person must also be able to submit observations to a member of staff who can review the decision.
For any organisation active in Quebec, these are not future-facing AI good practices. They are already part of the legal environment.
Examples
A company releasing a public-facing generative AI system in Canada can use the federal voluntary code as an operating template right now. The published measures include a risk management framework, testing for harmful or malicious uses, bias testing, adversarial testing, incident logging, cyber security controls, user-facing transparency on capabilities and limits, and a way to detect generated content for publicly available systems. That is not mandatory law by itself, but it is a practical benchmark for governance design.
A Quebec enterprise that relies only on automated processing to make a decision about a person has live legal duties today. It must tell the person that automated processing was used, explain the personal information and principal factors behind the decision if asked, and offer a route for human review. If the tool sits inside a new or overhauled information system involving personal information, a privacy impact assessment is also part of the legal picture from the start.
The OpenAI investigation is the clearest current example of AI enforcement in Canada. The federal and provincial privacy regulators looked at model training on public web data and user interactions, transparency to users, personal information in outputs, accuracy, retention, access, correction and accountability. The investigation shows that Canadian regulators are prepared to test modern AI systems against existing privacy statutes, even without AIDA in force.
Common misunderstandings
Misunderstanding: Canada already has an AI Act in force.
Correction: No. AIDA was proposed, but it did not become law.
Misunderstanding: If a company follows the voluntary generative AI code, it is legally compliant.
Correction: No. The code is voluntary and sits beside existing legal duties, it does not replace them.
Misunderstanding: Training on publicly accessible internet data is automatically lawful in Canada.
Correction: No. Canadian privacy regulators treat public accessibility, lawful authority and meaningful consent as separate questions.
Misunderstanding: Canadian AI regulation is basically just privacy law.
Correction: No. Privacy is the main live layer for many businesses, but human rights, consumer protection, criminal law and sector-specific regulation also matter, and AIDA was designed as an added federal layer.
Misunderstanding: Quebec works the same way as the rest of Canada.
Correction: No. Quebec adds duties such as privacy impact assessments, privacy by default and notice and review rights for solely automated decisions.
Risks and boundaries
The biggest boundary is legal status. AIDA is still best understood as a proposal and a policy direction, not as a live statute. Its archived companion document and related federal material are still useful for governance planning, but any future bill could change scope, duties, institutions or penalties.
The voluntary generative AI code is also limited in scope. It was built for advanced generative AI with general-purpose capabilities, not every narrow automation tool or analytics feature. Still, many of its controls are sensible more broadly, especially for public-facing systems.
Privacy law is not the whole story, but it is the clearest current route for supervision of commercial AI. If your tool uses personal information, infers information about an identifiable person, or can generate information about real people, privacy law is already implicated. If your system affects employment, credit, insurance, health, transport or other supervised areas, sector rules may add further requirements.
This article is an overview for governance and operational planning. It is not legal advice on a specific system, transaction or regulatory investigation.
What to do next
Start by separating today's mandatory duties from tomorrow's likely design target. Today's mandatory duties usually sit in privacy, consumer, human rights, sector and criminal law. Tomorrow's likely design target is the AIDA-style model of risk classification, documentation, monitoring, transparency and incident reporting.
Map your AI estate by role, not just by product. Identify which systems you develop, which you buy, which you fine-tune, which you operate, and which rely on personal information. That value-chain mapping is essential because both the proposed AIDA route and the current privacy guidance assume that responsibility is shared across design, deployment and operation.
For generative AI, adopt the voluntary code's controls even if you are not a signatory. Build a proportionate risk framework, test for misuse and bias, document capabilities and limitations, track incidents, set human oversight points, manage cyber risk and decide how you will label AI interaction or generated content where confusion is possible.
If you operate in Quebec, treat privacy impact assessments, privacy-by-default settings and automated decision review rights as product requirements, not as late legal add-ons.
Finally, monitor the federal legislative restart closely. Canada's AI framework is fast-dating, and the next bill may reuse much of AIDA's architecture while changing important details around scope, general-purpose AI and transparency.
FAQs
Is AIDA currently law in Canada?
No. AIDA was proposed in Bill C-27, but it did not complete the legislative process and is not in force.
Does Canada regulate AI at all right now?
Yes. Canada already regulates many AI activities through privacy law, human rights law, consumer protection, sector-specific supervision and criminal law. Advanced generative AI is also covered by a federal voluntary code.
What is the most important live legal layer for commercial AI in Canada?
In many cases it is privacy law. Federally that usually means PIPEDA, with provincial private-sector privacy laws playing a major role in Alberta, British Columbia and especially Quebec.
Does the federal voluntary code apply to every AI tool?
No. It is aimed at advanced generative AI systems with general-purpose capabilities, though many of its controls are useful for a wider range of systems.
What is special about Quebec?
Quebec requires privacy impact assessments for many system projects involving personal information, privacy-protective defaults for products or services with privacy settings, and notice plus a human review route for decisions based exclusively on automated processing.
Can Canadian regulators already scrutinise AI model training?
Yes. The 2026 joint OpenAI investigation shows that regulators are willing to examine scraped training data, user-chat training, transparency, accuracy, retention, access and correction using current privacy statutes.
Who would have enforced AIDA if it had passed?
The proposed model placed administration and enforcement mainly with the Minister of Innovation, Science and Industry, supported by a new AI and Data Commissioner.
Should organisations ignore AIDA until a new bill is introduced?
No. AIDA is not binding law, but its structure is still a strong planning signal for likely future federal requirements and is useful for building governance now.