The Regulation of Artificial Intelligence in Canada and Abroad: Comparing the Proposed AIDA and EU AI Act

“High-risk system” means:

• the AI system is intended to be used as a safety component of a specified regulated product, or is itself a specified regulated product (e.g., machinery, toys or radio equipment), that is subject to regulatory approvals before being placed on the market; or
• specified AI systems which pose a high risk of harm to health and safety or the fundamental rights of persons (e.g., systems for biometric identification and the management and operation of critical infrastructure).

• the death of a person or serious damage to a person’s health, to property or the environment; or
• a serious and irreversible disruption of the management and operation of critical infrastructure.

• processing or making available for use of any data relating to human activities for the purpose of designing, developing or using an AI system; and
• designing, developing or making available for use an AI system or managing its operations.

• “Providers” (including a natural or legal person, public authority, agency, or other body) of AI systems who place on the market or put into service such systems, irrespective of whether those providers are established within the EU or in a third country;
• Users of AI systems located in the EU; and
• Providers and users of AI systems located outside the EU, where the output produced by those systems is used in the EU.

• government institutions as defined in section 3 of the Privacy Act; and
• products, services or activities that are under the direction or control of specified federal security agencies, such as the Minister of National Defence and the Director of the Canadian Security Intelligence Service.

The EU AI Act does not apply to:

• AI systems developed or used exclusively for military purposes; and
• foreign public authorities or international organizations who use AI systems in the framework of international agreements for law enforcement and judicial cooperation with the EU or EU Member States.

AIDA does not stipulate an outright ban on AI systems presenting an unacceptable level of risk.

It does, however, make it an offence to:

• possess or use personal information for the purpose of creating an AI system if the personal information was not lawfully obtained;
• knowingly (or with reckless disregard) use an AI system that is likely to cause serious physical or psychological harm to an individual or substantial damage to property, if such harm occurs; or
• make an AI system available for use with the intent to defraud the public and to cause substantial economic loss to an individual, if such loss occurs.

The EU AI Act prohibits certain AI practices and certain types of AI systems, including:

• systems aimed at distorting a person’s behaviour that are likely to cause physical or psychological harm to an individual by using subliminally manipulative techniques or techniques exploitive of individual vulnerabilities based on their age, physical or mental incapacities;
• social scoring systems used by public authorities, or on their behalf, that lead to unjustified, disproportionate or unrelated detrimental or unfavourable treatment of certain persons or groups; and
• the use of AI systems for “real-time” biometric identification of individuals in publicly accessible spaces for law enforcement purposes. [3]

Persons who process anonymized data for use in AI systems must establish measures (in accordance with future regulations) with respect to:

• the manner in which data is anonymized; and
• the use or management of anonymized data.

High-risk systems that use data sets for training, validation and testing must be subject to appropriate data governance and management practices that address:

• design choices, data collection and data preparation;
• the formulation of assumptions;
• assessments of the availability of data; and
• an examination of possible biases and the identification of any possible data gaps or shortcomings.

Data sets must:

• be relevant, free of errors and complete;
• account for the characteristics or elements of the specific geographical, behavioural or functional setting within which the AI system is intended to be used; and
• only include special categories of personal data if appropriate safeguards are in place.

• AI systems with “unacceptable risk” are prohibited;
• AI systems with “high risk” are permitted, subject to a conformity assessment and compliance requirements, including a certification scheme;
• AI systems with “transparency risks” are permitted, subject to transparency obligations; and
• AI systems with “minimal or no risk” are permitted with no restrictions.

• establish measures (in accordance with future regulations) to identify, assess, and mitigate the risks of harm or biased output that could result from the use of the system; and
• establish measures (in accordance with future regulations) to monitor compliance with such mitigation measures.

• undergo a conformity assessment procedure and be registered with a “declaration of conformity” before being put into use;
• have a risk management system to identify and evaluate risks through the system’s lifecycle;
• have automatic event logging capabilities;
• be sufficiently transparent to allow users to interpret the system’s output and use it appropriately;
• be accompanied by concise and clear instructions for use that includes the relevant information set out in the EU AI Act;
• allow for effective human oversight to prevent or minimize risks to health, safety or fundamental rights; and
• achieve an appropriate level of robustness and cybersecurity.

Transparency. Persons responsible for “high-impact systems” must publish on a public website a plain-language description of the AI system which explains:

• how the system is intended to be used;
• the types of content it is intended to generate and the decisions, recommendations or predictions that it is intended to make;
• the mitigation measures established in respect of the system; and
• any other information required by future regulations.

Transparency. AI systems which interact with individuals and pose transparency risks, such as those that incorporate emotion recognition systems or risks of impersonation or deception, are subject to additional transparency obligations.

Regardless of whether or not the system qualifies as high-risk, individuals must be notified that they are:

• interacting with an AI system, unless this is obvious from the circumstances and context of use; and
• exposed to an emotion recognition system, a biometric categorisation system, or a “deep fake” (i.e., AI generated or manipulated image, audio or video content).

Persons responsible for AI systems must keep records (in accordance with future regulations) describing:

• measures they have established to identify, assess and mitigate the risks of harm or biased output that could result from the use of the AI system; and
• reasons to support their assessment of whether or not the AI system is a “high-impact system”.

High-risk AI systems must:

• have technical documentation drawn up before being placed on the market or put into service; such documentation must, amongst other things, demonstrate compliance of the high-risk system with the requirements set out in the EU AI Act; and
• be designed and developed in such a way as to enable automatic event logging capabilities while in operation, consistent with recognized standards or common specifications (more prescriptive requirements apply to high-risk systems performing biometric identification and categorisation).

Providers of high-risk AI systems must:

• develop a quality management system to ensure compliance; and
• establish a post-market monitoring system to monitor the performance and compliance of high-risk AI systems throughout their lifecycle.

The Minister of Industry may designate an official to be the Artificial Intelligence and Data Commissioner, whose role is to assist in the administration and enforcement of AIDA. The Minister may delegate any of their powers or duties under AIDA to the Commissioner.

The Minister of Industry has the following powers:

• Public awareness. Promote public awareness of AIDA and publish recommendations or guidelines with respect to compliance with AIDA.
• Record collection. Order the production of records that a person is required to maintain under AIDA (i.e., system assessment, risk management, monitoring measures, and data anonymization).
• Auditing. Order an audit with respect to a possible contravention of AIDA and subsequently order corrective or preventive actions pursuant to the audit report’s findings.
• Cessation. Order that a person responsible for a high-impact system cease using it if there is reason to believe that the system gives rise to a serious risk of imminent harm.

The European Artificial Intelligence Board will assist the European Commission in providing guidance and overseeing the application of the EU AI Act. Each Member State will designate or establish a national supervisory authority.

The Commission has the authority to:

• maintain a publicly accessible database of information concerning high-risk systems;
• oversee the conformity assessment process for high-risk systems; and
• oversee market surveillance activities.

Persons who commit a “violation” of AIDA or its regulations may be subject to administrative monetary penalties, the details of which will be establish by future regulations. Administrative monetary penalties are intended to promote compliance with AIDA.

Contraventions to AIDA’s governance and transparency requirements can result in fines:

• up to the greater of $10 million and 3% of global revenues, or, when prosecuted as a summary offence, the greater of $5 million and 2% of global revenues; or
• for individuals, an amount at the discretion of the court, up to a maximum of $50,000.

Persons who commit more serious criminal offences (e.g., contravening the prohibitions noted above or obstructing or providing false or misleading information during an audit or investigation) may be liable to:

• a fine of up to $25 million or 5% of global revenues; or
• in the case of an individual, a fine at the discretion of the court or imprisonment. 

• up to 6% of total global annual turnover, or 30,000 EUR in the case of an individual, for engaging in prohibited practices or failing to meet data governance requirements;
• up to 4% of total global annual turnover, or 20,000 EUR in the case of an individual, for any other violation; and
• additional fines applicable to EU institutions, agencies and bodies.