Canada’s new AI strategy outlines the government’s plans to generate value from AI across the economy but includes little on the legislation needed to carry out its promises around safety and governance.
The first pillar of the strategy, released today, is titled “protecting Canadians,” but the policy document does not propose new regulatory measures for how companies and individuals should use AI, experts and ecosystem leaders say. Instead, the document reiterates Ottawa’s intent to introduce new privacy and online safety laws—including updates to Canada’s 40-year old Privacy Act—which have yet to be tabled.
“Right now, we’re dealing with 21st-century problems with 20th-century frameworks.”
Ritesh Kotak,
Cybersecurity analyst
In their strategy, the feds pledge to introduce new consumer privacy legislation that will enshrine a “fundamental right to privacy,” safeguard children’s data from harm, and strengthen individual control over personal data. The new privacy laws will ensure Canadians’ data won’t be used inappropriately, such as for surveillance pricing—when companies algorithmically use individual data to set different prices for different customers.
The feds also say they will modernize online safety laws to “protect Canadians in the digital age.” This includes “legal tools” for Canadians to combat deepfakes, ensure safety in chatbot interactions, and hold those responsible for online harms accountable.
RELATED: Canada’s AI strategy contains $2.3 billion in spending but few details on new privacy regulations
Ritesh Kotak, a tech and cybersecurity analyst, said that updates to existing privacy legislation are needed. “Right now, we’re dealing with 21st-century problems with 20th-century frameworks,” Kotak said in an interview.
The strategy acknowledges that more AI adoption means AI systems will make “consequential decisions” about Canadians’ lives in hiring, lending, healthcare, and public services. At the same time, “deepfakes, synthetic media, and AI-generated disinformation are reshaping the information environment.”
Prime Minister Mark Carney reiterated the legislative plan at the AI strategy announcement Thursday morning in Toronto, and suggested that details about those proposed laws could be coming soon.
“We will also enshrine Canadians’ fundamental right to privacy, including by creating protections against harmful practices such as deepfakes and surveillance pricing, so that technology doesn’t outpace our ability to safeguard against technology ourselves,” Carney said.
The prime minister added that Canada “will make the development of child safety standards a priority at this month’s G7 summit” in Évians-les-Bains, France.
More on Canada’s AI strategy
• Canada’s AI strategy contains $2.3 billion in spending but few specifics on privacy
• Canada’s AI strategy promises to protect citizens. Critics say it still lacks teeth
• Canada’s AI strategy looks to shift government from startup supporter to stakeholder
• Canada’s AI strategy draws mixed reviews from across tech ecosystem
In French remarks, Carney added that the government will introduce legislation in the coming weeks related to the protection of children and the use of the AI.
For Helen Hayes, a PhD candidate at McGill University in communication studies, the strategy lacks safeguards such as child-focused AI risk assessments, independent safety audits, or standards for AI companions.
“When you look for concrete measures aimed at protecting young people, the strategy offers remarkably little beyond literacy initiatives and a supposed promise to put forth legislation to address online harms,” Hayes told BetaKit.
Vass Bednar, managing director of the think tank Canadian Shield Institute, told BetaKit she wishes the government had delivered a draft version of the proposed privacy law today.
“They’re right that clear governance and meaningful oversight to prevent harms from AI is a key part of any serious adoption strategy, but until we actually see the law, we can’t know if the governance framework will be successful,” she said.
“When you look for concrete measures aimed at protecting young people, the strategy offers remarkably little.”
High-profile issues have brought Canada’s lack of privacy and AI legislation to the fore in recent months. When non-consensual, sexualized deepfakes generated by Grok AI started appearing on social platform X, it highlighted gaps in Canada’s laws governing AI-generated sexualized images. For example, recourse for adults who have been the victim of AI-generated deepfakes is largely through the civil system and varies by province.
After the Tumbler Ridge, BC, mass shooting on Feb. 10, it was revealed that the perpetrator’s ChatGPT account had been banned for misusing OpenAI’s models “in furtherance of violent activities.” Canadian government consultations prompted internal changes at the AI company, but have not yet resulted in a policy change in Canada.
RELATED: Opinion: Canada’s new AI strategy is off to a bad start
Neither the privacy nor the online harms pieces are new ideas. AI and digital innovation minister Evan Solomon, whose office led the AI strategy project, said last fall that updates to privacy laws around deepfakes and protecting children were in the works. He previously said that bringing forward some elements of the feds’ previous attempt at AI regulation, Bill C-27, was part of the plan. Neither that bill nor the Online Harms Act made it into law.
Blair Attard-Frost, a Canada CIFAR AI chair and assistant professor at the University of Alberta, said in a Bluesky post today that the proposed regulatory framework Canada has is “mostly voluntary and opaque.”
“My overall impression is the [goernment] realizes they have to regulate, but are nervous about scaring investment away,” Attard-Frost wrote. “The result is a non-committal scaffold for maybe-stronger-regulation-later that creates uncertainty for both concerned citizens [and] businesses looking for clear signal of regulatory intent.”
With files from Alex Riehl.
Feature image courtesy Mark Carney via LinkedIn.