Evolving AI Regulation in Canada
Canada was an early mover in artificial intelligence. It became the first country to adopt a national AI strategy in 2017, and in 2019 Canada introduced one of the first binding rules for government use of automated decisions, the Treasury Board Directive on Automated Decision-Making.
A general AI law has proved harder to secure. The country’s most ambitious attempt, the Artificial Intelligence and Data Act (AIDA), introduced as Part 3 of Bill C-27, did not survive the dissolution of parliament before the 2025 federal election. The privacy bill that followed, Bill C-36, was tabled in June 2026 and deliberately omits AI, though it does include positive obligations for the use of automated decision-making systems in certain circumstances. AI is therefore governed through a combination of federal policy, privacy law, provincial statutes, and sector-specific oversight, and businesses must work within all of them.
Federal developments
The federal government has the longest record of regulating its own use of AI. Under the Treasury Board Directive on Automated Decision-Making, departments must complete a mandatory algorithmic impact assessment that scores each system’s risk and attaches matching obligations for transparency, human oversight, and recourse. Separate Treasury Board guidance sets out how institutions may use generative AI responsibly.
For the private sector, the federal approach has so far been voluntary. A 2023 Code of Conduct invites developers of advanced generative AI systems to adopt common measures on safety and accountability until formal regulation arrives. In June 2026 the government also launched a renewed national strategy, AI for All, a signal that AI remains a federal priority even without a dedicated statute.
AIDA itself would have gone much further. Introduced in 2022, it proposed a risk-based framework centred on regulating “high-impact” AI systems, placing obligations on organisations that design and deploy them. Bundled with two privacy statutes in Bill C-27, the AI provisions proved the most contested part of the package, which helps explain why the government later chose to legislate privacy on its own.
Bill C-36 still bears on AI, even though it creates no AI statute. If enacted, it would repeal the private-sector privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and require organisations that use automated systems “to make a prediction, recommendation or decision about the individual that could have a legal or similarly significant effect on them, the organisation must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision”. The bill was first read in June 2026 and remains before parliament. Privacy law remains a key mechanism for AI accountability by the federal government.
Provincial developments
The provinces have not waited for Ottawa. Quebec has gone furthest: under the reforms to its privacy law known as Law 25, its private-sector privacy statute requires an organisation that makes a decision based exclusively on automated processing to inform the individual concerned. On request, the person must be told which personal information was used and the main factors behind the decision, and must be allowed to submit observations to a member of staff able to review it. These rights have applied since September 2023, and the regime is now backed by significant administrative penalties.
Ontario has concentrated on the public sector. Its Bill 194 received Royal Assent in 2024 and enacted the Enhancing Digital Security and Trust Act, 2024, which lets the government set requirements for public-sector use of AI, including accountability frameworks and risk management. Much of the operative detail is left to future regulations that have yet to be published. Alberta’s Protection of Privacy Act, also applicable to public bodies, has provisions governing automated decision-making systems similar to those in Quebec’s Law 25. Other provinces, such as British Columbia, have created dedicated AI portfolios and published guiding principles for their own use of the technology.
Alberta, Saskatchewan and Manitoba have each issued, or are considering issuing, guidance to government public sector or government employees in using generative AI.
Sector-specific oversight
Regulators and standard-setting bodies are also weighing in on AI governance. Several developments matter for businesses operating in Canada:
Looking ahead
The best route ahead appears to be a layered approach, built from federal policy, privacy law, provincial statutes, and sectoral rules. Whether the federal government will revive a dedicated AI law is uncertain, but any new bill is unlikely to mirror the 2022 model. A separate consultation on copyright and AI continues, and public trust remains a recognised barrier to wider adoption. In the meantime, organisations should assume that meaningful obligations already exist; the immediate task is to identify where automated decisions are made about individuals and to be ready to explain and contest them.
Data Governance and Compliance Trends
In Canada, data governance is shifting from policy-based privacy and data compliance to evidence-based accountability. Where businesses were once expected to maintain policies and include key data protection terms in contracts, now, irrespective of what a business does, there is a much weightier expectation from boards, vendors servicing businesses, and customers alike, to demonstrate how personal information is governed across its entire life cycle.
This is particularly crucial as businesses implement analytics tools and processes, and cloud infrastructure, onboard integrated digital platforms, and adopt AI. In this environment, privacy compliance turns on whether the business is able to consistently identify what data it holds, why it is authorised to use it, where it is stored or transferred, who has access to it, whether it remains accurate, and whether it is able to show how decisions about personal information uses are documented and reviewed.
Bill C-36
Bill C-36 aims to modernise the federal private-sector privacy framework by enacting the proposed Protecting Privacy and Consumer Data Act. The bill echoes this evidence-based accountability trend by pointing to a more structured accountability model that requires businesses to maintain a privacy management programme; document their privacy policies, practices, and procedures; and provide those materials to the regulator upon request. It also proposes privacy impact assessment (PIA) requirements for certain higher-risk activities, including transfers or disclosures of personal information outside Canada or when choosing to rely on the proposed legitimate interest exception to consent.
The practical point is that businesses operating in Canada need to show:
These proposed elements indicate that compliance is becoming less about having the right policy on file and more about being able to demonstrate, through both records and repeatable processes, that risks are identified, assessed, managed and revisited as the business, technology, and data uses evolve.
Vendor and cloud governance
A related trend is that vendor and cloud governance are now central to data compliance risks. For most businesses, data flows through cloud providers, like software-as-a-service (SaaS) tools and other outsourced services. Recent breach incidents, including the PowerSchool breach, which affected at least 80 Canadian school boards across seven provinces and one territory, illustrate how a single technology vendor incident can create broad, multi-jurisdictional privacy and governance consequences.
These incidents explain why regulators and customers scrutinise third-party vendors, credential controls, breach response, contractual protections, and understanding of where sensitive info sits in vendor ecosystems. Bill C-36 adds to this trend by signalling heightened expectations regarding the personal information of minors, reinforcing the need for businesses to maintain clear records of data flows, service providers, cross-border transfers, and other related data-handling obligations. Age verification methodologies are expected.
Vendor management remains a core part of privacy, security and accountability. Businesses need to flow through appropriate security and data handling requirements to third and fourth party vendors. In addition, they need to show they understand and document how vendors handle sensitive information, because vendor choices increasingly affect legal compliance, breach exposure, customer trust, and a business’s ability to show control over its data.
AI trends in data governance
AI is also driving a slowly emerging trend towards stronger data governance. This reflects the operational reality that AI systems depend on accurate, reliable, and well-governed data to produce the insights businesses are seeking. As a result, AI governance is being built not only through AI-specific rules, but through existing privacy laws, regulator guidance, procurement requirements, sector expectations, cybersecurity controls, and contracts that address key privacy considerations, including legal authority for use, retention periods, and oversight.
For businesses adopting AI at scale, the key questions are not just about the tool’s legality but also about data use, purpose, authority, safeguards, transparency, and human review. Overall, it is apparent that AI is making data governance harder to avoid. Businesses that cannot explain what data they have, where it came from, how it can be used, and who is accountable for the output will struggle to move AI from experimentation to reliable adoption.
Regulators are also becoming increasingly critical of how AI is developed and used. For example, the federal, British Columbia and Alberta Privacy Commissioners’ Offices jointly found that the development of some of OpenAI’s ChatGPT models contravened PIPEDA and the Personal Information Protection Acts of British Columbia and Alberta, and Quebec’s private-sector Privacy Act. Businesses will need to be increasingly aware of not only their own data practices but stay abreast of the practices of AI developers, to be able to responsibly procure AI tools in a privacy-complaint manner.
Some businesses are pushing ahead with AI pilots despite poor data governance, unclear data ownership, weak retention practices, incomplete inventories, and limited oversight; this helps explain why many pilots are expensive, difficult to scale up, and ultimately unsuccessful.
Other businesses remain stationary: they want to adopt AI, but hesitate to do the unglamorous data-governance work required to make it viable, including mapping and cleaning data, confirming authority for secondary use, reviewing vendor contracts, and assigning accountability for AI-generated outputs.
In practice, businesses that move the fastest will not be the ones that implement the most AI tools, but the ones that recognise that data-governance readiness is the foundation of AI readiness, and invest accordingly.
Cross-Border Data Considerations
Canada’s federal privacy framework was built to be permissive. It does not prohibit transferring personal information outside Canada, a flexibility that has suited businesses well. However, federal and provincial privacy laws, as well as the use of AI, do create requirements and considerations organisations should be aware of. For any organisation moving data into or out of Canada, understanding what requirements they are subject to is a necessity.
The PIPEDA baseline
Under PIPEDA, there is no general restriction on transferring personal information outside Canada. Instead, the law follows a principle of accountability: organisations that collect data remain responsible for it, wherever it travels. In practice, a business must ensure that any foreign service provider offers a comparable level of protection to that offered by PIPEDA, and it must be transparent in letting individuals know that their information may be processed and accessed outside the country.
In practice, the limitation of this is enforcement. The federal privacy regulator has historically been able to investigate and make recommendations, but not to issue binding orders or significant penalties. This has led to the real pressure on cross-border transfers increasingly coming from the provinces rather than from Ottawa.
Provincial requirements
Businesses often assume cross-border rules are a federal matter, but that is not exclusively the case. Quebec, Alberta and British Columbia each have their own private-sector privacy laws which supplant PIPEDA, and Alberta is expected to strengthen its regime in 2026 based on their 2025 review of their privacy laws.
Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25) is one of the most stringent privacy laws in Canada. Law 25 treats a transfer from a Quebec office to one in Ontario in much the same way as a transfer overseas, with obligations applying the moment the data leaves the province. Before transferring personal information out of Quebec, an organisation must carry out a PIA and satisfy itself that the receiving jurisdiction offers equivalent protection. For any company with a Quebec footprint, this has become the practical national standard.
Cross-border data risks
A pressing concern for multinational organisations is who can compel access to the data they have. Storage of data or transferring data to other jurisdictions means potentially being subject to foreign access laws. The US CLOUD Act allows American authorities to require disclosure of data in the possession, custody or control of US-based companies, regardless of where that data physically sits. Information stored in a Canadian data centre may still be at risk of access if the provider is a US-parented cloud or technology firm.
This creates a direct, unresolved tension in Canada. An honest assessment of a US-controlled provider may struggle to conclude that “equivalent protection” exists, because the data remains exposed to foreign legal process that Canadian law cannot override. This may add another legal consideration for vendor selection.
Artificial intelligence as a cross-border data engine
Adopting AI is, almost always, a decision to move data, frequently offshore and under foreign jurisdiction. This is the area businesses most often overlook. The questions that matter most are practical:
Using AI without asking where the data goes, and whose laws govern it, is a compliance problem waiting to happen.
Upcoming changes and considerations
The most significant upcoming change with possible cross-border data implications is the federal government’s Bill C-36, which aims to strengthen privacy requirements in several key areas, namely the disclosure or transfer of personal information outside of Canada. Organisations will be required to carry out PIAs and implement measures to mitigate any risks they identify. This is a step-up from the accountability principle in PIPEDA, which essentially only required ensuring foreign service providers offered a comparable level of protection.
Businesses will need to be diligent about mapping their data flows to determine if personal information is leaving the country, which would trigger their obligation to conduct a PIA.
Bill C-36 significantly increases the consequences of non-compliance with privacy obligations, creating actual penalties for non-compliance. While the international data transfer provisions are excluded from the penalty structure, Bill C-36 still requires organisations to protect personal information, including against privacy risks from transferring personal information to a service provider. This likely includes risks from cross-border data transfer to service providers, and contravention of that provision is within the scope of the penalty-issuing powers.
Practical Implications for Businesses Operating in the Digital Economy
Canada’s regulatory environment for AI and data protection has changed materially in the past 18 months. Businesses operating in the Canadian digital economy face a more demanding compliance posture than at any prior point under PIPEDA, driven by new federal legislation, active privacy enforcement, provincial reform, and tightening constraints on cross-border data flows. Compliance programmes built to the pre-2024 federal standard are already inadequate.
A fragmented jurisdiction requires jurisdiction-specific analysis
The compliance landscape governing AI and personal data in Canada is fragmenting rather than converging towards a single framework. Businesses will need to comply with different privacy regimes offering different rights and imposing different obligations.
At the federal level, Bill C-36 proposes the Protecting Privacy and Consumer Data Act (PPCDA) to replace PIPEDA. The proposed legislation recognises privacy as a fundamental right, shifts the default to express consent, conditions any legitimate interest exception on a documented PIA, introduces a private right of action, and introduces rights to deletion and explanation of automated decisions. Enforcement would pass to a new Digital Safety and Data Protection Commission of Canada, with penalties up to CAD25 million or 5% of global revenues.
Quebec’s Law 25, already in force since September 2024, applies to any organisation collecting or using the personal information of Quebec residents regardless of where the organisation is incorporated. It requires documented PIAs before deploying any technology involving personal information, designation of a person responsible for personal information protection, and a privacy-by-default governance framework, with penalties reaching the greater of CAD25 million or 4% of worldwide revenues.
Alberta, British Columbia and Ontario are each conducting parallel statutory reviews. Until those processes are resolved, national-level generalisations are an unreliable basis for compliance planning.
Existing law already governs AI
Previous assumptions that AI governance obligations would crystallise only upon passage of dedicated AI legislation have been discredited by privacy regulators seeking to enforce existing privacy regimes. The joint Office of the Privacy Commissioner of Canada (OPC) investigation into OpenAI’s ChatGPT, (findings published 6 May 2026), concluded that ChatGPT’s initial training violated Canadian privacy law through over-collection, invalid consent, and inadequate individual redress. The volume of OPC complaints doubled year-on-year to 3,044 filings, and breach reports affected more than 20 million Canadians in the same period. The federal Voluntary Code of Conduct on Responsible Generative AI, though not yet enforceable, is being used by the OPC as a reference standard in complaint proceedings.
PIAs, data minimisation analyses, valid consent architecture, human oversight protocols, and processor agreements governing AI tools are being treated as already required under existing law. The OPC has designated AI governance a priority enforcement area, and the PPCDA’s forthcoming mandatory privacy management programme will codify obligations that well-governed organisations are already meeting.
Cloud procurement carries legal exposure
The most structurally difficult compliance problem arises from the interaction between Canadian privacy law and the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which authorises US federal law enforcement to compel American cloud providers to disclose customer data regardless of where it is stored (subject to the signing of a bilateral treaty, which has been under negotiation for some time). A Canadian data residency contractual term will not constitute a legal barrier to a valid CLOUD Act order. The Upper Harbour Canadian Technology Sovereignty Index 2026 found that 80% of tools offering Canadian data residency remain CLOUD Act-exposed because their parent entities are US-incorporated; a growing number of Canadian organisations are therefore actively migrating away from US cloud providers.
Quebec’s transfer impact assessment requirement has applied since September 2023, and Bill C-36 would introduce an equivalent federal obligation. Survey evidence suggests most organisations subject to the Quebec requirement have yet to complete even their first assessment. Canada’s EU adequacy status, re-confirmed in January 2024, is contingent on maintaining protections broadly equivalent to the GDPR; a prolonged gap between PIPEDA and the PPCDA’s coming into force could invite review with material consequences for transatlantic data flows.
Practical priorities
Three steps are recommended under both current and anticipated law. An inventory of AI systems in deployment, classified by risk and jurisdictional exposure, is the necessary first step and prerequisite for the impact assessments Law 25 already requires. Transfer impact assessments for personal information disclosed to US-parented service providers should be completed immediately; the analysis will support the cross-border documentation the PPCDA will require federally. CLOUD Act response protocols should be incorporated into vendor due diligence and master service agreements, addressing what data would be produced, under what process, and with what notice to affected individuals and regulators.
The PPCDA’s proposed privacy management programme and documentation requirements for automated decisions are the most reliable design template for governance frameworks being built today. Organisations that align their programmes to the proposed federal standard will satisfy current OPC enforcement expectations and be better positioned when the new legislation comes into force.