Canada AI regulation in 2026, where things stand
Canada's AI regulatory landscape in 2026 is a patchwork: a federal AI bill that was shelved, a province with fully operational AI-relevant privacy legislation, sector-specific rules, and a direction of travel that is clear even if the timeline is not.
Bill C-27 and AIDA, the federal picture
The Digital Charter Implementation Act (Bill C-27) was introduced in June 2022. It contained three parts: the Consumer Privacy Protection Act (CPPA) to replace PIPEDA, the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA), Canada's first proposed federal AI-specific law. AIDA would have established requirements for high-impact AI systems including risk mitigation measures, record-keeping, impact assessments, plain-language descriptions, and prohibitions on certain AI behaviours that may cause significant harm.
Bill C-27 was shelved in early 2025 and has not been enacted. However, the Government of Canada continues to signal interest in AI regulation. Budget 2025 announced $925.6 million over five years for large-scale AI infrastructure. The direction of travel, risk-based regulation of high-impact AI systems, is established even if the specific legislation and timeline remain uncertain.
Quebec Law 25, already in force
Quebec's Law 25 (An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information) is fully in force and imposes obligations directly relevant to AI. Organisations under Quebec's jurisdiction must: notify individuals when decisions are made via automated processing; provide individuals the opportunity to present observations to a person in authority; conduct privacy impact assessments before deploying AI systems that process personal information. Penalties reach C$25 million or 4% of global revenue.
For any organisation with Quebec customers or employees using AI, Law 25 creates active compliance obligations right now, not future obligations contingent on federal legislation.
Existing federal law that applies to AI
PIPEDA (Personal Information Protection and Electronic Documents Act) applies to private sector organisations handling personal information in commercial activities across Canada (except in provinces with substantially similar legislation). It requires consent, purpose limitation, and accountability, all applicable to AI processing personal data.
The Directive on Automated Decision-Making (2019) applies to federal government departments using automated systems for administrative decisions. It requires: algorithmic impact assessment; transparency requirements scaled to impact level; human-in-the-loop for decisions with higher impact; peer review for high-impact systems.
Canadian Human Rights Act and Employment Equity Act apply to AI in employment decisions. The Air Canada chatbot case (Moffatt v Air Canada, 2024 BCCRT 149) established that organisations are liable for commitments made by their AI systems.
What companies operating in Canada should do
Comply with Quebec Law 25 if you have Quebec customers or employees. Comply with PIPEDA for personal data processing. Implement AI governance practices aligned with the AIDA framework, even though AIDA hasn't passed, building compliance now positions you ahead. Monitor the federal legislative calendar for AIDA's potential reintroduction. For government contractors, comply with the Directive on Automated Decision-Making.
Primary sources: ISED, AIDA Companion Document · Department of Justice, Bill C-27 Charter Statement
Related reading
- Canada AI Governance 2026: AIDA Is Dead, Quebec Law 25 Leads, and What Organisations Must Do
- UAE AI Governance: DIFC Regulation 10, Federal PDPL, and the World's Most Ambitious AI Strategy
- Brazil LGPD and AI Governance 2026: ANPD Priorities, Enforcement, and What Organisations Must Know
- AI Governance in India: DPDP Act, SEBI, RBI, and the Emerging Regulatory Landscape