Australia
Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.
Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.
Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).
Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world.
Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:
Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.
Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.
Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.
The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.
AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.
The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.
The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.
The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.
The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.
France actively participates in international efforts and proposes sector-specific laws.
The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.
Germany evaluates AI-specific legislation needs and actively engages in international initiatives.
National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.
Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.
Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.
Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.
Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.
Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.
The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.
Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.
Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.
South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.
South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.
Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.
Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.
Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.
Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.
Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.
The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.
The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.
The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.
AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.
Canada is expected to regulate AI at the federal level, through the Artificial Intelligence and Data Act (AIDA), which forms part of Bill C-27, a bill that also includes the Consumer Privacy Protection Act (an update to the current federal privacy law) and the Personal Information and Data Protection Tribunal Act.1
At the provincial level, provincial legislatures have yet to introduce laws to directly regulate AI. The Innovation Council of Quebec, a body mandated by the government of Quebec, has however, recently recommended the adoption by the provincial legislature of a law to regulate AI specifically.2
AIDA was introduced in June 2022 and successfully passed its second reading, and was referred to the Standing Committee on Industry Science and Technology ("the Committee") on April 24, 2023.3 The original version of AIDA contained limited substantive content as it left most key elements of the legal regime to be set out at a later date in regulations (including the main compliance obligations and the definition of "high-impact systems," which are the primary focus of the Bill). The Minister of Innovation, Science and Industry, François-Philippe Champagne, subsequently presented the Committee with proposed amendments on November 28, 2023 ("the Proposed Amendments") which are substantial and have addressed some of the concerns regarding the first iteration of AIDA.4 The Proposed Amendments have not yet been officially adopted.
It is unclear when AIDA will come into effect; it is yet to be voted out of committee, and there is some doubt whether it will pass before October 2025 (the deadline to hold a federal election).5 Others have called for AIDA to be stripped out of Bill C-27 and overhauled.6
There are various laws that do not directly seek to regulate AI, but that may affect the development or use of AI in Canada, whether federal, provincial or territorial. A non-exhaustive list of related laws affecting AI includes:
Further to the Proposed Amendments, AIDA currently adopts the following definitions:
The Proposed Amendments clarify that an AI system may be a general-purpose system and a high-risk system at the same time.12
AIDA has a wide territorial scope. Per the Proposed Amendments, Part 1 of AIDA applies in respect of: (i) AI systems or machine learning models made available in the course of international or interprovincial trade and commerce (cross-border trade); and (ii) the management of the operations of AI systems used in the course of cross-border trade.13
In the event a provincial legislation would adopt its own AI law, it remains unclear to what extent AIDA would apply to activities inside this province. Per the Canadian Constitution, federal and provincial government have specific fields of competence where they have authority to legislate. It is possible that the AI law may follow the same path as privacy law: Where some provinces (like Quebec, Alberta and British Columbia) have adopted their own privacy laws, PIPEDA does not apply in their field of competence (but may regulate sectors under federal jurisdiction, like banking). However, in provinces with no general privacy laws (like Ontario), PIPEDA fully applies.
While "high-impact systems" (see below) are defined by reference to their potential use in certain classes (some of which relate to sectors), AIDA does not generally adopt a sector-specific approach. Instead, AIDA imposes different obligations on certain persons depending on: (i) the type of AI system they are involved with (i.e., general-purpose, machine-learning models, or high-impact systems); and (ii) their position along the AI value chain.14
As per the Proposed Amendments, obligations are tailored to each organization's role in the AI value chain. Specifically, the following persons have obligations under AIDA:
AIDA's stated purposes are: (i) to regulate cross-border trade in AI systems by establishing common requirements applicable across Canada, for the design, development and use of those systems; and (ii) to prohibit certain conduct in relation to AI systems that may result in serious harm to individuals or harm to their interests (in particular, biased outputs).18
If an AI system's intended use(s) falls within one of seven classes identified in the Proposed Amendments, that AI system will be considered to be a "high-impact system."19 Specifically, an AI system will be considered "high-impact" if it is used:
AIDA adopts a detailed approach to compliance requirements.21 Some of these requirements (such as those relating to risk management measures) are specific to particular roles in the AI value chain. For example:
Other AIDA requirements are tailored to the distinct challenges and objectives at each point in the AI value chain:
One of the key obligations introduced by the Proposed Amendments is the establishment and maintenance of written accountability frameworks by persons who make a general-purpose system or high-impact system available, or who manage the operations of such systems. Written accountability frameworks shall include (among other things): (i) a description of the roles, responsibilities, and reporting structure for all personnel who contribute to making the system available or managing its operations; (ii) policies and procedures respecting the management of risks relating to the system and the data used by the system; and (iii) anything else required by regulation.27
Under the Proposed Amendments, the Artificial Intelligence and Data Commissioner ("the Commissioner") nominated by the minister in charge of the Act has central responsibility for enforcing AIDA. If the Commissioner is absent or incapacitated, or if no Commissioner is designated, the relevant minister will fulfil the role of the Commissioner.28
The Commissioner has the power to:
The penalties available under AIDA were unchanged by the Proposed Amendments, although further revisions will likely be necessary.33 Currently, contravention of sections 6 through 12 and certain other offences are punishable as follows:34
General offenses35 are punishable as follows:36
1 See here.
2 See here (in French).
3 See here.
4 See here.
5 See here and here.
6 See here.
7 Note that if Bill C-27 is adopted, PIPEDA will be replaced by the Consumer Privacy Protection Act and the Electronic Documents Act.
8 See here (in French).
9 See the Proposed Amendments, p.17.
10 See the Proposed Amendments, p.19.
11 See the Proposed Amendments, p.19.
12 See the Proposed Amendments, p.19: "For greater certainty, an artificial intelligence system may be a general-purpose system and a high-impact system at the same time".
13 See the section entitled "Application", on page 19 of the Proposed Amendments.
14 See the Proposed Amendments, pp.7-8. The Minister explains that the concept of "persons responsible" has been replaced with "distinct obligations based on each organization's role with regard to the system."
15 See the Proposed Amendments, p.20, Section 7(1) (persons who make a general-purpose system available in the course of cross-border trade for the first time) and page 21, sections 8(1) (persons who make a general-purpose system available) and 8.2 (persons managing the operations of a general-purpose system).
16 See the Proposed Amendments, p.23, Sections 10(1) (persons who make a high-impact system available in the course of cross-border trade for the first time) and 10.1(1) (persons who make a high-impact system available), and page 24, section 11(1) (persons who manage operations of a high-impact system).
17 See the Proposed Amendments, p. 22, Sections 9(1) and 9(3) (person who makes a machine learning model available for incorporation into high-impact system).
18 See AIDA, Section 4. This remains unchanged by the Proposed Amendments.
19 "High-impact system" is a concept originally introduced in AIDA. The definition was amended by the Proposed Amendments, p.17. The schedule is available at p.38
20 See the Proposed Amendments, p.38.
21 As noted above, obligations vary depending on: (i) the type of AI system that persons are involved with; and (ii) their position along the AI value chain.
22 See the Proposed Amendments, p.22, Sections 9(1), and 9(1)(b).
23 See the Proposed Amendments, p.23, Sections 10(1)(b)-(c).
24 See the Proposed Amendments, p.24, Section 11(1)(c).
25 See the Proposed Amendments, p. 22, Section 9(1)(a).
26 See the Proposed Amendments, p.24, Section 11(1)(e).
27 See the Proposed Amendments, p.25, Sections 12(1)-(5).
28 See the Proposed Amendments, p.32 ("Administration and enforcement" and "Absence, incapacity or no designation").
29 See the Proposed Amendments, p.26, Sections 13(1) and (2).
30 See the Proposed Amendments, p.26, Section 14(1).
31 See the Proposed Amendments, p.26, Section 15(1).
32 See the Proposed Amendments, p.31, paragraphs 26(1)(a)-(h).
33 The Proposed Amendments did not change the sections of AIDA related to fines. Under AIDA, certain fines were issuable for certain acts related to "regulated activities" (a defined term, see Section 30(2) of AIDA). However, the Proposed Amendments have removed the concept of "regulated activities" (see page 10 of the Proposed Activities PDF). It appears that AIDA's provisions related to fines may need to be revised to account for the fact that the concept of "regulated activities" no longer exists.
34 See AIDA, Sections 30(3)(a) and (b).
35 Under AIDA, Part 2, Sections 38 and 39, general offences are committed if a person:
(i) for the purpose of designing, developing, using or making available for use an AI system, possesses – within the meaning of subsection 4(3) of the Criminal Code – or uses personal information, knowing or believing that the information is obtained or derived, directly or indirectly, as a result of (a) the commission in Canada of an offence under an Act of Parliament or a provincial legislature; or (b) the an act or omission anywhere that, if it had occurred in Canada, would have constituted such an offence; or
(ii) (a) without lawful excuse and knowing that or being reckless as to whether the use of an AI system is likely to cause serious physical or psychological harm to an individual or substantial damage to an individual's property, makes the AI system available for use and the use causes such harm or damage; or (b) with intend to defraud the public and to cause substantial economic loss to an individual, makes an AI system available for use and its use causes that loss.
36 See AIDA, Sections 40(a) and (b).
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP
Charles S. Morgan
Partner, McCarthy Tétrault
+514 397 4230
cmorgan@mccarthy.ca
Christine Ing
Partner, McCarthy Tétrault
+1 416 601 7713
christineing@mccarthy.ca
Francis Langlois
Associate, McCarthy Tétrault
+514 397 4168
flanglois@mccarthy.ca