Simon Hodgett, Kuljit Bhogal, CIPP/C, Sam Ip
Jun 27, 2022
On June 16, 2022 the Minister of Innovation, Science and Industry tabled Bill C-27 introducing updates to the federal private sector privacy regime and a new law on artificial intelligence. If passed, the Artificial Intelligence and Data Act (AIDA) would be the first law in Canada regulating the use of artificial intelligence systems. The stated objective of AIDA is to establish common requirements across Canada for the design, development and deployment of artificial intelligence systems that are consistent with national and international standards and to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or their interests, in each case, in a manner that upholds Canadian norms and values in line with principles of international human rights law. While the general approach in AIDA is apparent, the full impact of the legislation will only be appreciated with the release of associated regulations which will set out most of the detailed application.
Bill C-27 sets out the following framework:
- Approach: Adopts a risk-based approach designed to focus on areas that create the highest risk, similar to the approach found in the proposed Artificial Intelligence Act in the EU, by focusing on areas where there is greatest risk of harm and bias by establishing rules for the use of artificial intelligence systems that are “high-impact” (a term that will be defined in the regulations). It will be difficult to know the full impact of AIDA without the release of the regulations.
- Scope of application: The AIDA applies to private sector organizations that design, develop or make available for use artificial intelligence systems in the course of international or interprovincial trade and commerce, an area of regulation within the federal government’s legislative authority. An “artificial intelligence system” is broadly defined and captures any “technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.”
- General requirements:
- Assessment and risk mitigation measures: Persons responsible for artificial intelligence systems must assess whether it is a high-impact system (a term to be defined in the regs), and establish measures to identify, assess and mitigate risk of harm or biased output that could result in use of the system.
- Monitoring: Persons responsible for high-impact systems must establish measures to monitor compliance with the risk mitigation measures.
- Transparency: Persons that make available for use, or manage the operation of a high-impact system, must publish on a publicly available website in plain English a description of:
- How the system is, or intended to be used;
- The types of content that it generates and the decisions, recommendations or predictions that it makes;
- The mitigation measures established to identify, assess and mitigate the risks of harm or biased output that could result from the use of the system; and
- Any other information prescribed by regulation.
- Recording keeping: Persons that carry out a regulated activity must comply with prescribed record keeping requirements.
- Notification: Persons responsible for high-impact systems must notify the Minister if use of the system results or is likely to result in material harm.
- Use of anonymized data: Persons that carry out activities regulated by the act and who process or make available for use anonymized data in the course of the activity must, in accordance with the regulations, establish measures with respect to: (a) the manner in which data is anonymized; and (b) the use/management of anonymized data.
- Ministerial orders: The Minister may, by order, require:
- Production of records
- Conduct an audit, or engage an independent auditor to conduct an audit
- An organization that is the subject of an audit to implement any measure specified in the audit
- An organization responsible for a high-impact system to cease using it or making it available for use if there are reasonable grounds to believe the use of the system gives rise to a serious risk of imminent harm
- Administration: AIDA creates a statutory right for the Minister to designate a senior official of the department over which the Minister presides to be called the Artificial Intelligence and Data Commissioner, whose role is to assist the Minister in the administration and enforcement of AIDA.
- Administrative monetary penalties will be set out in regulations
- Penalties for contraventions of AIDA are significant, up to 3% of global revenue or C$10-million
- Higher penalties of up to 5% of global revenue or C$25-million or imprisonment, in the case of an individual, apply for more serious offences for:
- Possessing or using personal information obtained through criminal or other unlawful means for the purposes of creating, using or making available an AI system,
- Using an AI system knowing (or being reckless as to whether) the system is likely to cause serious or psychological harm or substantial damage to property, if such harm or damage occurs, and
- Using an AI system with intent to defraud the public and cause economic loss, if such loss occurs.
Bill C-27 must now be debated at second reading, and will then be reviewed, potentially changed, and further debated, before it can receive royal assent. We expect the public will have an opportunity to provide comments and make submissions.