On June 15, 2022, the Government of Canada introduced Bill C-27 which proposes the first artificial intelligence (AI) systems legislation to apply in Canada, amongst other things.  If enacted, this legislation will make very severe penalties available for non-compliance.

The successor to Bill C-11, Bill C-27 reintroduces the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA) in modified form.  Bill C-27 goes further by also proposing a new statute - the Artificial Intelligence and Data Act (AIDA) - to regulate the development and use of artificial intelligence (AI) systems.

AIDA will apply throughout Canada, excluding federal government institutions as defined in the Privacy Act R.S.C., 1985, c. P-21.  Additional federal and provincial government departments and agencies may be excluded by regulation.

Under AIDA, an artificial intelligence (AI) system is any technological system that, autonomously or partly autonomously, processes data related to human activities in order to generate content or make decisions, recommendations or predictions.  The meaning of “autonomously or partly autonomously”, which is not defined in AIDA, will be crucial when determining if a system is an “AI system”.

AIDA will require any person who designs or develops an AI system, makes an AI system available for use, or manages the operation of an AI system to determine if it is a “high-impact system”.  AIDA will define “high-impact systems” in forthcoming regulations. 

If the AI system is a high-impact system, the person will be required to establish measures:

• to identify, assess and mitigate the risks of harm or biased output (as defined in AIDA) that could result from the use of the AI system, and
• to monitor compliance with such measures and their effectiveness.

The person will also be required to notify the designated Minister, as soon as feasible, if the use of the high impact system results in, or is likely to result in, material harm.

Under AIDA, each person who makes a high-impact system available for use or who manages the operation of a high-impact system will be required to publish on a publicly available website a plain-language description of the high impact system, including:

• an explanation of how the system is used or intended to be used,

• the types of content that it generates or is intended to generate,

• the decisions, recommendations or predictions that it makes or is intended to make,

• the mitigation measures established to identify, assess and mitigate the risks of harm or biased output that could result from the use of the system, and

• any other information that may be prescribed by regulation.

AIDA also applies to the following regulated activity if it is carried out in the course of international or interprovincial trade and commerce:

• processing, or making available for use, any data relating to human activities for the purpose of designing, developing or using an AI system; or

• designing, developing or making available for use an AI system or managing its operations.

Under AIDA, anyone who carries out regulated activity and who processes anonymized data or makes anonymized data available for use in the course of regulated activity will be required to establish measures with respect to how the data is anonymized and the use or management of the anonymized data.

Each person who carries out a regulated activity will be required to keep records describing, in general terms, the measures they have taken as required by AIDA, including measures they have taken with respect to a high impact system and the reasons supporting their assessment as to whether their AI system is a high impact system. 

It is important to note that a person is not to be found guilty of an offence for violating the requirements outlined above if they establish they exercised due diligence to prevent the offence.

AIDA will give the applicable Minister powers to obtain copies of records required to be maintained under AIDA, to conduct audits with respect to possible contraventions of AIDA, and to make certain rectifying orders. 

In addition to a breach of the requirements outlined above, AIDA provides that it is an offence to possess or use personal information for the purpose of designing, developing, using or making available for use an AI system, while knowing or believing that the information is obtained or derived, directly or indirectly, as a result of:

• the commission in Canada of an offence under federal or provincial law; or
• an act or omission anywhere that, if it had occurred in Canada, would have constituted such an offence.

Further, every person will be considered to commit an offence under AIDA if the person:

• without lawful excuse and knowing that or being reckless as to whether the use of an artificial intelligence system is likely to cause serious physical or psychological harm to an individual or substantial damage to an individual’s property, makes the artificial intelligence system available for use and the use of the system causes such harm or damage; or
• with intent to defraud the public and to cause substantial economic loss to an individual, makes an artificial intelligence system available for use and its use causes that loss.

Organizations that violate AIDA’s statutory requirements may face a fine of up to the greater of $25,000,000 and 5% of the organization’s gross global revenues in its immediately preceding financial year, depending on the type of violation.  Individuals who commit such an offence may face a fine in the discretion of the court or to imprisonment of up to five years less a day, or both, depending on the violation. 

Aside from Canadian federal government institutions, anyone who designs, develops, makes available, manages or operates a technological system in Canada that, autonomously or partly autonomously, processes data related to human activities in order to generate content or make decisions, recommendations or predictions should pay attention to this proposed law and start planning to comply with it.

Peter Murphy can be contacted at Peter.Murphy@shibleyrighton.com.

For more information, visit https://www.shibleyrighton.com/Lawyers/Lawyers_List/~393