Canadian AI Regulations 2026: AIDA Is Dead, But Your Compliance Obligations Are Not

Canada's Artificial Intelligence and Data Act (AIDA) was supposed to make Canada one of the first countries with dedicated AI legislation. Instead, it died on the order paper in January 2025 when Parliament prorogued following PM Trudeau's resignation. No replacement has passed since. But that does not mean AI is unregulated in Canada. PIPEDA, Quebec Law 25, sector-specific rules, and human rights legislation already govern how businesses can deploy AI. Here is what Canadian companies actually need to know in 2026.

What Happened to Bill C-27 and AIDA?

Bill C-27, the Digital Charter Implementation Act, was an omnibus bill with three parts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). AIDA was Canada's proposed framework for regulating high-impact AI systems.

The bill had a rocky legislative journey from the start. Introduced in June 2022, it faced criticism from privacy advocates who said AIDA was too weak, from industry groups who said it was too vague, and from AI researchers who said it failed to address the real risks of AI systems. The Senate had not yet begun reviewing the bill when events overtook it.

Here is the timeline of how Canada's AI legislation collapsed:

• June 2022: Bill C-27 introduced in the House of Commons, including AIDA as Part 3.
• 2023-2024: Lengthy committee study. Significant amendments proposed. Criticism from all sides about AIDA's scope and enforceability.
• Late 2024: Bill C-27 passed second reading in the House but had not completed committee stage.
• January 6, 2025: PM Trudeau announces resignation. Parliament prorogued.
• January 2025: Bill C-27, including AIDA, dies on the order paper. All legislative progress is lost.
• June 2025: Minister Evan Solomon states AIDA "as drafted is off the table" and any replacement would be "light, tight, and right."
• April 2026: No replacement AI legislation has been introduced.

The death of AIDA left Canada without dedicated AI legislation at a time when the EU AI Act is being enforced, the UK has its AI Safety Institute, and the US has issued executive orders on AI governance. Canada went from being an early mover to having no AI-specific law at all.

What Actually Regulates AI in Canada Right Now?

The absence of an AI-specific law does not mean AI operates in a legal vacuum. Several existing federal and provincial laws apply directly to how businesses develop and deploy AI systems. Understanding this patchwork is essential for compliance.

PIPEDA (Federal Privacy Law)

The Personal Information Protection and Electronic Documents Act applies to any private-sector organization that collects, uses, or discloses personal information in the course of commercial activity. Since most AI systems process personal data in some form, PIPEDA is the baseline federal regulation for AI in Canada.

PIPEDA requires meaningful consent for data collection and use, which directly affects AI training data and input data. It mandates data minimization (collect only what is necessary), purpose limitation (use data only for the purpose it was collected), and the right of individuals to access their personal information. For AI systems, this means you need to know what personal data your AI processes, where it came from, and whether you have adequate consent for that use. For a deeper look at how PIPEDA applies to AI deployments, see our PIPEDA-compliant AI guide.

The Office of the Privacy Commissioner (OPC) has published guidance specifically on AI and privacy, recommending privacy impact assessments, algorithmic impact assessments, and transparency about automated decision-making. While these are recommendations rather than legal requirements, the OPC uses them as benchmarks during investigations and enforcement actions.

Quebec Law 25 (Strongest Provincial AI Rules)

Quebec's Law 25 is the most comprehensive privacy law in Canada and the closest thing the country has to AI-specific regulation. Full enforcement began in September 2024, and it applies to any organization that processes personal information of Quebec residents, regardless of where the organization is based.

Law 25 goes significantly further than PIPEDA on AI-related requirements:

• Mandatory privacy impact assessments (PIAs): Required before deploying any system that processes personal information, including AI tools. Not optional, not recommended, legally required.
• Privacy officer appointment: Every organization must designate a person responsible for privacy compliance. Their contact information must be published on the organization's website.
• 30-day breach notification: Confidentiality incidents must be reported to the Commission d'acces a l'information within 30 days, with notification to affected individuals.
• Automated decision transparency: Organizations must inform individuals when a decision about them is made by an automated system, including AI. Individuals have the right to know the personal information used in the decision and the reasons behind it.
• Right to human review: Individuals can request that an automated decision be reviewed by a human. Organizations must provide a mechanism for this.

For businesses operating across Canada, Quebec Law 25 effectively sets the compliance standard. If you comply with Law 25, you will likely exceed the requirements of PIPEDA and other provincial laws.

BC PIPA and Alberta PIPA

British Columbia and Alberta each have their own Personal Information Protection Acts (PIPA) that apply to private-sector organizations in those provinces. Both are considered substantially similar to PIPEDA, meaning organizations subject to BC or Alberta PIPA are generally exempt from PIPEDA for intra-provincial activities.

Neither BC PIPA nor Alberta PIPA has AI-specific provisions comparable to Quebec Law 25. However, their consent, purpose limitation, and data minimization requirements still apply to AI deployments. BC's law was updated in 2023 to strengthen breach notification requirements, and Alberta's PIPA includes provisions about automated collection and use that can apply to AI systems.

OSFI Guidelines (Financial Sector)

The Office of the Superintendent of Financial Institutions (OSFI) regulates banks, insurance companies, and federally regulated financial institutions. OSFI has issued guidance on the use of AI and machine learning in financial services, including expectations for model risk management, explainability, and governance.

Financial institutions using AI for credit decisions, fraud detection, risk assessment, or customer interactions must demonstrate that their models are validated, monitored for drift, and subject to human oversight. OSFI's Guideline E-23 on Model Risk Management is particularly relevant, setting expectations for model development, validation, and ongoing monitoring that apply directly to AI and ML models.

Health Sector Rules

Healthcare AI is regulated primarily at the provincial level. Ontario's Personal Health Information Protection Act (PHIPA) governs the collection, use, and disclosure of personal health information and applies to AI systems used in healthcare settings. Similar legislation exists in other provinces. Health Canada also regulates AI-powered medical devices through its medical device framework, requiring pre-market review for AI systems that make or support clinical decisions.

Employment and HR: Human Rights Laws on AI-Biased Hiring

One of the most overlooked areas of AI regulation in Canada is employment law. Federal and provincial human rights legislation prohibits discrimination in hiring and employment on protected grounds (race, gender, disability, age, etc.). This applies regardless of whether the discrimination is caused by a human or an AI system.

If your AI-powered resume screening tool, interview scoring system, or performance evaluation model produces biased outcomes against a protected group, your organization is liable. The Canadian Human Rights Act (federal) and provincial human rights codes do not distinguish between human bias and algorithmic bias. Companies using AI in hiring, promotion, or termination decisions should audit their systems for discriminatory outcomes and maintain documentation showing they have tested for and mitigated bias.

What Was AIDA Going to Require?

Understanding what AIDA proposed is useful context for anticipating what future legislation might include. AIDA would have introduced a risk-based framework for AI regulation with the following key requirements:

• High-impact AI system classification: Systems with significant effects on individuals' health, safety, or rights would have been subject to enhanced obligations.
• Mandatory risk assessments: Organizations deploying high-impact AI would have been required to assess and mitigate risks before deployment.
• Transparency obligations: Public disclosure requirements for high-impact AI systems, including how they work and what data they use.
• Algorithmic bias monitoring: Ongoing requirements to test for and address biased outcomes in AI systems.
• Record-keeping: Detailed documentation requirements for the design, development, and deployment of AI systems.
• Criminal prohibitions: Penalties for reckless or knowing deployment of AI systems that cause serious harm, including potential imprisonment.

Critics argued AIDA was simultaneously too broad (capturing low-risk AI uses) and too vague (leaving key definitions to future regulations). The criminal provisions were particularly controversial, with industry groups arguing they would chill AI innovation in Canada. These criticisms will likely shape whatever replaces AIDA, which is why Minister Solomon's "light, tight, and right" framing signals a narrower, more targeted approach.

What Is Coming Next?

While there is no confirmed timeline for new AI legislation, several signals indicate the direction Canada is heading:

A lighter federal framework. Minister Solomon's "light, tight, and right" language suggests the government will pursue a less prescriptive approach than AIDA. This likely means focusing on truly high-risk AI applications (healthcare, financial services, criminal justice) rather than attempting to regulate all AI uses. Parts of AIDA may survive in a slimmed-down form, but the broad regulatory apparatus AIDA envisioned is unlikely to return.

EU AI Act influence. The EU AI Act, which began enforcement in 2024, uses a tiered risk-based approach: unacceptable risk (banned), high risk (heavy regulation), limited risk (transparency obligations), and minimal risk (largely unregulated). This framework is influencing AI regulation globally, and Canada is likely to adopt a similar risk-tiering approach rather than inventing a completely different model.

Potential Canada-US alignment. Given the deep economic integration between Canada and the United States, there is pressure to align AI governance frameworks. The US has taken a sector-specific, executive-order-driven approach rather than passing comprehensive AI legislation. Canada may end up with a hybrid: a light federal framework combined with sector-specific rules that align with US approaches in areas like financial services and healthcare.

Provincial leadership continuing. Quebec has already demonstrated that provinces can move faster than the federal government on AI-adjacent regulation. Other provinces may follow Quebec's lead, creating a patchwork of provincial rules that businesses must navigate. This is the most likely near-term development and the strongest reason to build compliance programs now rather than waiting for federal action.

Compliance Checklist for Canadian Businesses Using AI

Regardless of what future legislation looks like, the following checklist covers your compliance obligations under existing law and positions your organization for whatever comes next. For additional guidance on data residency requirements, see our AI data residency guide for Canada.

1. Inventory your AI systems. Document every AI tool and system your organization uses, what data it processes, and what decisions it influences. You cannot comply with regulations you do not know apply to you.
2. Conduct privacy impact assessments. Mandatory in Quebec, strongly recommended everywhere else. Assess the privacy risks of each AI system before deployment, not after.
3. Map your data flows. Know where your AI training data comes from, where it is processed, and where it is stored. This is critical for PIPEDA consent requirements and for data residency compliance.
4. Review consent mechanisms. Ensure you have meaningful consent for using personal data in AI systems. "Buried in the terms of service" does not meet PIPEDA's meaningful consent standard.
5. Implement automated decision transparency. If AI makes or influences decisions about individuals, have a process to inform them. Required in Quebec, best practice everywhere.
6. Provide human review mechanisms. Ensure individuals can request human review of AI-driven decisions. Required in Quebec, likely to be required federally in any future legislation.
7. Audit for bias. Test AI systems used in hiring, lending, insurance, and other consequential decisions for discriminatory outcomes against protected groups. Human rights liability exists now.
8. Establish breach response procedures. Know what to do if an AI system exposes personal data. Quebec requires 30-day notification. Have a plan before you need it.
9. Appoint a privacy officer. Required in Quebec. Practically essential everywhere for coordinating AI compliance across the organization.
10. Document everything. Keep records of your AI impact assessments, bias audits, consent processes, and compliance decisions. When regulators come asking, documentation is your best defense.

Industry-Specific AI Compliance Requirements

Different industries face different regulatory obligations when deploying AI. Here is a summary of key sector-specific requirements. For more on how AIDA would have affected your industry, see our AIDA compliance guide.

Frequently Asked Questions

Related Reading

• AIDA and AI Compliance in Canada: What Was Proposed and What It Means Now
• How to Deploy PIPEDA-Compliant AI in Canada
• AI Data Residency in Canada: Where Your Data Lives Matters