Bill C-27 Archives - IPOsgoode /osgoode/iposgoode/tag/bill-c-27/ An Authoritive Leader in IP Fri, 12 Aug 2022 16:00:00 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 Artificial Intelligence and Data Act (AIDA) signals more AI regulation to come /osgoode/iposgoode/2022/08/12/artificial-intelligence-and-data-act-aida-signals-more-ai-regulation-to-come/ Fri, 12 Aug 2022 16:00:00 +0000 https://www.iposgoode.ca/?p=39900 The post Artificial Intelligence and Data Act (AIDA) signals more AI regulation to come appeared first on IPOsgoode.

]]>

Aaron Dishy is an IPilogue Writer and a 3L JD Candidate at Osgoode Hall Law School.


The proposed Artificial Intelligence and Data Act (AIDA) would introduce greater regulation of the use and development of artificial intelligence (AI) in Canada’s private sector. On June 15th, 2022, the Minister of Innovation, Science and Industry, François-Phillippe Champagne introduced Bill C-27, or the . Bill C-27 reiterates much of , tabled in 2020, reintroducing a modified Consumer Privacy Protection Act (CPPA) and Personal Information and Data Protection Tribunal Act (PIDPTA). However, Bill C-27 also introduced newly proposed legislation like AIDA which, if enacted, would make long advocated-for changes to Canada’s AI regulatory landscape.

AIDA would create new assessment and risk-mitigation tools for the use and transparency of high-impact AI systems. It would establish persons responsible for monitoring AI systems, such as the Artificial Intelligence and Data Commissioner — their role is to assist the Minister in the administration and enforcement of AIDA. Monetary penalties for the AIDA contraventions are also set out to enforce trust and deter the reckless and fraudulent uses of AI. In this way, Bill C-27 and AIDA would direct Canada towards harmonization with international regulatory frameworks, like that of the .

With that being said, AIDA would be more limited in scope when compared to its EU counterpart. For example, unlike EU legislation, AIDA would not apply to both public and private sectors, and all federal government institutions would be exempt.[1] Further, EU legislation sets out specific prohibited AI practices, alongside criteria for determining the degree of risk presented by any AI system. AIDA establishes no specific prohibited AI practices and distinguishes only between high-risk AI and all other systems; complex and salient matters are left to incoming regulation.

Beyond its limited scope, AIDA may be uncertain in its delineation of provincial and federal responsibilities. For example, AIDA’s consideration of “regulated activity,” would capture many elements of AI development and use, including “designing, developing or making available for use an artificial intelligence system or managing its operations.”[2] This language indicates the legislation is pursuant to Parliament's trade and commerce power under section of the Constitution Act, 1867. However, the federal government may also intend provinces to legislate on intraprovincial uses of AI, notwithstanding the rarity of circumstances under which such AI systems would be developed.

Lastly, attention is required of the breadth of persons AIDA considers “responsible” for an AI system in the course of trade.[3] It holds designers, developers and managers of AI systems subject to AIDA’s administrative and operational requirements. If those parties are expected to monitor or conduct audits of consumer deployment of AI systems, assessments must be made of risk potentials and mitigation from both perspectives. Additional regulation may be required in the full consideration of such perspectives.  

AIDA remains proposed legislation and may be modified prior to implementation. However, it represents a much larger move by international legal bodies to regulate the development and use of AI. Businesses must be prepared for greater AI regulation in Canada. Thankfully, informative and responsive policy for the consideration of AI systems is also being developed, such as a by the Law Commission of Ontario. If correctly applied, AIDA should empower more Canadians to engage with trustworthy and transparent AI systems.


[1] This may be extended to exclude provincial departments or agencies by regulation as set out in s.3 of AIDA.

[2] See s.5(1) of AIDA.

[3] Ibid at s.5(2).

The post Artificial Intelligence and Data Act (AIDA) signals more AI regulation to come appeared first on IPOsgoode.

]]>
Bill C-27: Canada Introduced Its First Legislation on the Development and Use of Artificial Intelligence in the Private Sector /osgoode/iposgoode/2022/08/11/bill-c-27-canada-introduced-its-first-legislation-on-the-development-and-use-of-artificial-intelligence-in-the-private-sector/ Thu, 11 Aug 2022 16:00:00 +0000 https://www.iposgoode.ca/?p=39902 The post Bill C-27: Canada Introduced Its First Legislation on the Development and Use of Artificial Intelligence in the Private Sector appeared first on IPOsgoode.

]]>

HeadshotTianchu Gao is an IPilogue Writer and a 1L JD Candidate at Osgoode Hall Law School.


On June 16, 2022, the Canadian government tabled “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.” The Bill aims to strengthen the privacy framework for the private sector in Canada through the enactment of three pieces of legislation—the Digital Charter Implementation Act (DICA), the Consumer Privacy Protection Act (CPPA), and the Artificial Intelligence and Data Act (AIDA).

Bill C-27 is the successor to the , the Digital Charter Implementation Act, which was introduced in November 2020. Unfortunately, it got at the Second Reading stage despite strong support from the business community. Bill C-27 is largely a re-working of Bill C-11, as a significant portion of the Digital Charter Implementation Act (DICA) and the Consumer Privacy Protection Act (CPPA) remains intact. A detailed comparison between the two bills can be found .

An entirely new section of Bill C-27 is the Artificial Intelligence and Data Act (AIDA). This section aims to regulate the development and use of artificial intelligence systems in the private sector. If AIDA is enacted, Canada would be the only jurisdiction, besides the , to draft legislation that directly addresses the regulation of AI.  

AIDA is very broad in scope, with respect to both the definition of AI and the range of people obliged to abide by the Act. It does not set out specific prohibited practices and seems to contemplate a distinction only between high-risk systems and all other AI systems. Compared to EU’s 2021 proposal for Artificial Intelligence Act, AIDA is “considerably less elaborate” and “proposes to leave many salient matters to regulation,” according to cybersecurity professionals at .

The legislative purposes of AIDA are, per s. 39.4:

(a) to regulate international and interprovincial trade and commerce in artificial intelligence systems by establishing common requirements, applicable across Canada, for the design, development and use of those systems; and

(b) to prohibit certain conduct in relation to artificial intelligence systems that may result in serious harm to individuals or harm to their interests.

AIDA aims to protect people from any potential harm brought by biased AI output, which is the output of AI systems that differentiate people based on prohibited grounds of discrimination.

AI systems identified as “high-impact” will undergo mitigation measures and ongoing monitoring for compliance. Despite the preliminary guidance from the federal , it is largely the persons responsible for an AI system—including designers, developers, providers, and managers—who are responsible for these assessments and measures. There will also be higher transparency in both the intended and actual use for high-impact AI systems. Any material harm should be reported to the Minister of Innovation, Science and Industry. Under this act, an Artificial Intelligence and Data Commissioner will assist the Minister in monitoring company compliance.

Bill C-27, if passed, is sure to be a milestone in the development of legal regulations for AI. Many law firms are closely monitoring this legislation’s progress since it was released. There are, of course, still many questions to be investigated, such as the potential chilling effect on innovation and the design of administrative penalties. The legislation will become more clear upon the second and third readings in the House of Commons and subsequent regulations.

The post Bill C-27: Canada Introduced Its First Legislation on the Development and Use of Artificial Intelligence in the Private Sector appeared first on IPOsgoode.

]]>
Bill C-27: An Early Critical Look at the Electronic Commerce Protection Act /osgoode/iposgoode/2009/05/18/bill-c-27-an-early-critical-look-at-the-electronic-commerce-protection-act/ Mon, 18 May 2009 11:34:10 +0000 http://www.iposgoode.ca/?p=4569 On April 24th the Minister of Industry, Tony Clement, tabled a government bill with the aims of protecting consumers and businesses from dangerous forms of spam and regulating activities that are believed to discourage the use of electronic means of carrying out commercial activities. Bill C-27, the Electronic Commerce Protection Act, contains provisions that prohibit […]

The post Bill C-27: An Early Critical Look at the Electronic Commerce Protection Act appeared first on IPOsgoode.

]]>
On April 24th the Minister of Industry, Tony Clement, with the aims of protecting consumers and businesses from dangerous forms of spam and regulating activities that are believed to discourage the use of electronic means of carrying out commercial activities. , the Electronic Commerce Protection Act, contains provisions that prohibit the sending of commercial electronic messages without prior consent, the unauthorized installation of computer programs, the altering of transmission data in an electronic message (as is commonly used in phishing scams), and a variety of other activities that touch upon electronic commerce. There are amendments to the , , the , and the . The ECPA also allows for administrative penalties to be imposed by the CRTC against offenders as well as separate civil actions by persons who suffer damage as a result of violations.

Though the stated purpose of the ECPA is to “promote the efficiency and adaptability of the Canadian economy”, some of the provisions found within may do just the opposite if applied too liberally. Not that I am certain that the ECPA can be made any more effective, but this post will point out what may be some of the possible undesirable consequences if it is passed. Of course, its overall effects, with which we can make a decision about whether it is actually a good law or not, will likely not be truly understood until it is put into play in our dynamic marketplace. However, it should be expected that both legitimate and illegitimate enterprises will, as usual, evolve around the law so as to continue to pursue their end goals as best as possible.

Section 6 of the ECPA prohibits the transmission of electronic messages received without express or implied consent that, it would be reasonable to conclude, have as their purposes the encouragement of participation in a commercial activity. Furthermore, section 2(3) states that “an electronic message that contains a request for consent to send a [commercial electronic message] is also considered to be a commercial electronic message”. So if X wishes to share information about entity Y (i.e. a business, band, or any other entity that can potentially be viewed as carrying on a commercial activity), and X invites his friends to subscribe to an e-mail list (made available through a mechanism set up by Y) or to join a Facebook group of Y, this may constitute a contravention of the provision against unsolicited electronic messages. Despite the exception to express consent between those who have a personal relationship, as found in section 6(5)(a), the mere fact that the receiver of the invite is on the e-mail list or friends list of X may not be sufficient enough to constitute a personal relationship.

The vicarious liability provision of section 32 maintains that principals are liable for the actions of agents who act “within the scope of their authority”. It may be argued that the existence and use of mechanisms of promotion set up by Y to be used by X can be said to entail that X has in fact acted within the scope of his authority as an agent of Y. Furthermore, because section 32 does not require that an agent even be identified in order for a principal to be liable, it is also possible that the manufacturer of a product, for example, may be unfairly responsible for the actions of agents of its distributors and retailers. This would be the case despite the possibility that these agents may never be found, and even though they may have been acting on their own and had virtually no connection to the manufacturer.

As a separate matter, the ECPA does not seem to address any issue of reduced liability regarding a system that has become infected by malicious software and that sends out unsolicited electronic messages to others unbeknownst to its user. Though the defence of due diligence is allowed under section 33(1), it is difficult to assess the level of care that is expected to prevent infection of one’s computer. Would obtaining standard anti-virus software suffice? If it is found that one’s system has been infected, but the exact consequences are unknown, would the user be required to stop usage and go as far as reformatting to completely eliminate any possibility of a threat to others? Because malicious software is constantly evolving, it is possible that what may be considered due diligence right now will not cut it next year, so that the burden users will be expected to bear will continue to increase in weight.

Section 8 of the ECPA prohibits installing computer programs, as defined in the , onto another person’s system without their express consent. From section 342.1(2) of the Criminal Code, a computer program is “data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function". This provision is meant to prevent the installation of malicious software and spyware, however, it will no doubt affect other aspects of internet browsing. For example, it seems as though JavaScript would fall within the ambit of this section, despite its common appearance on many websites for the purposes of enhancing the user’s experience and allowing for added functionality. In order to obtain express consent, according to sections 10(1) and 10(2), a variety of specific information (that most users will likely not be interested in) will have to be conveyed and accepted, thus slowing down the process of everyday browsing.

There is an interesting comment on Michael Geist’s by one Stephen Tyers, a Canadian living in New Zealand. He states that the ECPA closely resembles a New Zealand law that was recently passed, which I presume is the . He believes that businesses were advised to play it safe and so they ceased contact with past subscribers who may have been interested in remaining on their contact lists but would not have necessarily been considered to have given implied consent under the law. He also believes that the uncertainties in the law can be exploited, resulting in further losses to businesses in the form of litigation costs.

Obviously it is a difficult task to create legislation that delineates the types of electronic transmissions that we do not want, since it is the specific nature of a particular message that makes it spam. A balance should be reached that considers methods of preventing nuisances and threats that we would like to see eliminated as well as the resulting hindrances that are created by any new measures. Ultimately, Parliament must essentially make a judgment call about how far to cast their net of regulations so as to produce an optimum level of efficiency for both consumers and businesses.

The post Bill C-27: An Early Critical Look at the Electronic Commerce Protection Act appeared first on IPOsgoode.

]]>