Bill C-27: Canada Introduced Its First Legislation on the Development and Use of Artificial Intelligence in the Private Sector


HeadshotTianchu Gao is an IPilogue Writer and a 1L JD Candidate at Osgoode Hall Law School.


On June 16, 2022, the Canadian government tabled Bill C-27 An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.” The Bill aims to strengthen the privacy framework for the private sector in Canada through the enactment of three pieces of legislation—the Digital Charter Implementation Act (DICA), the Consumer Privacy Protection Act (CPPA), and the Artificial Intelligence and Data Act (AIDA).

Bill C-27 is the successor to the former Bill C-11, the Digital Charter Implementation Act, which was introduced in November 2020. Unfortunately, it got stuck at the Second Reading stage despite strong support from the business community. Bill C-27 is largely a re-working of Bill C-11, as a significant portion of the Digital Charter Implementation Act (DICA) and the Consumer Privacy Protection Act (CPPA) remains intact. A detailed comparison between the two bills can be found here.

An entirely new section of Bill C-27 is the Artificial Intelligence and Data Act (AIDA). This section aims to regulate the development and use of artificial intelligence systems in the private sector. If AIDA is enacted, Canada would be the only jurisdiction, besides the European Union, to draft legislation that directly addresses the regulation of AI.  

AIDA is very broad in scope, with respect to both the definition of AI and the range of people obliged to abide by the Act. It does not set out specific prohibited practices and seems to contemplate a distinction only between high-risk systems and all other AI systems. Compared to EU’s 2021 proposal for Artificial Intelligence Act, AIDA is “considerably less elaborate” and “proposes to leave many salient matters to regulation,” according to cybersecurity professionals at BLG.

The legislative purposes of AIDA are, per s. 39.4:

(a) to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of those systems; and

(b) to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or harm to their interests.

AIDA aims to protect people from any potential harm brought by biased AI output, which is the output of AI systems that differentiate people based on prohibited grounds of discrimination.

AI systems identified as “high-impact” will undergo mitigation measures and ongoing monitoring for compliance. Despite the preliminary guidance from the federal Directive, it is largely the persons responsible for an AI system—including designers, developers, providers, and managers—who are responsible for these assessments and measures. There will also be higher transparency in both the intended and actual use for high-impact AI systems. Any material harm should be reported to the Minister of Innovation, Science and Industry. Under this act, an Artificial Intelligence and Data Commissioner will assist the Minister in monitoring company compliance.

Bill C-27, if passed, is sure to be a milestone in the development of legal regulations for AI. Many law firms are closely monitoring this legislation’s progress since it was released. There are, of course, still many questions to be investigated, such as the potential chilling effect on innovation and the design of administrative penalties. The legislation will become more clear upon the second and third readings in the House of Commons and subsequent regulations.