この記事は現在英語でのみご利用いただけます。
AI Regulation in Canada 2026: PIPEDA, Bill C-27, and Provincial Frameworks
Canada's federal AI legislation lapsed when Bill C-27 died on the order paper in 2025. But PIPEDA, Quebec Law 25, and sector regulators create real AI governance obligations now — and a successor AI bill is expected. The complete 2026 guide.
Key Takeaways
Bill C-27, which included the Artificial Intelligence and Data Act (AIDA), died on the order paper when Parliament was prorogued in January 2025. A new bill has not yet been introduced. However, AIDA's requirements signal the direction of Canadian AI regulation and organisations should build governance infrastructure consistent with its approach.
PIPEDA (Personal Information Protection and Electronic Documents Act) and provincial privacy laws (Quebec Law 25, Alberta PIPA) create current AI governance obligations — transparency, purpose limitation, and individual rights apply to AI data processing now.
Quebec's Law 25 (in force September 2023) includes specific provisions on automated decision-making and profiling that create obligations for organisations operating in Quebec — it is the most AI-specific privacy law currently in force in Canada.
The Office of the Privacy Commissioner of Canada has published guidance on AI and privacy that creates expectations for PIPEDA compliance — meaningful consent, transparency, and individual rights apply to AI systems processing Canadians' personal data.
Financial services AI in Canada is regulated by OSFI (banking and insurance) and IIROC (investment dealers) — OSFI's operational risk guidance and IIROC's technology risk framework both apply to AI systems.
"情報提供のみを目的としています。この記事は法律、規制、財務または専門的なアドバイスを構成するものではありません。具体的なアドバイスについては、資格を持つ専門家にご相談ください。"
Current obligations: PIPEDA and provincial law
While Canada's comprehensive AI legislation is still pending, organisations processing personal data of Canadians face real and current AI governance obligations under existing privacy law. PIPEDA's 10 Fair Information Principles apply to AI: the accountability principle requires that an organisation is responsible for personal data under its control — including data processed by AI systems it uses. The identifying purposes principle requires that the purposes for which personal data is collected are identified before or at the time of collection — using collected data to train AI models for new purposes may require a new purpose identification. The consent principle requires meaningful consent for collection, use, or disclosure — consent obtained for one purpose does not extend to AI processing for different purposes. And the individual access principle gives individuals the right to know what personal information an organisation holds about them — which extends to data used in AI systems that affect them.
Quebec Law 25: Canada's most AI-specific privacy law
Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), fully in force from September 2023, includes specific provisions on automated decision-making that are the most advanced in Canada. Section 12.1 requires that when a person has the right to review or correct a decision made on the basis of personal information, and that decision is made exclusively through an automated process, the person must be informed that the decision was made exclusively through automated means. They must be given the opportunity to present their views to a person who is able to review the decision. These provisions parallel GDPR Article 22 and create significant obligations for organisations using AI in Quebec that make decisions affecting individuals.
AIDA: what is coming
The Artificial Intelligence and Data Act, part of the now-lapsed Bill C-27, proposed a risk-based framework for AI in Canada. While AIDA died with Parliament's prorogation in January 2025, a successor bill is expected and its provisions remain influential. Key proposed provisions were: a tiered risk classification with "high-impact" AI subject to the most demanding obligations; requirements for impact assessments, human oversight, and incident reporting for high-impact AI; transparency obligations for AI systems that interact with the public; and a new AI and Data Commissioner with enforcement powers. The timeline for AIDA becoming law remains uncertain — it has progressed through Parliament but faces committee review and potential amendments. Organisations should treat AIDA as signalling the direction of Canadian AI regulation and begin building governance infrastructure consistent with its requirements.