Table of Contents
Laws governing technology have historically focused on the regulation of information privacy and digital communications. However, governments and regulators around the globe have increasingly turned their attention to artificial intelligence (AI) systems. As the use of AI becomes more widespread and changes how business is done across industries, there are signs that existing declarations of principles and ethical frameworks for AI may soon be followed by binding legal frameworks. 
On June 16, 2022, the Canadian government tabled Bill C-27, the Digital Charter Implementation Act, 2022. Bill C-27 proposes to enact, among other things, the Artificial Intelligence and Data Act (AIDA). Although there have been previous efforts to regulate automated decision-making as part of federal privacy reform efforts, AIDA is Canada’s first effort to regulate AI systems outside of privacy legislation. 
If passed, AIDA would regulate the design, development, and use of AI systems in the private sector in connection with interprovincial and international trade, with a focus on mitigating the risks of harm and bias in the use of “high-impact” AI systems. AIDA sets out positive requirements for AI systems as well as monetary penalties and new criminal offences on certain unlawful or fraudulent conduct in respect of AI systems.
Comparing AIDA and the EU AI Act
Prior to AIDA, in April 2021, the European Commission presented a draft legal framework for regulating AI, the Artificial Intelligence Act (EU AI Act), which was one of the first attempts to comprehensively regulate AI. The EU AI Act sets out harmonized rules for the development, marketing, and use of AI and imposes risk-based requirements for AI systems and their operators, as well as prohibitions on certain harmful AI practices.
Broadly speaking, AIDA and the EU AI Act are both focused on mitigating the risks of bias and harms caused by AI in a manner that tries to be balanced with the need to allow technological innovation. In an effort to be “future-proof” and keep pace with advances in AI, both AIDA and the EU AI Act define “artificial intelligence” in a technology-neutral manner. However, AIDA relies on a more principles-based approach, while the EU AI Act is more prescriptive in classifying “high-risk” AI systems and harmful AI practices and controlling their development and deployment. Further, much of the substance and details of AIDA are left to be elaborated in future regulations, including the key definition of “high risk” AI systems to which most of AIDA’s obligations attach.
The table below sets out some of the key similarities and differences between the current drafts of AIDA and the EU AI Act.
|EU AI Act
|“Artificial intelligence system” means a technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.
|“Artificial intelligence system” means software that is developed with one or more techniques and approaches specified in the legislation (e.g., machine learning approaches, logic and knowledge-based approaches and statistical approaches) and which can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with.
|“High-impact system” means an artificial intelligence system that meets the criteria established in future regulations.
“High-risk system” means:
|“Harm” means (a) physical or psychological harm to an individual; (b) damage to an individual’s property; or (c) economic loss to an individual.
|“Serious incident” means any incident that directly or indirectly leads, might have led or might lead to:
|EU AI Act
|AIDA applies to “persons” (including trusts, joint ventures, partnerships, unincorporated associations, and any other legal entities) who carry out any of the following “regulated activities” in the course of international or interprovincial trade and commerce:
|The EU AI Act applies to:
The EU AI Act applies irrespective of whether the AI system is free or for payment (although the AI system must be put into service in the course of commercial activity).
|AIDA does not apply to:
The EU AI Act does not apply to:
|EU AI Act
AIDA does not stipulate an outright ban on AI systems presenting an unacceptable level of risk.
It does, however, make it an offence to:
The EU AI Act prohibits certain AI practices and certain types of AI systems, including:
|Use of Data
|EU AI Act
Persons who process anonymized data for use in AI systems must establish measures (in accordance with future regulations) with respect to:
High-risk systems that use data sets for training, validation and testing must be subject to appropriate data governance and management practices that address:
Data sets must:
|Requirements for AI Systems
|EU AI Act
|Assessment. Persons responsible for an AI system must assess (in accordance with future regulations) whether it is a “high-impact system.”
|Assessment. The EU AI Act takes a graduated approach:
|Risk management. Persons responsible for “high-impact systems” must:
|Risk management. High-risk systems must:
Transparency. Persons responsible for “high-impact systems” must publish on a public website a plain-language description of the AI system which explains:
Transparency. AI systems which interact with individuals and pose transparency risks, such as those that incorporate emotion recognition systems or risks of impersonation or deception, are subject to additional transparency obligations.
Regardless of whether or not the system qualifies as high-risk, individuals must be notified that they are:
|Record-Keeping & Reporting Requirements
|EU AI Act
Persons responsible for AI systems must keep records (in accordance with future regulations) describing:
High-risk AI systems must:
Providers of high-risk AI systems must:
|EU AI Act
|Persons responsible for “high-impact systems” must notify the Minister of Industry if the use of the system results or is likely to result in material harm, as soon as feasible.
|Providers of “high-risk” AI systems must report any serious incident or malfunctioning which constitutes a breach of the EU AI Act or of obligations under EU law intended to protect fundamental rights of individuals.
|Monitoring Authority & Oversight
|EU AI Act
The Minister of Industry may designate an official to be the Artificial Intelligence and Data Commissioner, whose role is to assist in the administration and enforcement of AIDA. The Minister may delegate any of their powers or duties under AIDA to the Commissioner.
The Minister of Industry has the following powers:
The European Artificial Intelligence Board will assist the European Commission in providing guidance and overseeing the application of the EU AI Act. Each Member State will designate or establish a national supervisory authority.
The Commission has the authority to:
|Penalties & Offences
|EU AI Act
Persons who commit a “violation” of AIDA or its regulations may be subject to administrative monetary penalties, the details of which will be establish by future regulations. Administrative monetary penalties are intended to promote compliance with AIDA.
Contraventions to AIDA’s governance and transparency requirements can result in fines:
Persons who commit more serious criminal offences (e.g., contravening the prohibitions noted above or obstructing or providing false or misleading information during an audit or investigation) may be liable to:
|Penalties under the EU AI Act include:
Each Member States may specify additional penalties for infringements of the EU AI Act.
Key Comparisons Between AIDA and the EU AI Act
Definition of AI
While both acts define AI systems relatively broadly, the definition provided in AIDA is narrower. AIDA only encapsulates technologies that process data autonomously or partly autonomously, whereas the EU AI Act does not stipulate any degree of autonomy. This distinction in AIDA is arguably a welcome divergence from the EU AI Act, which as currently drafted would appear to include even relatively innocuous technology, such as the use of a statistical formula to produce an output. That said, there are indications that the EU AI Act’s current definition may be modified before its final version is published, and that it will likely be accompanied by regulatory guidance for further clarity. 
Risk Assessment and Management
Both acts are focused on avoiding harm, a concept they define similarly. The EU AI Act is, however, slightly broader in scope as it considers serious disruptions to critical infrastructure a “harm”, whereas AIDA is solely concerned with harm suffered by individuals.
Under AIDA, “high-impact systems” will be defined in future regulations, so it is not yet possible to compare AIDA’s definition of “high-impact systems” to the EU AI Act’s definition of “high-risk systems”. The EU AI Act identifies two categories of “high-risk systems”. The first category is AI systems intended to be used as safety components of products, or as products themselves. The second category is AI systems listed in an annex to the act and which present a risk to the health, safety, or fundamental rights of individuals. It remains to be seen how Canada would define “high-impact systems”, but the EU AI Act provides an indication of the direction the federal government could take.
Similarly, AIDA also defers to future regulations with respect to risk assessments, while the proposed EU AI Act sets out a graduated approach to risk in the body of the act. Under the EU AI Act, systems presenting an unacceptable level of risk are banned outright. In particular, the EU AI Act explicitly bans manipulative or exploitive systems that can cause harm, “real-time” biometric identification systems used in public spaces by law enforcement, and all forms of social scoring. AI systems presenting low or minimal risk are largely exempt from regulations, except for transparency requirements.
AIDA only imposes transparency requirements on high-impact AI systems, and does not stipulate an outright ban on AI systems presenting an unacceptable level of risk. It does, however, empower the Minister of Industry to order that a high-impact system presenting a serious risk of imminent harm cease being used.
Application and Scope
AIDA’s application is limited by the constraints of the federal government’s jurisdiction. AIDA broadly applies to actors throughout the AI supply chain from design to delivery, but only as their activities relate to international or interprovincial trade and commerce. AIDA does not expressly apply to intra-provincial development and use of AI systems. Government institutions (as defined under the Privacy Act) are excluded from AIDA’s scope, as are products, services, and activities that are under the direction or control of specified federal security agencies.
The EU AI Act specifically applies to providers (although this may be interpreted broadly) and users of AI systems, including government institutions but excluding where AI systems are exclusively developed for military purposes. The EU AI Act also expressly applies to providers and users of AI systems insofar as the output produced by those systems is used in the EU.
AIDA is largely silent on requirements with respect to data governance. In its current form, it only imposes requirements on the use of anonymized data in AI systems, most of which will be elaborated in future regulations. AIDA’s data governance requirements will apply to anonymized data used in the design, development, or use of any AI system, whereas the EU AI Act’s data governance requirements will apply only to high-impact systems.
The EU AI Act sets the bar very high for data governance. It requires that training, validation, and testing datasets be free of errors and complete. In response to criticisms of this standard for being too strict, the European Parliament has introduced an amendment to the act that proposes to make “error-free” and “complete” datasets an overall objective to the extent possible, rather than a precise requirement.
Other Key Obligations
While AIDA and the EU AI Act both set out requirements with respect to assessment, monitoring, transparency, and data governance, the EU AI Act imposes a much heavier burden on those responsible for high-risk AI systems. For instance, under AIDA, persons responsible for such systems will be required to implement mitigation, monitoring, and transparency measures. The EU AI Act goes a step further by putting high-risk AI systems through a certification scheme, which requires that the responsible entity conduct a conformity assessment and draw up a “declaration of conformity” before the system is put into use.
Both acts impose record-keeping requirements. Again, the EU AI Act is more prescriptive, but contrary to AIDA, its requirements will only apply to high-risk systems, whereas AIDA’s record-keeping requirements would apply to all AI systems.
Finally, both acts contain notification requirements that are limited to high-impact (AIDA) and high-risk (EU AI Act) systems. AIDA imposes a slightly heavier burden, requiring notification for all uses that are likely to result in material harm. The EU AI Act only requires notification if a serious incident or malfunction has occurred.
Enforcement and Penalties
Both AIDA and the EU AI Act provide for the creation of a new monitoring authority to assist with administration and enforcement. The powers attributed to these entities under both acts are similar.
Both acts contemplate significant penalties for violations of their provisions. AIDA’s penalties for more serious offences – up to $25 million CAD or 5% of the offender’s gross global revenues from the preceding financial year – are significantly greater than those found in Quebec’s newly revised privacy law and the EU’s General Data Protection Regulation (GDPR). The EU AI Act’s most severe penalty is higher than both the GDPR and AIDA’s most severe penalty: up to €30 million or 6% of gross global revenues from the preceding financial year for non-compliance with prohibited AI practices or the quality requirements set out for high-risk AI systems.
In contrast to the EU AI Act, AIDA also introduces new criminal offences for the most serious offences committed under the act.
Finally, the EU AI Act would also grant discretionary power to Member States to determine additional penalties for infringements of the act.
Takeaways and Next Steps
While both AIDA and the EU AI Act have broad similarities, it is impossible to predict with certainty how similar they could eventually be, given that so much of AIDA would be elaborated in future regulations. Further, at the time of writing, Bill C-27 has only completed first reading, and is likely to be subject to amendments as it makes its way through Parliament.
It is still unclear how much influence the EU AI Act will have on AI regulations globally, including in Canada. Regulators in both Canada and the EU may aim for a certain degree of consistency. Indeed, many have likened the EU AI Act to the GDPR, in that it may set global standards for AI regulation just as the GDPR did for privacy law.
Regardless of the fates of AIDA and the EU AI Act, organizations should start considering how they plan to address a future wave of AI regulation.
For more information on the potential implications of the new Bill C-27, Digital Charter Implementation Act, 2022, please see our bulletin, The Canadian Government Undertakes a Second Effort at Comprehensive Reform to Federal Privacy Law , on this topic.
 There have been a number of recent developments in AI regulation, including the United Kingdom’s Algorithmic Transparency Standard, China’s draft regulations on algorithmic recommendation systems in online services, the United States’ Algorithmic Accountability Act of 2022, and the collaborative effort between Health Canada, the FDA and the United Kingdom’s Medicines and Healthcare Products Regulatory Agency to publish Guiding Principles on Good Machine Learning Practice for Medical Device Development.
 In the public sphere, the Directive on Automated Decision-Making guides the federal government’s use of automated decision systems.
 This prohibition is subject to three exhaustively listed and narrowly defined exceptions where the use of such AI systems is strictly necessary to achieve a substantial public interest, the importance of which outweighs the risks: (1) the search for potential victims of crime, including missing children; (2) certain threats to the life or physical safety of individuals or a terrorist attack; and (3) the detection, localization, identification or prosecution of perpetrators or suspects of certain particularly reprehensible criminal offences.
 As an indication of potential changes, the Slovenian Presidency of the Council of the European Union tabled a proposed amendment to the act in November 2021 that would effectively narrow the scope of the regulation to machine learning.