AI Governance in Canada: OPC, Bill C-27, and the Proposed AIDA Regulation

This article describes the Canadian AI governance landscape with particular attention to distinguishing what is currently in force from what is proposed legislation. The status of Bill C-27 should be verified directly from Canadian Parliament sources, as legislative timelines can change. This article does not provide legal advice; Canadian-qualified counsel should be consulted for compliance obligations in the Canadian context. The OPC is the authoritative source for current PIPEDA obligations: priv.gc.ca.

Current Framework: PIPEDA and OPC Oversight

PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's current federal private sector privacy law. It applies to organisations that collect, use, or disclose personal information in the course of commercial activity. For AI, PIPEDA's core principles apply to any AI system that processes personal information about Canadian individuals:

• Consent: Individuals must consent to the collection, use, and disclosure of their personal information, with limited exceptions. AI training on personal data requires a basis for collection and use under PIPEDA's consent framework.
• Purpose limitation: Personal information can only be used for the purposes for which it was collected. Using customer data to train AI models may require additional consent if the AI training purpose was not disclosed at collection.
• Safeguards: Organisations must protect personal information with security appropriate to its sensitivity. This applies to how personal data is stored and processed by AI systems.
• Openness and access: Individuals have the right to know about an organisation's information practices and to access their own personal information.

The OPC enforces PIPEDA and has published guidance specifically on AI and privacy: priv.gc.ca.

The Office of the Privacy Commissioner (OPC)

The OPC is Canada's federal privacy regulator. For AI, the OPC applies PIPEDA and has been an active participant in developing Canada's AI governance approach. The OPC has:

• Published guidance on AI and privacy, including specific guidance on automated decision-making systems
• Collaborated with provincial privacy commissioners on joint guidance for AI systems
• Investigated AI-related privacy complaints under PIPEDA
• Provided recommendations to Parliament on privacy reform and AI regulation

The OPC's AI and technology guidance is available at: priv.gc.ca. Provincial equivalents (such as the Information and Privacy Commissioner of Ontario and BC's OIPC) have also published AI-relevant guidance within their jurisdictions.

Bill C-27 and the Proposed Reforms

Bill C-27 (Digital Charter Implementation Act 2022) proposes three components:

• Part 1. Consumer Privacy Protection Act (CPPA): A new federal private sector privacy law to replace PIPEDA. The CPPA would maintain PIPEDA's core principles while adding: stronger consent requirements, expanded individual rights (including a right of erasure and data portability), higher penalties for violations, and a new Privacy Tribunal to hear appeals of OPC decisions.
• Part 2. Personal Information and Data Protection Tribunal Act: Establishes the new Privacy Tribunal referenced above.
• Part 3. Artificial Intelligence and Data Act (AIDA): Canada's first proposed AI-specific legislation. AIDA would create requirements for organisations that develop or use high-impact AI systems in commerce. Key elements of AIDA as proposed include: obligations for high-impact AI systems (anonymisation of training data, assessments of risks to human rights, mitigation measures), requirements for human oversight of high-impact AI, a prohibition on certain AI systems that create serious harm, and notification requirements to the minister for systems that pose serious harm.

The combination of privacy reform and AI regulation in a single bill reflects Canada's approach of integrating AI governance into its broader data protection framework, rather than creating entirely separate regulatory regimes.

Key Canadian Bodies for AI Governance

ISED (Innovation, Science and Economic Development Canada): The federal ministry leading AI policy, including development of the National AI Strategy, coordination of the Pan-Canadian AI Strategy (which funds AI research through CIFAR and the three national AI institutes: Mila, Vector Institute, Amii), and oversight of AIDA implementation if enacted. ISED: ic.gc.ca.

NRC (National Research Council): Oversees AI standards development and contributes to international AI standards through ISO and CEN/CENELEC engagement. Canada participates actively in international AI standards bodies.

Treasury Board Secretariat: Has issued the Government of Canada Directive on Automated Decision-Making, which applies to federal government AI systems. This is not private sector legislation but establishes the framework for how federal departments deploy AI. The directive requires impact assessments, human review mechanisms, and notification for government AI systems at defined risk levels.

What This Means for Businesses Using AI in Canada

For businesses operating in Canada or processing personal information about Canadian individuals, the current practical AI governance questions are:

• PIPEDA applies now: Privacy obligations under PIPEDA cover any AI system that processes personal information about Canadians in a commercial context. The OPC's AI guidance clarifies how PIPEDA principles apply to AI systems, including automated decision-making.
• Automated decision-making transparency: The OPC has indicated that organisations using AI to make significant automated decisions should disclose this to affected individuals and provide meaningful explanation. This is guidance under current PIPEDA obligations, not yet a statutory right (AIDA, if enacted, would formalise this further).
• Monitor Bill C-27 status: If AIDA is enacted, businesses using AI in commercial settings in Canada will face new high-impact AI system obligations. Monitoring the bill's progress allows for advance preparation. Current status: parl.ca.
• Quebec Law 25: Quebec has enacted its own provincial privacy reform (Law 25 / Bill 64, which came into force in phases from 2022 to 2023). Quebec's framework includes specific provisions on automated decision-making that are already in force. Businesses operating in Quebec should verify their current obligations under Law 25.

Australian Businesses and Canadian AI Obligations

Australian businesses handling personal information about Canadian individuals face PIPEDA obligations in addition to Australian Privacy Act requirements. Both frameworks apply cross-border disclosure obligations when personal data is transferred to third-party services, including AI tools. For Australian businesses, the domestic framework is the starting point: AI and the Privacy Act in Australia. For a practical guide to what happens when Australian customer data enters major AI tools: What Happens to Your Customer Data in ChatGPT.

What is PIPEDA and how does it apply to AI?

PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private sector privacy law. It applies to organisations that collect, use, or disclose personal information in the course of commercial activity. For AI systems, PIPEDA's principles apply to the collection of training data, the use of personal information in AI processing, and any disclosure of personal information through AI outputs. The OPC has published specific guidance on how PIPEDA applies to AI: priv.gc.ca/en/privacy-topics/technology/artificial-intelligence/.

What is AIDA and when does it apply?

AIDA (Artificial Intelligence and Data Act) is the proposed AI-specific legislation included as Part 3 of Bill C-27 (Digital Charter Implementation Act 2022). If enacted, AIDA would create obligations for organisations that develop or deploy high-impact AI systems in commercial contexts in Canada. As at June 2026, AIDA is proposed legislation, not yet in force. The current legislative status of Bill C-27 should be verified at parl.ca. AIDA obligations do not apply until the bill is passed and the relevant provisions come into force.

Does Quebec have separate AI governance rules?

Yes. Quebec enacted Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, also known as Bill 64), which came into force in phases from September 2022 to September 2023. Law 25 includes privacy requirements that go beyond PIPEDA in certain respects, including specific provisions on automated decision-making: organisations must inform individuals when a decision is based exclusively on automated processing, and must allow individuals to request human review. Businesses operating in Quebec should assess their obligations under Law 25 in addition to PIPEDA.

How does Canada's AI governance approach compare to the EU?

Canada's proposed AIDA shares some structural similarities with the EU AI Act, including a focus on high-impact or high-risk AI systems and requirements for risk assessment and human oversight. However, the EU AI Act is already in force with detailed technical requirements and a registration system for high-risk AI systems, while AIDA is still proposed legislation as at June 2026. The EU AI Act is also horizontal legislation with broad application, while AIDA focuses specifically on high-impact AI systems in commerce. The EU framework is more prescriptive and further advanced in implementation.

What is the Government of Canada Directive on Automated Decision-Making?

The Government of Canada Directive on Automated Decision-Making applies to federal government departments and agencies using AI systems to make or support administrative decisions. It requires impact assessments before deployment, appropriate human oversight mechanisms (including human review for high-risk decisions), and notification to affected individuals. This directive applies to the federal public service, not to private sector organisations. It is nonetheless a useful reference for how the Canadian government approaches AI risk assessment in practice.