AI Regulation in Canada After AIDA: What Actually Governs AI in 2026

AIDA is dead — what happened

Bill C-27, tabled in Parliament in June 2022, contained three parts: a replacement for PIPEDA (the Consumer Privacy Protection Act), a Personal Information and Data Protection Tribunal Act, and — in Part 3 — the Artificial Intelligence and Data Act (AIDA). AIDA would have been Canada’s first dedicated federal AI statute, creating a risk-based framework for “high-impact AI systems” administered by an AI and Data Commissioner under the Minister of Innovation, Science and Economic Development (ISED).

It never passed.

On January 6, 2025, following Prime Minister Trudeau’s announcement that he would resign as Liberal leader, Governor General Mary Simon prorogued Parliament. Under Canada’s constitutional conventions, prorogation clears the Order Paper: every bill at any stage of the legislative process is extinguished. Bill C-27 — including AIDA — died with it. As McInnes Cooper noted in its January 2025 analysis, the prorogation “effectively terminated all bills pending in the House of Commons.” As of June 2026, no successor bill has been tabled. (Source: The Demise of the Artificial Intelligence and Data Act (AIDA), McInnes Cooper, January 2025; DLA Piper, Canadian privacy and AI horizon shifts again, January 2025.)

Osler, Hoskin & Harcourt has stated the consequence plainly: “There is no law in Canada that sets out a general framework for regulating AI models and systems.” (Osler, Regulation of AI in Canada, 2025.)

What actually governs AI in Canada today

Without a dedicated AI statute, obligations arise from five overlapping sources. Each is described below with its key requirements and citations. This is orientation, not legal advice.

1. PIPEDA — federal privacy law

The Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) remains the primary federal statute governing any AI system that processes Canadians’ personal information in a commercial context. Its ten Fair Information Principles require organizations to obtain meaningful consent, limit collection to stated purposes, and retain data no longer than necessary. “Hoard data now, train AI later” is not a valid PIPEDA purpose — disclosure must be clear at the point of collection.

PIPEDA does not explicitly mention AI, but the Office of the Privacy Commissioner of Canada (OPC) has applied it to algorithmic decision-making, facial recognition, and recommendation systems through investigation findings and guidance. PIPEDA also grants individuals a right of access to their own personal information, which courts and the OPC have interpreted to cover automated profiles in some circumstances.

British Columbia, Alberta, and Quebec have substantially similar provincial private-sector privacy legislation deemed “substantially similar” to PIPEDA; provincially regulated entities in those provinces follow the provincial statute.

2. Quebec Law 25 — Canada’s strongest AI accountability rule, in force now

An Act to modernize legislative provisions as regards the protection of personal information (Bill 64, commonly called “Law 25” or “Act 25”) came into full force on September 22, 2023. It applies to any organization that processes Quebec residents’ personal information — regardless of where the organization is headquartered.

Section 12.1 of the amended Act Respecting the Protection of Personal Information in the Private Sector is the AI-specific provision. Where a decision based exclusively on automated processing significantly affects an individual, the organization must:

• Inform the person that a decision was made by automated means;
• Disclose the personal information used and the principal factors that led to the decision;
• Offer the individual a right to request that a human review the decision (a genuine, substantive review — pro-forma sign-off does not satisfy the requirement);
• Allow the person to submit observations to the human reviewer and to have their data rectified.

Law 25 also requires Privacy Impact Assessments (PIAs) before deploying any technology that profiles individuals or supports AI decision-making affecting personal information. The Commission d’accès à l’information du Québec (CAI) enforces the Act; penalties can reach the higher of C$25 million or 4% of worldwide revenue — a scale comparable to the EU GDPR. (Sources: CAI; Quebec Law 25: AI & Automated Decision Requirements, aigovernance.ca, 2025.)

3. The ISED Voluntary Code of Conduct on Responsible Generative AI

On September 27, 2023, the Honourable François-Philippe Champagne, Minister of Innovation, Science and Industry, launched the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. It is non-binding legislation — no penalties for non-compliance — but it is the federal government’s clearest statement of what responsible AI governance looks like in Canada, and it has become a de facto procurement criterion for federal contracts. By November 2024, more than 40 organizations had signed, including IBM, Salesforce, CGI, Mastercard, and Lenovo.

The Code’s six commitments are:

1. Accountability — proportionate risk-management frameworks; third-party audits for public-facing systems.
2. Safety — comprehensive risk assessments and proportionate mitigations before deployment.
3. Fairness and equity — evaluation and curation of training datasets; diverse pre-release testing.
4. Transparency — disclosure of capabilities, limitations, and training data types; AI systems must identify themselves when they could be mistaken for humans.
5. Human oversight and monitoring — post-deployment monitoring for harmful use; incident databases.
6. Validity and robustness — extensive testing, adversarial testing, and security assessments against cyber-attack.

ISED has also published a companion AI Risk Management Implementation Guide for Managers offering practical governance strategies for organizations that adopt the Code. (Source: ISED’s Voluntary Code of Conduct, Osler, 2023; canada.ca, Minister Champagne announcement, September 27, 2023.)

4. Treasury Board Directive on Automated Decision-Making — federal departments only

Since April 2019, federal government departments operating automated decision systems (ADS) have been subject to the mandatory Directive on Automated Decision-Making issued by the Treasury Board Secretariat. This does not apply to private-sector organizations but is important context: any organization selling AI-assisted systems to the Canadian federal government will be assessed against these requirements as a procurement criterion.

The Directive uses a four-level impact classification (Level I – low impact through Level IV – very high impact) mapped to an Algorithmic Impact Assessment (AIA) tool. Higher-impact systems require human review capabilities, published AIA results on the Open Government Portal, and meaningful recourse mechanisms for affected individuals. (Source: Treasury Board Secretariat, Directive on Automated Decision-Making, 2019, as amended.)

5. Sectoral rules

Across regulated industries, existing sector-specific authorities have issued AI-specific guidance without waiting for AIDA:

• Financial services (OSFI Guideline E-23): The Office of the Superintendent of Financial Institutions released a final updated Guideline E-23 on Model Risk Management in September 2025, explicitly addressing AI/ML models in federally regulated financial institutions (FRFIs). Effective May 1, 2027. OSFI and the Global Risk Institute also co-developed the AGILE framework (Awareness, Guardrails, Innovation, Learning, Ecosystem Resiliency) for AI risk. (Source: Blakes, OSFI Releases Final Guideline E-23, 2025.)
• Capital markets (CSA): The Canadian Securities Administrators have issued guidance on the use of AI in investment advice, automated trading, and client communications under existing securities law.
• Health technology (Health Canada): AI-enabled software as a medical device (SaMD) is regulated under the Food and Drugs Act and the Medical Devices Regulations. Health Canada released a discussion paper on SaMD in 2019 and continues to update its regulatory approach for AI-based diagnostics and decision-support tools.
• Competition: The Competition Bureau has signalled it will scrutinize AI-enabled price coordination, algorithmic collusion, and deceptive practices under the Competition Act.
• Human rights: Federal and provincial human rights codes apply to algorithmic hiring, tenant screening, and credit decisions. Discriminatory outcomes produced by AI systems are actionable even absent AI-specific legislation.

Why local AI changes the compliance picture

One structural consequence of Canada’s regulatory patchwork is that it creates a data-residency and sovereignty gap. Cloud-hosted AI services — particularly those operated by US-headquartered providers — may be subject to compelled disclosure under US federal law (18 U.S.C. § 2713, the CLOUD Act), regardless of whether the data is physically stored in Canada. PIPEDA and Quebec Law 25 both require meaningful consent for cross-border transfers, but consent is not a complete defence if a US government order compels disclosure.

Organizations processing sensitive Canadians’ personal information through US cloud AI services should be aware that PIPEDA accountability obligations follow the data — the originating organization remains responsible for data protection even when it has been transferred to a third-party processor. Quebec Law 25 adds a Privacy Impact Assessment specific to cross-border transfers before any personal information may leave the province.

For organizations where data sovereignty is a material compliance or commercial concern, on-premise or private-cloud AI deployments — running models locally on your own infrastructure — avoid this exposure entirely. See our guide to local AI versus cloud AI, our total cost of ownership comparison, and our local LLM in Canada overview.

For the broader framework of Canadian digital sovereignty — why it matters, and what it entails technically and legally — see our digital sovereignty in Canada explainer.

What to expect next

The federal government has indicated it intends to address AI regulation through privacy legislation reform rather than a standalone AI statute. The new Liberal government formed after the October 2025 federal election established a Ministry of Artificial Intelligence and Digital Innovation and an AI Strategy Task Force; a renewed national AI strategy was expected in late 2025, with an emphasis on policy mechanisms and sovereign AI compute rather than comprehensive new legislation. (Source: Osler, Canada’s 2026 privacy priorities: data sovereignty, open banking and AI, 2025.)

PIPEDA reform remains on the federal agenda. Any new privacy statute is expected to include AI-specific provisions — particularly around automated decision-making, children’s data, and deepfakes — informed by what AIDA attempted and what Quebec Law 25 has already implemented.

Until new legislation passes, the operative framework is the patchwork described above. Organizations serious about AI governance in Canada should treat PIPEDA + Quebec Law 25 + the ISED Voluntary Code + applicable sectoral rules as the working compliance baseline, and document their reasoning accordingly.

If your AI deployment handles sensitive data, processes Quebecers’ personal information, or supports decisions affecting individuals, engage qualified legal counsel now — do not wait for comprehensive federal legislation that may be years away.

Explore our Sovereign Stack Guide and AI sovereignty consulting overview for the technical architecture options that give Canadian organizations direct control over their AI and data layer.

---

Frequently asked questions