Canada has not enacted a comprehensive, AI-specific statute comparable to the EU AI Act. Instead, AI is regulated through a patchwork of targeted amendments to existing laws, common law rules, binding and non-binding regulatory guidance, and developing case law:

• Employment laws in Ontario may require employers to disclose the use of AI in publicly advertised job postings where AI is used to screen, assess, or select applicants.
• Privacy laws at the federal and provincial levels regulate AI uses involving automated decision-making, profiling, geolocation, anonymisation, and the handling of sensitive personal information, supplemented by regulator guidance on responsible AI uses.
• Human rights laws indirectly constrain AI use by prohibiting discriminatory outcomes based on protected characteristics, often necessitating meaningful human oversight where AI influences decisions in areas such as hiring, credit, or access to services.
• Consumer protection laws may apply where AI-enabled products or services result in misleading representations, deceptive practices, or unfair treatment of consumers.
• Competition laws may apply where AI systems facilitate price co-ordination, reinforce anticompetitive conduct, or support exaggerated or misleading performance claims.
• Copyright laws, including the Copyright Act, apply to AI training and outputs through existing reproduction and fair dealing doctrines, but there is limited Canadian jurisprudence directly addressing large-scale model training on protected works or ownership of purely AI-generated outputs; policy consultations continue to explore whether targeted reforms (eg, a text-and-data-mining exception) are needed.
• Criminal laws may apply where AI tools are used to facilitate criminal offences, such as system intrusion, identity-related crimes, data manipulation, or malicious uses of media.
• Civil liability regimes, including negligence and product liability, may attach where AI systems cause harm due to design flaws, biased data, operational failures, or foreseeable misuse, alongside exposure under traditional torts such as defamation.
• Sector-specific regimes increasingly address AI risks through guidance and supervisory expectations, particularly in financial services, securities markets, and health, emphasising governance, risk management, accountability, and appropriate controls.

• Financial institutions are using AI across many core functions, from detecting suspicious transactions, supporting anti-money laundering reviews, optimising investment strategies, analysing market activity, online lending, fraud detection and market analysis;
• The use of AI in the healthcare sector ranges from patient care solutions, administrative processes, payment processes (payer and pharma companies), and diagnosis and treatment applications. For medical devices, hospitals, and clinics, AI capabilities include enhanced imaging systems, predictive analytics models for early disease detection, and clinical support systems that use LLM or RAG technologies to summarise medical charts.
• There is considerable progress in the use of both predictive and generative AI in the automotive sector for autonomous and self-driving vehicles and infotainment systems.
• AI is being leveraged to help advertisers understand customer sentiment, tailor product recommendations, and generate marketing content autonomously.

The Government of Canada continues to take an expansive and multi-layered approach to facilitating AI innovation. This includes large-scale capital investments, infrastructure-building programmes, targeted incentives for commercialisation and adoption, workforce initiatives, and the development of sovereign AI capabilities in Canada. The 2025 federal budget allocated:

• CAD925.6 million over five years to strengthen sovereign AI infrastructure and improve access to secure, Canadian-based compute capacity for public and private research;
• additional allocations to develop a sovereign Canadian cloud; and
• CAD334.3 million to develop quantum and AI-adjacent technologies.

On 2 February 2026, the Government of Canada released a summary of its consultations related to the upcoming update of Canada’s national AI strategy, highlighting several priority areas:

• expanding domestic AI infrastructure and better protecting Canadian IP;
• promoting research emphasising safety, responsible development, and ethical design;
• improving AI-skills training and public literacy;
• establishing coherent, risk-based approaches to regulation; and
• strengthening frameworks for AI security, accountability, and liability.

In January 2026, the Government of Canada launched a new memorandum-of-understanding process inviting private-sector proponents to partner on the development of large-scale, Canadian-controlled AI data centre projects of 100 MW or more and is inviting proposals.

As the proposed Artificial Intelligence and Data Act (AIDA) did not proceed after Parliament was prorogued in January 2025, federal regulators are turning to a mix of existing laws like privacy, human rights, consumer protection, competition, and sector-specific laws, supported by soft-law instruments like the federal Voluntary Code of Conduct for Generative AI and the binding Directive on Automated Decision-Making (ADM) for federal institutions. These federal tools propose algorithmic impact assessments, transparency, model testing, and proportional human oversight, making them practical benchmarks for organisations engaging with AI.

Canadian provinces generally govern AI-related issues through existing laws, voluntary and binding regulatory guidance, and provincial rules imposing targeted AI-related obligations under existing laws, such as Ontario’s Working for Workers Four Act, 2024, which amended the Employment Standards Act and may require disclosure of the use of AI in job postings.

Canada regulates AI-related issues through a patchwork of AI regulations to existing laws, the extension of existing laws (eg, privacy, IP, consumer protection, employment, human rights, and tort) to cover AI-related risks, binding and non-binding guidance from regulators, and case law:

• Federal – Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems;
• Federal – Implementation Guide for Managers of Artificial Intelligence Systems (2025);
• Federal – OSFI Guideline E-23 (Model Risk Management), published 11 September 2025 and coming into effect May 2027, setting expectations for model risk management including AI/ML models used by federally regulated financial institutions;
• Federal – Principles for responsible, trustworthy, and privacy-protective generative AI technologies issued by the Office of the Privacy Commissioner of Canada;
• Federal – Consultation on Copyright in the Age of Generative Artificial Intelligence;
• Federal – Discussion Paper – Artificial Intelligence and Competition (2024);
• Ontario – Working for Workers Four Act, 2024, amending Ontario’s Employment Standards Act, which may require disclosing the use of AI in job postings;
• Ontario – Principles to guide the responsible adoption of artificial intelligence systems by the Information and Privacy Commissioner of Ontario and Human Rights Commissioner; and
• Quebec – Act respecting the protection of personal information in the private sector, which may require disclosure of a decision concerning a data subject when it is based exclusively on an automated processing of their personal information. 

The federal government introduced the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems as well as an Implementation Guide for Managers of Artificial Intelligence Systems. The Voluntary Code sets out high-level principles for the development, management, and use of generative AI systems, while the implementation guide elaborates on best practices.

The federal government has also issued a Guide on the Use of Generative AI for federal institutions to inform their use of generative AI tools, which recommends a host of risk assessment and mitigation measures to be considered by public institutions in Canada.

The Canadian Centre for Cyber Security has also issued guidance on mitigating cybersecurity risks associated with AI technologies, such as the December 2025 guide on Artificial Intelligence (ITSAP.00.040) and December 2025 guide on Generative Artificial Intelligence (ITSAP.00.041).

Canada has not implemented the EU AI Act; however, Canadian organisations operating in or targeting Europe may be subject to applicable AI and privacy requirements extraterritorially.

Canada does not have US state AI laws; however, Canadian organisations operating in or targeting US states may be subject to applicable AI and privacy requirements extraterritorially.

Canada has not yet amended its federal privacy or copyright statutes to specifically regulate the use of artificial intelligence; however, the federal government has launched several detailed consultations aimed at updating these regimes and has issued binding and non-binding guidance.

In the area of copyright, the multi-year Copyright in the Age of Generative AI review (2025) found that current legislation does not clearly regulate text-and-data-mining (TDM) activities or large-scale training of AI models. The government’s summary report states that Canada lacks a specific TDM exception, leaving AI developers to rely on fair dealing, an analysis whose application to mass ingestion of copyrighted material is not yet resolved. The consultations also underscored uncertainty around web-scraping practices, as copying protected works from publicly accessible websites to train datasets may infringe the reproduction right unless covered by a fair-dealing purpose and judged “fair” under a multi-factor test.

In February 2026, the Government of Canada published a summary of its national AI strategy consultations on AI in Canada, which suggests new laws and regulations may be released to regulate issues such as safety evaluation, adversarial testing and red-teaming, structured human-oversight mechanisms, traceability throughout the model life cycle, and clearer rules for allocating responsibilities and liability across the AI supply chain. This could include a new federal bill akin to Bill C-27, which had proposed to introduce the Artificial Intelligence and Data Act (AIDA) and amend federal private sector privacy law until the bill was terminated in 2025.

To date, there have only been a handful of judicial decisions in Canada that have substantively addressed generative AI issues. Below are a few recent examples of such decisions. 

In Clearview AI Inc. v British Columbia (Information and Privacy Commissioner), 2026 BCCA 67, the B.C. Court of Appeal supported the notions that:

• provincial private sector privacy law can apply extraterritorially where there is a real and substantial connection to the province, even if the organisation is foreign and has ceased operations in Canada;
• the systematic scraping of facial images of Canadians (residents of B.C.) from publicly accessible websites constitutes collection of personal information requiring consent under PIPA;
• the “publicly available information” exception must be interpreted narrowly, consistent with the quasi-constitutional status of privacy legislation; and
• the “reasonable purpose” for collecting personal information remains a freestanding requirement, even where a consent exception is argued by defendants.

Stross v Trend Hunter, 2020 FC 201 (upheld on appeal) is a copyright infringement decision that is sometimes cited in AI discussions because the defendant operated a platform that used automated tools, including AI-enabled processing, to generate market research insights from user interactions. The Federal Court accepted that the dealing could fall within “research” at the first stage of the fair dealing analysis, but ultimately held the dealing was not fair on the facts, and found infringement. While not a “generative AI outputs” case, it illustrates how Canadian courts may treat AI-enabled commercial analytics in applying existing copyright doctrines.

Canada has not issued any Copyright Board decisions addressing whether AI-generated works qualify for copyright protection. However, the Canadian Patent Appeal Board, whose recommendation was adopted by the Commissioner of Patents, held in Thaler (Re), 2025 CACP 8, that an AI system cannot be named as an inventor, with the result that a patent cannot be granted for an invention attributed solely to AI. Further judicial guidance is expected.

In Moffatt v Air Canada, 2024 BCCRT 149, the British Columbia Civil Resolution Tribunal found that a company could be liable for negligent misrepresentation based on inaccurate information provided to a consumer through a website chatbot. In this case, the plaintiff used a chatbot on an airline’s website to search for flights. The chatbot indicated that the plaintiff could apply a bereavement fare retroactively; however, the plaintiff later learned from the airline that retroactive applications are not permitted. In a suit for a partial refund, the plaintiff argued that he relied on the chatbot’s advice. The court found the airline responsible for negligent misrepresentations on its website as a result of representations made by the chatbot.

In January 2026, Canada’s Office of the Privacy Commissioner of Canada opened an investigation into a social media platform’s generative AI tools and whether the platform had collected consent to use images and personal information to generate deepfakes on the platform.

In March 2026, Canada’s Office of the Privacy Commissioner of Canada released findings regarding a major loyalty programme’s retention practices, emphasising that where an organisation relies on “anonymisation” rather than deletion, it must be able to demonstrate that there is no serious possibility of re-identification, including as techniques evolve over time. The regulator reinforced its position that anonymisation of personal information must be irreversible to remove personal information outside of the regulatory scope of Canada’s federal private sector privacy law. If there is a serious possibility that anonymised personal information could be reidentified, alone or combined with other information, it may be regulated as personal information.

Office of the Privacy Commissioner of Canada (OPC)

The OPC is a primary federal regulator overseeing AI systems that collect, use, disclose, or generate personal information under PIPEDA. It has authority to launch investigations, make compliance recommendations, and respond to data subject complaints, including with respect to the collection, use, and disclosure of personal information by AI systems. Provincial privacy regulators in Alberta, British Columbia and Quebec, also play a similar regulatory and enforcement role with regard to the use of personal information in AI systems within those provinces.

Competition Bureau of Canada

The Competition Bureau may regulate AI where it intersects with competition law, including algorithmic pricing, collusion risks, deceptive marketing (such as “AI-washing”), and competition issues in AI infrastructure markets. The Competition Bureau has carried out dedicated consultations on AI and competition and co-ordinates with the OPC and CRTC through the Canadian Digital Regulators Forum to address emerging AI-driven market dynamics.

Industry-Specific Regulators

Industry-specific regulators may also be involved in regulating AI. For example, Health Canada has issued guiding principles for the development of medical devices that use machine learning. The Office of the Superintendent of Financial Institutions has also published its model risk guideline (E-23), and securities regulators have issued guidance on AI-specific issues, such as Canadian Securities Administrators (CSA) Staff Notice and Consultation 11-348, which clarifies how existing securities laws apply to the use of AI in capital markets, and which provides guidance on governance, disclosure, conflicts of interest, explainability, and human oversight for registrants, issuers, marketplaces, and other intermediaries. The CSA has also cautioned issuers against “AI-washing” and emphasised tailored, accurate disclosure of AI use in public filings.

Canadian Artificial Intelligence Safety Institute (CAISI)

CAISI is a federal initiative launched to strengthen Canada’s capacity to understand and address safety risks associated with advanced AI systems, including through testing, evaluation and research co-ordination. CAISI is not an enforcement regulator; its role is principally research, convening and technical capacity building to support safe development and deployment.

Advisory Council on Artificial Intelligence

The federal government appointed an Advisory Council on AI, which focuses on examining how to advance AI in Canada in an open, transparent, and human rights-centric manner.

The Government of Canada’s Implementation Guide for Managers of Artificial Intelligence Systems is a non-binding guide that supports the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. While the Code primarily guides developers and managers of advanced generative AI systems, it also outlines responsible AI practices more broadly. The guide details essential best practices for the responsible and effective use of AI technologies, emphasising safety protocols to mitigate risks, accountability measures to uphold ethical standards, and human oversight to maintain control over AI systems.

In late 2025, Canada’s federal privacy regulator launched an investigation into a major social media platform operating in Canada with a focus on algorithmic recommendations to children, including AI-driven content personalisation, reinforcing the notion that algorithmic design choices may be subject to accountability and fairness obligations under Canadian privacy laws.

In 2025, Quebec’s privacy regulator issued enforcement guidance regarding automated decision-making and algorithmic management tools used in employment contexts. While framed through guidance, the guidance states that employers deploying AI systems affecting employees’ rights may be subject to investigation and penalties for failing to meet transparency, necessity, and proportionality requirements, suggesting stricter enforcement of AI in workplaces.

In January 2026, Canada’s Office of the Privacy Commissioner of Canada opened an investigation into a social media platform’s generative AI tools and whether the platform had collected consent to use images and personal information to generate deepfakes on the platform.

Canada does not have a single AI-specific national standards authority dedicated solely to AI; however, the Standards Council of Canada supports the development and adoption of AI-related standards, including through collaborative standardisation initiatives. The Canadian Institute for Advanced Research released in 2017 the Pan-Canadian Artificial Intelligence Strategy (PCAIS), which lays out Canada’s three-pillared strategy for becoming a world leader in AI. As part of the PCAIS, the Government of Canada has pledged CAD8.6 million in funding from 2021 to 26 for the Standards Council of Canada to develop and/or adopt standards related to artificial intelligence. In March 2023, the Standards Council of Canada expanded the Canadian Data Governance Standardization Collaborative to address national and international issues related to both AI and data governance through a new AI and Data Governance (AIDG) Standardization Collaborative to develop standardisation strategies in this area.

International standards increasingly shape Canadian AI governance. ISO/IEC 42001:2023 is the world’s first AI management system standard, and CSA ISO/IEC 42001:25 is the Canadian-adopted version used in Canada’s national standards ecosystem. In Canada, the Standards Council of Canada offers accreditation related to AI management systems certification based on ISO/IEC 42001, enabling third-party assurance aligned with these standards.

Federal institutions in Canada rely on AI for functions such as screening files, processing applications, analysing datasets, automating service interactions, and monitoring cybersecurity events. These activities are primarily governed by the federal Directive on Automated Decision-Making, which applies whenever a federal system renders, or meaningfully contributes to, an administrative decision about an individual. The Directive may require federal departments to complete and publish an Algorithmic Impact Assessment, give advance notice and clear explanations to affected individuals, maintain human review mechanisms, perform testing and quality control, and report publicly on how the system performs.

In addition, the federal public service is implementing its AI Strategy for 2025–2027, which sets expectations for responsible deployment, transparency, safeguards, and workforce training for any department using AI tools. The federal Guide on the Use of Generative AI provides further operational rules for employees, including requirements for privacy protection, proper handling of government information, record management, and safe use of third-party AI services.

The federal government has also released its Guide on the use of generative AI and its strategy for federal public service, which provides principled guidance to federal institutions on their use of generative AI tools, including best practices in respect of privacy, compliance, record-keeping and future policy direction in the implementation of AI for improving public service.

In Haghshenas v Canada (Citizenship and Immigration), 2023 FC 464, the Federal Court of Canada dismissed an applicant’s request for judicial review of a deportation decision by a Federal Immigration Officer. The court rejected the applicant’s argument that the officer’s decision was not procedurally fair because it was reached through the assistance of AI, as the court found that this consideration was not relevant to the duty of procedural fairness. The court found the use of AI was not relevant because an Officer had made the decision in question, and judicial review is meant to deal with the procedural fairness and/or reasonableness of a decision.

Canada has modernised the Investment Canada Act through Bill C-34, the National Security Review of Investments Modernization Act (Royal Assent 22 March 2024), enhancing the federal government’s ability to scrutinise foreign investments that may raise national security concerns, including in sensitive technology areas. Certain amendments came into force on 3 September 2024, while others require regulations or guidance to implement; the reforms also clarify net benefit factors relevant to protecting IP developed with Government of Canada support and the security of Canadians’ personal information.

Issues created by such generative AI tools span multiple industry sectors and include intellectual property issues related to ownership, authorship, and originality, litigation and liability issues, and privacy law issues.

On the intellectual property front, the Government of Canada engaged in a Consultation on Copyright in the Age of Generative Artificial Intelligence. This consultation examined areas related to text and data mining, authorship and ownership of works generated by AI, and infringement and liability regarding AI. To date, the government has only provided a summary report identifying the issues that were outlined in the submissions from stakeholders.

The Office of the Privacy Commissioner of Canada (OPC) has also acknowledged the potential privacy issues associated with generative AI. In March 2026, Canada’s federal privacy regulator confirmed that the deployment and operation of generative AI technologies, such as large language models, image creation systems, and other tools capable of producing synthetic content, remain governed by existing federal and provincial privacy regimes, despite the lack of a dedicated AI statute. The regulator highlighted that developers and deployers of foundation and general-purpose AI must continue to comply with established privacy principles, including lawful authority to use personal data in training, limits on data collection and retention, explainability of automated processes, safeguards to address inaccurate or harmful outputs concerning identifiable individuals, and ongoing responsibility across the AI life cycle.

Moreover, in December 2023, the OPC along with provincial privacy regulators published the “Principles for responsible, trustworthy and privacy-protective generative AI technologies” to identify key considerations for the application of privacy principles to the development, management, and use of AI.

E-Discovery

AI-powered e-discovery tools can assist with quickly and efficiently reviewing documents in the litigation discovery process. One such technique is through predictive coding. Deep learning and AI-empowered tools can use words and word patterns in a small set of documents marked as relevant and/or privileged and then apply them to a large dataset of other documents.

Legal Research and Legal Analytics

AI tools have been introduced that purport to provide increased productivity and efficiency for legal research via use of natural language processing and machine learning technologies. For example, some offerings include AI-powered research tools that may provide answers to legal questions asked in plain language, as opposed to more traditional research searches using keywords and Boolean operators.

Contractual Analysis

AI technologies are being deployed to assist in contract analysis and review. AI can assist in quickly scrutinising contracts, identifying missing clauses, inconsistencies in terminology used or undefined terms across a single document or multiple documents.

Patent and Trade Mark Searches

AI is being utilised to benefit intellectual property practitioners by assisting in patent and trade mark searches. For example, NLPatent uses machine learning and natural language processing to understand patent language, which allows lawyers to search for patent terms and prior art in plain language, instead of relying on keywords. In the trade mark context, companies such as Haloo utilise AI-powered searches to provide rapid and more expansive mark searches.

Rules or Regulations Promulgated or Pending by Courts

The Federal Court has issued guidance requiring parties to disclose, by declaration, when generative AI was used to create or generate content in documents filed for the purpose of litigation, subject to the notice’s stated scope and exceptions. Several provincial courts, including in Manitoba, Yukon and Alberta, have issued similar guidelines.

In Canadian law, tort law is a relevant theory of liability for personal injury or commercial harm arising from AI-enabled technologies where the injured person has no pre-existing legal relationship (ie, by way of contract). Although it is possible for liability to arise through intentional torts or strict liability, negligence law will likely be the most common mechanism for plaintiffs seeking compensation for losses from the defendant’s use of an AI system.

To bring a tort claim, the plaintiff has the burden of proof in establishing that an AI system was defective, the defect was present at the time the AI system was in the plaintiff’s control and that the defect contributed to or caused the plaintiff’s injury. A defect related to manufacturing, design or instruction of an AI-based system could give rise to a tort claim.

Canada does not have a single, unified “strict liability” regime for defective products across all jurisdictions. In the common-law provinces, product liability claims are typically advanced through negligence principles. Quebec differs; under the Civil Code of Québec, manufacturers, distributors and suppliers may be bound to make reparations for injury caused by a safety defect, which operates as a distinct civil law product liability framework and can apply even without proof of classic negligence elements. At present, neither federal nor provincial governments have enacted AI-specific liability rules, and no legislative proposals are underway that would create special liability standards or strict-liability regimes for harms arising from AI systems. As a result, disputes involving AI-related injuries or defects continue to be resolved under existing tort, contract, consumer-protection, and product-safety law, with courts determining liability based on the facts of each case.

Under established principles of contract and agency law, AI systems do not have legal personality, but Canadian electronic commerce statutes recognise that “electronic agents” (computer programs acting without human review at the time of the act/response) can be used in forming and performing electronic contracts. In practice, legal responsibility for commitments and outputs remains allocated to the persons or organisations deploying or authorising the use of those systems, and disputes are resolved through conventional doctrines (contract interpretation, agency/authority, negligence and misrepresentation) applied to the human actors and entities involved. Any representation, error, or harm arising from an AI tool could be legally attributed to the individual or organisation that deploys it. As a result, responsibility continues to be assessed through conventional doctrines such as negligence and product liability rules.

Oversight duties for higher-risk or more autonomous systems are shaped largely by public-sector instruments that organisations may treat as de facto governance benchmarks. The federal Directive on Automated Decision-Making generally requires Algorithmic Impact Assessments, human-in-the-loop safeguards, logging and auditability, explainability measures, and public transparency for automated systems used in federal administrative decision-making, with obligations calibrated to the level of impact.

In Canada, injuries or losses involving autonomous or agentic AI systems are dealt with under the same liability rules that apply to other technologies, as no federal or provincial statute currently establishes a dedicated AI liability regime. Fault is allocated through established doctrines in negligence, product liability law, contract, IP, and consumer protection statutes.

Biased outputs by AI systems may be found when they create an unjustified and adverse differential impact on any of the prohibited grounds for discrimination under the Canadian Human Rights Act, in the case of an institution or organisation governed by Canadian federal laws, or provincial or territorial human rights or discrimination legislation. For example, if an AI system is used by an employer to triage applications for job openings, employers must make sure that prospective candidates are not being discriminated against on a prohibited ground of discrimination.

The collection, use, and disclosure of biometric personal information, including for biometric AI systems, may be governed under federal and provincial laws. For example, in Quebec, the Act to establish a legal framework for information technology may require businesses and organisations to disclose to Quebec’s privacy regulator the use of biometric personal information for the purpose of identification or identity verification or the creation of a database of biometric characteristics or measurements promptly but no later than 60 days before it is brought into service. If this requirement is triggered, it would require the entity to complete and submit a prescribed disclosure form to the regulator, describing the biometric database, how and why it is being used, and any potential risks associated with its use and subsequent maintenance.

Biometric personal information is also considered “sensitive” personal information under federal and provincial privacy laws in Canada, which may attract more stringent compliance obligations, such as the need to obtain express (opt-in) consent for its collection, use, and disclosure.

The collection, use and disclosure of biometric personal information without express consent has been the topic of a joint investigation by the Office of the Privacy Commissioner of Canada and provincial privacy regulators in Canada; namely, in the joint investigation of Clearview AI. Clearview AI’s facial recognition technology was found to scrape facial images and associated data from publicly accessible online sources (eg, public social media accounts) and to store that information in a database. While the information was scraped from publicly accessible social media accounts, Canadian privacy regulators found that the purposes for which Clearview AI used the facial images and associated data were unrelated to the purposes for which the images were originally shared on social media sites, thereby requiring fresh and express consent for new uses, and new purposes for using any of the facial images or associated data by a third party.

Canada does not have a standalone federal statute targeting deepfakes; however, synthetic and manipulated media may be governed through a combination of existing laws and coordinated regulator guidance. For example, in January 2026, Canada’s Office of the Privacy Commissioner of Canada opened an investigation into a social media platform’s generative AI tools and whether the platform had collected consent to use images and personal information to generate deepfakes on the platform. Moreover, the Canadian Digital Regulators Forum, which brings together the CRTC, Competition Bureau, Copyright Board, and the Office of the Privacy Commissioner, has cautioned that AI-altered content may violate deceptive marketing rules if it misleads the public, and may also trigger privacy and data protection obligations. 

Canada’s transparency expectations for AI systems are drawn from privacy statutes, consumer-protection rules, and sector-specific regulatory obligations rather than a single, unified AI law. Under federal and provincial privacy legislation, organisations may be required to communicate their use of tools that use personal information to make automated decisions. Within the federal public service, the Directive on Automated Decision-Making may require departments to conduct Algorithmic Impact Assessments, maintain human-review mechanisms, and disclose both the use and general functioning of automated systems, with more stringent obligations applying to higher-impact systems. The Canadian Intellectual Property Office released a notice on the “Use of AI in proceedings before the Trademarks Opposition Board” in June 2025, which requires a standard-form declaration in the first paragraph of each document that used AI to generate or create content. AI-related transparency rules are also emerging in employment regulations. Ontario’s Working for Workers Four Act, 2024, may require employers to indicate in job postings when AI is used to screen, assess, or select applicants.

Federal agencies that procure AI systems may be required to comply with the Directive on Automated Decision-Making, which obliges agencies to complete Algorithmic Impact Assessments and maintain detailed logging, documentation, and human-review mechanisms for any system that influences an administrative decision. As a result, suppliers working with federal institutions may be expected to design and deliver solutions that satisfy these transparency, auditability, and oversight requirements. From a privacy perspective, private sector privacy laws, such as PIPEDA and “substantially similar” private-sector laws in Alberta, British Columbia, and Québec, may require businesses and organisations supplying AI systems to comply with core obligations that apply generally to the collection, use, and disclosure of personal information, such as consent, limits on the purposes for which data may be used, safeguards to protect personal information, transparency about automated processes, and rules governing transfers of data outside Canada. Guidance from privacy regulators on generative AI systems likewise underscores constraints on large-scale scraping and the need to minimise data collection.

Canadian AI accountability relies on risk-based due diligence when procuring systems, supplier assessments, and clear allocation of liability for third-party components.

Under federal and provincial laws in Canada, employers are generally restricted from taking actions that have or are intended to have an unjustified and adverse differential impact on employees under one or more prohibited grounds for discrimination, whether under the Canadian Human Rights Act for federally regulated federal institutions and agencies or under provincial or territorial human rights or discrimination laws. Risks are greater for employers where such decisions are systematic and involve a large number of employees. Therefore, when AI systems are being used by employers, whether during the onboarding, termination or employment phase of the relationship, employers may be accountable for discriminatory effects resulting from their use of the AI systems. Moreover, in the Province of Ontario specifically, the Working for Workers Four Act, 2024, was passed and entered into force in 2026, which may require employers in Ontario to disclose the use of AI for recruitment in public job postings. Use of technologies to make automated decisions about employees is also regulated indirectly in federal and provincial privacy statutes, which may require businesses to communicate the use of technologies that use personal information to render automated decisions without humans.

In October 2022, the Province of Ontario amended its employment standards legislation, the Employment Standards Act, to require employers with 25 or more employees in Ontario, to have a written “electronic monitoring policy” in place to convey all the ways that electronic monitoring is being used by the employer to monitor employees. These could include, for example, monitoring attendance in the office, activity on a work computer, monitoring emails and other communications, or monitoring internet browsing activity. Employers to whom the requirements apply may need to share the electronic monitoring policy with existing employees. From a privacy perspective, federal and provincial privacy laws in Canada may need to inform data subjects about the purposes for which their personal information is collected, used, and disclosed, including for the purposes of electronic monitoring, performance analytics, or other related purposes, which may need to be communicated in an employee privacy policy.

Digital platform companies using AI may be subject to Canadian federal and provincial private sector privacy laws for the collection, use and disclosure of the personal information of customers. With regard to e-commerce, digital platform companies may also be subject to Canada’s Anti-Spam Legislation (CASL), which generally governs the sending of electronic messages (eg, emails and texts) for a commercial purpose. Digital platform companies may also be subject to human rights and privacy laws in Canada with regard to the handling of employee personal information and any recruitment and hiring practices through automated AI systems.

AI deployment in Canada’s financial sector is not governed by a standalone statute; instead, it is managed through the existing prudential, consumer-protection, and securities-regulatory framework, supplemented by increasingly detailed supervisory expectations.

Federally regulated financial institutions are generally required to treat AI and machine-learning models as part of their overall model-risk portfolio under the Office of the Superintendent of Financial Institutions’ (OSFI) model-governance regime. The joint OSFI–FCAC Risk Report released in 2024 identifies heightened risks in areas such as underwriting, credit assessment, fraud detection, and algorithmic trading, and emphasises the importance of explainability, data integrity, governance controls, and ethical safeguards as central pillars of responsible AI use. OSFI’s forthcoming Guideline E-23, Model Risk Management (2027), will formally extend its oversight to AI and other complex models, requiring institutions to maintain comprehensive model inventories, apply life cycle governance, monitor performance and model drift, manage risks associated with vendor-supplied or externally sourced tools, and keep documentation robust enough to support independent validation. These obligations will work in conjunction with Guideline B-10, Third Party Risk Management, on third-party risk, which generally applies whenever financial institutions obtain or integrate external AI services, ensuring that outsourcing practices do not compromise risk management, compliance, or operational resilience. From a securities law perspective, securities regulators have also taken steps to regulate AI systems, such as through National Instrument 23-103 Electronic Trading and Direct Electronic Access to Marketplaces, and the Canadian Investment Regulatory Organization’s Notice 12-0364, Guidance Respecting Electronic Trading, which require firms to adequately test algorithmic trading systems.       

In Canada, there is no AI-specific statute for the healthcare and medical devices sector; rather, Health Canada is focused on establishing a regulatory framework for the use of machine learning in medical devices. To this end, Health Canada, in collaboration with the US Food and Drug Administration (FDA), and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA), have jointly identified ten guiding principles that can inform the development of Good Machine Learning Practice (GMLP):

• Multi-disciplinary expertise is leveraged throughout the total product life cycle.
• Good software engineering and security practices are implemented.
• Clinical study participants and datasets are representative of the intended patient population.
• Training datasets are independent of test sets.
• Selected reference datasets are based upon best available methods.
• Model design is tailored to the available data and reflects the intended use of the device.
• Focus is placed on the performance of the human–AI team.
• Testing demonstrates device performance during clinically relevant conditions.
• Users are provided clear, essential information.
• Deployed models are monitored for performance and retraining risks are managed.

A regulatory framework governing autonomous vehicles in Canada is emerging at both the federal and provincial levels. In general, published guidelines at both the provincial and federal levels are informed by the standards set by the Society of Automotive Engineers (SAE) International, which define six levels of driving automation along a spectrum of degrees of human control. The safety standards for autonomous vehicles are regulated federally, while provinces and territories regulate drivers, liability, insurance, and traffic laws within their jurisdictions. Several provinces are currently engaged in pilot programmes testing fully autonomous vehicles on Canadian roads. The collection, use and disclosure of personal information by autonomous vehicles and connected car systems may be subject to privacy laws.

Product liability can also be imposed on the designers, manufacturers, and retailers of AI products through contractual liability, sale-of-goods laws, consumer protection laws and tort law.

AI-enabled machinery and robotics used across Canadian industrial sectors, such as manufacturing, energy, mining, transportation, and logistics, are regulated through long-standing occupational health and safety (OHS) requirements, established product safety laws, and general AI governance policies rather than any robotics-specific statute.

Provincial OHS legislation, such as Ontario’s Occupational Health and Safety Act, may require employers to identify and control risks associated with automated systems, such as collaborative robots and autonomous equipment, and authorities have power to issue orders and penalties where unsafe conditions are found. Federal product safety statutes may also apply: the Canada Consumer Product Safety Act governs consumer-facing robotic products, while the Hazardous Products Act sets requirements for industrial machinery. Federal AI policy instruments, such as Canada’s emerging national AI safety initiatives and the voluntary Code of Conduct for the Responsible Development and Management of Advanced Generative AI Systems, encourage organisations to perform risk assessments, maintain documentation, and monitor AI risks.

Intellectual property rights generally inure to the author, owner, or inventor of a work or invention. Generative AI, which can produce complex creative works and inventions, challenges the fundamentals of intellectual property. Canadian patent legislation and jurisprudence have generally supported that inventors are humans. Under Canadian copyright law, a generative model creating fully realised creative works based solely on user inputs, which can be very rudimentary, raises the question whether the user is exhibiting sufficient skill and judgement in the expression of the idea. Furthermore, the process by which the generative AI model created the output based on the user input is often shrouded within a “black box”, whereby even the AI model programmer cannot identify exactly how the final expression was created. The Government of Canada has acknowledged in its Consultation on a Modern Copyright Framework for Artificial Intelligence and the Internet of Things that the current Copyright Act is ill-equipped to address the novel questions posed by generative AI.

Ownership of AI

With the rise of AI, and specifically generative AI, one of the main discussions surrounding intellectual property (IP) is whether AI can own IP, or an AI system has IP rights associated with a work. Currently, AI-created IP is being tested through the Canadian Intellectual Property Office. Both copyright and patents require the owners, authors, and/or inventors to be identified as part of the application and registration process. With AI, it is unclear who the owner, author, or inventor of the work may be. For example, in patent law, the courts have primarily demonstrated that an inventor must be a human; however, currently there are patent applications being prosecuted in Canada where an AI system is the inventor. Similarly, in copyright, although the term “author” is not defined in the Copyright Act, it is unclear whether an AI system can be an author.

AI Training and IP

AI systems are trained on massive datasets that are often scraped from the internet. Depending on the AI model, these can include texts and images that may be subject to copyright protection, or other intellectual property protection. Since protected data may be used for training, there is a risk that AI systems may infringe upon intellectual property to produce an output. Training data can also infringe intellectual property rights if the data was not licensed for AI training.

In Canada, questions about the legal status of AI-generated inventions and creative works are resolved under the country’s existing intellectual property statutes, which require a human creator. Patent law continues to treat inventorship as a role that only natural persons can hold. In Thaler, Stephen L. (Re), 2025 CACP 8, the Patent Appeal Board concluded (and the Commissioner of Patents adopted) that an AI system cannot be named as an inventor under Canada’s Patent Act framework, so an application listing only an AI as inventor did not proceed.

Canada’s Copyright Act does not provide a definition of “author”, but previous case law related to injunction applications states that copyright can only exist in works authored by a human being. However, recently, the Canadian Intellectual Property Office (CIPO) granted a copyright registration to copyright that was completely generated by AI. Although the copyright registration was granted, it is unclear how this registration will be enforced. The CIPO states that they do not guarantee that “the legitimacy of ownership or the originality of a work will never be questioned”. While the software supporting AI may be copyrightable, this copyright does not automatically mean that the output of the software or AI is protected by copyright.

Whether training AI systems by scraping online content constitutes copyright infringement remains an open question in Canada. In November 2024, a coalition of major Canadian news publishers, including the Toronto Star, Postmedia, The Globe and Mail, CBC, and The Canadian Press, launched a lawsuit against a major AI services provider, alleging that the company copied, scraped, and ingested their news content to train their AI models without authorisation, infringing both copyright and contractual terms. Another dispute that could have provided similar guidance was the litigation between CanLII and Caseway AI, initiated in 2024 and settled in early 2026. CanLII, a non-profit organisation that maintains Canada’s primary free access legal database, alleged that Caseway AI had scraped its platform and republished the content behind a paywall. CanLII claimed that more than 120 gigabytes of data and 3.5 million records had been taken. The matter settled on confidential terms, leaving the courts without an opportunity to issue what could have been a significant precedent on AI training data and copyright infringement.

AI-generated works of art and works of authorship can include, for example, literary, dramatic, musical, and artistic works, all of which can be the subject of copyright protection in Canada. Before AI-generated works can be copyright protected, they must first overcome two major hurdles:

• formal requirements for copyright protection; and
• the question of to whom authorship should be attributed for AI-generated works.

Formal Requirements

Copyright protects the original expression of ideas that are fixed in a material form. Outputs from generative AI programs are expressions of ideas that are fixed in a material form, but there is some question as to their originality. Originality in Canada requires that skill and judgement be involved in the expression of the idea. The Supreme Court of Canada in CCH Canadian Ltd. v Law Society of Upper Canada, 2004 SCC 13, defined “skill” as the use of one’s knowledge, developed aptitude, or practiced ability, and “judgement” as the use of one’s capacity for discernment or ability to form an opinion or evaluation by comparing different possible options and producing a work. The work involved must also be more than a purely mechanical exercise.

Authorship

The author of a copyrighted work is the person who exercised skill and judgement in its creation. There are therefore three potential candidates for authorship of AI-generated works: the user inputting the prompt, the person who created the AI model, or the AI model itself.

Logistically, copyright protection in Canada subsists for the life of the author plus 70 years, creating obvious issues for generative AI models that do not “die”. Furthermore, Section 5(1)(a) of the Copyright Act states that an author must be “a citizen or subject of, or a person ordinarily resident in, a treaty country”. This seems to contemplate that the author is a natural person. Finally, Section 14.1(1) of the Copyright Act conveys moral rights, or rights to the integrity of the work, that are separate from copyright rights. Generative AI models, which are (so far) non-sentient, cannot properly exercise their moral rights to the integrity of their works.

There are several considerations when commercialising or otherwise incorporating into your business the outputs of generative AI models.

Licensing Considerations

Each generative AI model has different policies related to the use and ownership of the inputs (user prompts), and outputs of the program. While users may own all inputs, other generative AI programs might retain some interest in the output of the program, so users should carefully review the legal policies associated with the program they are using.

Inaccuracies

Generative AI programs consisting of LLMs are prone to inaccuracies, or “hallucinations”, whereby the program will produce a seemingly correct answer to a question that actually has no grounding in reality. Inaccurate outputs might lead to a number of legal liabilities, such as under defamation law, consumer product liability law, tort law, etc.

Litigation Risk

Generative AI models are trained on massive data sets scraped from the internet, which often include data points such as images that are subject to intellectual property law protection. There is a risk that, by using these protected data points as inputs for generative AI models, the outputs of those models might infringe upon those protected works.

Privacy Considerations

A large number of the data points fed into the generative AI models as training data are likely considered “personal information” under Canadian privacy law, meaning informed consent is likely necessary before collecting, using, or disclosing the personal information as part of the AI model. Furthermore, consideration should be given to the user inputs and potential confidentiality breaches that might occur if sensitive information is input into the system.

Bias

Generative AI models, like all AI models, are susceptible to bias stemming from the personal bias of their programmers and any bias baked into their training data.

In Canada, training AI systems with personal information is generally regulated under the country’s federal and provincial privacy laws. These statutes, PIPEDA, Alberta’s PIPA, British Columbia’s PIPA, and Quebec’s private sector privacy law may require obtaining meaningful consent, which may need to be express (opt-in) in nature where sensitive information or automated decision-making is at issue. Because privacy laws are purpose-specific, organisations must clearly define AI-training activities as an intended and compatible purpose, and regulators have repeatedly warned that gathering publicly available data for model training does not remove the need to meet consent and purpose-limitation requirements. Each of these statutes also embeds data-minimisation obligations (organisations may collect only the information reasonably necessary for the identified training purpose), and generally grants individuals rights to access, correct, and withdraw their consent to the collection, use, and disclosure of their personal information. Where an AI system is trained on sensitive or high-risk categories of personal information, such as biometric identifiers or intimate data, privacy duties may become more stringent. Quebec’s private-sector law and core federal and provincial privacy principles require organisations to show that the collection and use of such information is necessary, proportionate, and supported by robust security safeguards.

Individuals continue to hold all statutory privacy rights during AI deployment, including rights to access and correct their personal information, request deletion or erasure, and withdraw consent. Quebec further grants a right to obtain an explanation of decisions produced exclusively through automated processing. Several provincial regimes, especially Quebec, offer similar protections for profiling and automated decision-making, including heightened rules for sensitive or high-risk data. Organisations must also meet legislated retention and deletion standards, ensuring that AI models and supporting data pipelines can remove or de-identify personal information when it is no longer needed. Where children’s information may be involved, regulators expect enhanced protections, tighter consent practices, reduced profiling, and stronger safeguards due to the increased sensitivity of minors’ data.

AI-related data-governance duties in Canada’s private sector stem from federal and provincial private-sector privacy laws, including PIPEDA, Alberta’s PIPA, British Columbia’s PIPA, and Québec’s modernised private-sector privacy law. Across these regimes, organisations may need to incorporate privacy-by-design principles into the creation and operation of AI tools. In practice, this requires completing privacy or data-protection impact assessments before deploying AI in ways that could significantly affect individuals. Quebec imposes formal privacy impact assessment obligations for certain projects involving personal information (including the acquisition, development or redesign of information systems or electronic service delivery involving personal information) and for transfers of personal information outside Quebec, and transparency and recourse rules for decisions based exclusively on automated processing.

AI-related service arrangements remain subject to standard control–processor rules. Contracts must limit how a service provider may use personal information, impose confidentiality and security obligations, and set out breach-reporting expectations. While Canadian law permits personal information to be transferred outside the country for AI training or operation, organisations must evaluate the risks associated with the transfer and ensure that the information will receive protection comparable to Canadian standards.

The Canadian Competition Bureau recently conducted a public consultation on Artificial Intelligence and Competition in Canada, highlighting emerging issues and concerns from both domestic and international stakeholders. Several concerns were identified, stemming from the unique characteristics of AI markets, which are marked by higher marginal costs, frequent partnerships, and applicability across diverse sectors. Stakeholders have also raised concerns over new potentially anti-competitive dynamics, such as algorithmic pricing and the amplification of deceptive marketing practices. AI-empowered deceptive practices identified by the Competition Bureau include generating fake reviews, endorsements, impersonations, tailored phishing campaigns, and the use of generative AI and deepfake tools.

The Canadian Centre for Cyber Security has issued guidance on Artificial Intelligence (ITSAP.00.040) and Generative Artificial Intelligence (ITSAP.00.041), outlining the risks they pose and the security measures that can be taken to mitigate these risks.

Canadian cybersecurity law does not impose AI-specific security obligations, but AI systems are subject to the general safeguarding duties found in federal and provincial privacy legislation. Under PIPEDA, Alberta PIPA, BC PIPA, and Quebec’s private sector privacy law, organisations must implement technical, physical, and administrative measures proportionate to the sensitivity of the personal information processed by an AI model. In practice, this means that the unique security risks associated with AI, such as adversarial inputs, model-extraction attempts, data poisoning, unauthorised training-data access, and manipulation of deployed models, must be addressed through built-in controls.

Federal AI policy instruments, including Canada’s emerging national AI-safety initiatives and the Voluntary Code of Conduct for advanced generative AI systems, now explicitly encourage “secure-by-design” approaches along with risk assessments for higher-impact AI systems.

Canadian ESG regulations are increasingly aligning with international standards. In Canada, large financial institutions are required to adhere to mandatory ESG reporting requirements, while other companies have the option to engage in voluntary reporting.

Organisations are integrating AI into their internal operations and, in some cases, as part of their product and service offerings. In such cases, key issues that organisations should keep in mind relate to:

• AI systems development and training;
• data privacy and security risks;
• intellectual property ownership;
• over-reliance or misuse by employees; and
• risks of inherent bias and discrimination.

To address these risks, organisations can consider the following best practices:

• review all inputs and outputs for validity, applicability, accuracy, and bias;
• consider disclosing the fact that generative AI was used in the creation of any content for commercial purposes;
• assess the impact of automated decision-making on the subject population, and ensure the use of automated decision-making is compliant with applicable law in a given setting;
• when engaging the services of AI systems from intermediaries or developers, critically engage with the source of the training data and evaluate any apparent biases which can be expected to colour AI outputs;
• scrutinise commercial agreements for AI services to ensure that they are compliant with relevant privacy laws;
• critically evaluate commercial needs in advance of seeking AI tools; not all AI tools are the same, and the quality of the underlying training datasets, as well as the guardrails and additional training imposed on the AI by the developers are crucial commercial considerations necessary to fit the unique needs of each business;
• be mindful to create an employee AI code of conduct; and
• ensure that disclosures to AI models do not contravene applicable contractual confidentiality and statutory privacy obligations.