What is Canada’s Artificial Intelligence and Data Act? A Guide To AIDA In 2024

High-Level Summary

The Artificial Intelligence and Data Act (AIDA) aims to set out clear requirements for the responsible development, deployment and use of AI systems by the private sector.

Under the law, businesses developing or making use of “high-impact” AI will face the strictest obligations and notably be accountable for ensuring that employees implement mechanisms to mitigate the risks of such systems. The act covers all actors at every stage of the AI development chain, from development to ongoing usage, and the level of accountability will correspond to the overall impact that actor has on the AI system as a whole.

The AIDA aims to achieve two goals:

1. Ensure that high-impact AI systems meet expectations with regards to safety and human rights
2. Prohibit reckless and malicious use of AI

This is the first legislation of its kind as no such requirements are in place for users and developers of AI in Canada today. The Act is part of a larger body of legislation called the Digital Charter, which also contains the Consumer Privacy Protection Act and the Data Protection Tribunal Act.

Scope

The Act applies to businesses who develop, use, or manage the operations of “high-impact” AI systems – the exact definition of which is not defined yet but a list of criteria has been laid out to include severity of potential harms, scale of use, ease of opting-out, and more.

While “high-impact” AI systems have not been defined yet, the Canadian government has listed several types of systems that are of interest: AI used in employment decisions, biometric systems used for identification and inference, systems that influence human behavior at scale and systems critical to health and safety. These categories correspond to a subset of those noted by the EU in their proposed AI Act, so it’s likely that Canada and the EU will have similar perspectives on what categories of systems are in scope for regulation.

Any AI systems that pose serious harm to Canadians and their interested will be prohibited, but the Act is currently unclear exactly how such systems are defined.

Compliance Requirements of AIDA

The requirements of high-risk AI systems have not been defined yet, but they will be focused around several key pillars:

1. Human oversight & monitoring: AI systems should be designed to accommodate human oversight and provide interpretability into its operations.
2. Transparency: the public should be informed of how high-impact AI systems are used.
3. Fairness and equity: high-impact AI systems should be checked for discriminatory outcomes and steps should be taken to remediate such outcomes if found.
4. Safety: high-impact AI systems should be proactively assessed to identify potential harms, and such harms should be remediated
5. Accountability: organizations should must enforce governance mechanisms to ensure all legal and compliance obligations are met
6. Validity and robustness: High-impact AI systems should perform their intended objectives well and should be reliable in a variety of circumstances

The law is expected to take a few years to flesh out, so the exact scope of regulations has not yet been defined. In the meantime, the Canadian Government has released a Code of Practice for generative AI that aims to ensure the safety and trustworthiness of the technology. The Code is voluntary and aims to ensure generative AI is safe and trustworthy by identifying and managing risks, mitigating bias by curating training data and fine-tuning the models, providing transparency about how the model was trained, and creating human oversight mechanisms. 

Non-Compliance Penalties

Enforcement of the act will consist of three mechanisms:

1. Monetary penalties in response to any violation of the Act
2. Regulatory offense will be prosecuted toward more serious violations of the Act
3. Criminal charges are possible in cases of knowing or deliberate behavior resulting in serious harm

Status

Drawing from our ongoing work in AI governance and responsible AI, we’ve observed how leading organizations are adapting to Canada’s AI regulation in advance of its full implementation.

To prepare for AIDA’s requirements, companies should:

1. Conduct Impact Assessments: Regularly perform detailed assessments of AI tools to identify potential risks and adverse impacts.
2. Establish Governance Programs: Develop comprehensive governance programs that include risk management strategies, designate responsible personnel, and implement safeguards.
3. Ensure Transparency: Notify individuals when AI tools are used in consequential decisions, providing clear and accessible information about the tools’ purposes and impacts.
4. Develop Public Policies: Make publicly available policies that summarize AI tools in use and how associated risks are managed.
5. Monitor Compliance: Stay updated with regulatory changes and ensure ongoing compliance with all requirements to avoid penalties and maintain ethical AI practices.