AIDA (Stalled)
Artificial Intelligence and Data Act
Overview
Canada's attempt at federal AI legislation — the Artificial Intelligence and Data Act (AIDA), Part 3 of Bill C-27 — failed to pass before Parliament prorogued in January 2025. This has left Canada without dedicated federal AI legislation, creating a regulatory vacuum at the national level.
In the absence of federal law, Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) has become the most significant AI-relevant regulation in Canada, particularly its provisions on automated decision-making, data portability, and transparency.
Other provinces are developing their own approaches, creating the potential for a provincial patchwork similar to the US state-level situation. The federal Privacy Commissioner and the Competition Bureau continue to exercise oversight over AI-related data practices and market conduct under existing authorities.
Scope
AIDA, had it passed, would have applied to high-impact AI systems used in federal jurisdiction and international/interprovincial trade. In the current vacuum, applicable laws include: Quebec Law 25 (for organizations in Quebec or processing Quebec residents' data); PIPEDA (federal private sector privacy law); the Canadian Human Rights Act; and sector-specific regulations for banking, telecommunications, and broadcasting.
Key Provisions
Would have established requirements for 'high-impact' AI systems including risk assessments, mitigation measures, transparency, record-keeping, and reporting. Would have created a new AI and Data Commissioner to oversee compliance.
Requires organisations to inform individuals when automated decision-making is used, provide reasons for automated decisions upon request, allow individuals to submit observations and request review of automated decisions, and implement privacy impact assessments for AI systems processing personal information.
Canada's federal privacy law applies to AI systems processing personal information in commercial contexts, requiring consent, transparency, and purpose limitation. The Privacy Commissioner has issued guidance on AI and privacy.
In the absence of legislation, the Canadian government has promoted a Voluntary Code of Conduct for Responsible Development and Management of Advanced Generative AI Systems, signed by several major AI companies.
Implementation Timeline
June 2022
Bill C-27 (including AIDA) introduced in Parliament
2023-2024
Committee review and extensive criticism of AIDA provisions
January 2025
Parliament prorogued; Bill C-27 dies on the order paper
2025
Voluntary Code of Conduct promoted as interim measure
2026+
New federal AI legislation may be introduced
Compliance Requirements
- Comply with Quebec Law 25 for automated decision-making (if applicable)
- Comply with PIPEDA for AI systems processing personal information
- Follow the Voluntary Code of Conduct for generative AI systems
- Conduct privacy impact assessments for AI systems processing personal data
- Implement transparency measures for automated decisions
- Provide explanation and review mechanisms for AI-driven decisions
- Monitor for new federal and provincial AI legislation
Enforcement Mechanism
Without AIDA, there is no AI-specific federal enforcement mechanism. Enforcement relies on existing authorities: the Privacy Commissioner of Canada (PIPEDA), the Commission d'accès à l'information du Québec (Law 25), the Competition Bureau (for AI-related market conduct), and the Canadian Human Rights Commission (for discriminatory AI use). Penalties vary by statute.
Practical Implications
The federal legislative vacuum creates uncertainty but not lawlessness. Organizations should comply with existing privacy, human rights, and consumer protection laws as they apply to AI. Quebec-based or Quebec-serving organizations face the most specific obligations under Law 25. Organizations should design AI governance frameworks that can accommodate future federal legislation, which may be more comprehensive than AIDA. ISO 42001 certification provides a structured governance approach in the absence of clear regulatory requirements.
Relation to EU AI Act
Canada's current position contrasts sharply with the EU's comprehensive approach. Where the EU has detailed, binding AI-specific regulation, Canada relies on general-purpose laws and voluntary measures. AIDA, had it passed, would have been narrower than the EU AI Act, covering only 'high-impact' systems without the EU's detailed risk classification or conformity assessment requirements. Organizations operating in both Canada and the EU should use EU AI Act compliance as their standard, which will exceed any current or foreseeable Canadian requirements.