Canada's AI Laws: What AIDA and Bill C-27 Mean for Your Business

Canada's approach to AI regulation combines existing privacy law with proposed AI-specific legislation. For businesses operating in Canada, this creates a dual compliance landscape: obligations that exist right now under PIPEDA and the Personal Information Protection and Electronic Documents Act, and future obligations under the Artificial Intelligence and Data Act that organizations should prepare for even before enactment.

This guide covers both the current legal requirements and the proposed AIDA framework, including what high-impact AI means, what organizations must do, penalty structures, and a practical checklist for preparation.

What It Requires

Current Requirements Under PIPEDA

PIPEDA applies right now to any organization collecting, using, or disclosing personal information in the course of commercial activity using AI. Key requirements include:

Consent and transparency. Organizations must obtain meaningful consent before using personal information in AI systems. This means explaining in clear language what data the AI processes, how it processes it, and what decisions or outputs it produces. Generic privacy policies that do not mention AI processing are insufficient. The Office of the Privacy Commissioner (OPC) has issued guidance stating that consent for AI processing must be specific enough that individuals understand how AI affects decisions about them.

Purpose limitation. Personal information collected for one purpose cannot be repurposed for AI training or inference without additional consent. An organization that collected email addresses for service communications cannot feed them into an AI system for marketing predictions without obtaining new consent for that specific purpose.

Accuracy. PIPEDA Principle 6 requires that personal information be as accurate, complete, and up-to-date as necessary for its purposes. When AI systems make decisions based on personal data, organizations must ensure the underlying data is accurate and that AI outputs about individuals are verifiable.

Individual access rights. Under PIPEDA, individuals have the right to access their personal information and challenge its accuracy. When AI processes personal data, organizations must be able to explain what data was used, how the AI processed it, and provide mechanisms for correction.

Proposed Requirements Under AIDA

AIDA, as Part 3 of Bill C-27 (the Digital Charter Implementation Act), proposes a comprehensive framework specifically targeting high-impact AI systems. The key proposed requirements include:

High-impact AI classification. AIDA would require the government to define high-impact AI systems through regulations. Based on the companion document published alongside Bill C-27, high-impact AI is expected to include systems used for decisions about employment, access to services, prioritization of emergency services, content moderation at scale, biometric identification, and health-related decision-making.

Mandatory impact assessments. Organizations responsible for high-impact AI must assess and document the risks of harm or biased output. These assessments must be conducted before deployment and updated regularly throughout the system's lifecycle.

Risk mitigation measures. Based on impact assessment results, organizations must establish measures to mitigate identified risks. These measures must be proportionate to the severity and probability of potential harms.

Monitoring and incident reporting. Organizations must monitor high-impact AI systems for compliance with mitigation measures and report material harm or risk of material harm to the AI and Data Commissioner.

Transparency obligations. Organizations must publish plain-language descriptions of high-impact AI systems, including their intended purpose, the types of decisions they influence, and the mitigation measures in place. Individuals affected by high-impact AI decisions must be notified that AI was used.

Record keeping. Detailed records of impact assessments, mitigation measures, monitoring activities, and incidents must be maintained and made available to the AI and Data Commissioner upon request.

Key Dates

Penalties

AIDA proposes a tiered penalty structure that distinguishes between administrative violations and criminal offenses, making it one of the more aggressive penalty frameworks globally for AI regulation.

Administrative monetary penalties (AMPs): The AI and Data Commissioner would have the power to impose administrative penalties of up to 10 million Canadian dollars or 3% of the organization's gross global revenue in the preceding financial year, whichever is greater. AMPs apply to violations such as failing to conduct impact assessments, failing to implement mitigation measures, failing to maintain required records, or failing to publish transparency information.

Criminal offenses for serious harm: AIDA proposes criminal penalties for organizations that knowingly or recklessly deploy AI systems that cause serious physical or psychological harm. Criminal penalties include fines of up to 25 million Canadian dollars or 5% of gross global revenue, whichever is greater. For individuals, criminal conviction could result in imprisonment.

Criminal offenses for fraud and deception: Using AI systems to make decisions about individuals with the intent to defraud or cause economic loss would constitute a criminal offense with the same penalty maximums of 25 million Canadian dollars or 5% of global revenue.

Current PIPEDA penalties: Under existing law, the OPC can refer matters to the Federal Court, which can award damages. Bill C-27's Part 1 (the Consumer Privacy Protection Act) would replace PIPEDA and introduce administrative penalties of up to 25 million Canadian dollars or 5% of gross global revenue for privacy violations, which would include AI-related privacy breaches.

How PolicyGuard Helps

Canada's dual regulatory landscape requires organizations to maintain compliance with existing privacy law while preparing for AIDA's AI-specific requirements. PolicyGuard simplifies this by providing a unified compliance platform that addresses both regimes simultaneously.

PolicyGuard's AI inventory automatically classifies your systems against proposed AIDA high-impact criteria, giving you early visibility into which systems will require impact assessments and enhanced monitoring. The platform's impact assessment templates follow the framework outlined in AIDA's companion document, so assessments completed now will align with final requirements when the law takes effect. For current PIPEDA compliance, PolicyGuard generates consent audit reports showing how personal data flows through each AI system and whether consent coverage is adequate. The monitoring capabilities track AI system behavior against mitigation measures and generate incident reports in the format regulators expect. See our AI governance guide for the foundational governance framework, and our 2026 regulatory compliance overview for how Canada's approach compares globally. Organizations also subject to UK requirements should review our UK AI regulation guide for cross-jurisdictional planning.

FAQ

Is AIDA currently in effect?

No. As of early 2026, AIDA (Part 3 of Bill C-27) has not been enacted. The bill continues through the Parliamentary process. However, PIPEDA is in full effect and applies to AI processing of personal information for commercial purposes. Organizations should comply with PIPEDA now and prepare for AIDA's additional requirements given that the proposed obligations align with global regulatory trends and are likely to become law in some form.

What qualifies as high-impact AI under AIDA?

The specific definition will be established through regulations after AIDA is enacted. The companion document published in April 2023 indicates that high-impact AI systems are those used for decisions about individuals in areas such as employment, access to financial services, prioritization of emergency services, content moderation at scale, biometric identification and inference, healthcare, and administration of justice. The government has indicated it will consult with industry before finalizing these definitions.

Does AIDA apply to organizations outside Canada?

AIDA would apply to organizations that make high-impact AI systems available for use in Canada, regardless of where the organization is headquartered. If your AI system processes data about Canadian residents or is used to make decisions affecting people in Canada, AIDA would likely apply. PIPEDA already applies to commercial AI processing of Canadians' personal information by organizations with a real and substantial connection to Canada.

How do AIDA and the EU AI Act compare?

Both frameworks target high-risk or high-impact AI with requirements for impact assessments, transparency, and monitoring. Key differences include the EU AI Act's detailed risk classification system with four tiers versus AIDA's binary high-impact/other distinction, the EU's explicit prohibited practices list versus AIDA's broader harm-based approach, and AIDA's unique criminal penalty provisions for AI that causes serious harm. Organizations subject to both should build compliance programs that satisfy the more detailed EU requirements, which will generally meet AIDA's requirements as well.

What should organizations do right now to prepare?

Focus on three immediate actions. First, ensure full PIPEDA compliance for all AI processing, because these obligations exist today and will carry forward under the new privacy law. Second, inventory your AI systems and identify those that would likely qualify as high-impact under AIDA's proposed criteria. Third, begin conducting voluntary impact assessments for your highest-risk AI systems using the AIDA companion document as a guide. These assessments are valuable for risk management regardless of AIDA's timeline and will give you a head start when the law takes effect.