AI in Canada

In another article in the AI regulation series, we briefly report on events in Canada where there has been increased interest in the applications of AI technologies and cybersecurity within the public sector in Ontario.

On May 13, 2024, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) was introduced in Parliament. It seeks to strengthen and provide the groundwork for the responsible use of AI among various public sector entities. If passed, Bill 194 will notably enact the Enhancing Digital Security and Trust Act, 2024 (the Act).

The Act aims to mitigate risks associated with cybersecurity and AI systems within Ontario's public sector. This includes organizations operating in Ontario's critical public services such as those in the education, healthcare and children's services sectors.

Defining AI Systems

The Act formally defines "artificial intelligence systems" as "a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments" (AI system).

Regulating AI and Cybersecurity in the Public Sector

While further details are to come in future regulations, the Act creates uniform AI system and cybersecurity requirements for organizations operating in Ontario's public sector. These requirements for AI system usage best practices include:

• public disclosure on its development and use;
• development and implementation of an accountability framework;
• risk mitigation requirements; and
• governance processes of AI systems concerning their use and reporting mechanisms.

In addition to these general requirements prescribed by future regulations, entities using (or intending to use) AI systems will be required to appoint an individual responsible for oversight of AI systems within the organizational structure of the entity to perform an oversight function.

From a cybersecurity perspective, public sector entities will also be obligated to develop, implement and govern cybersecurity programs with a corresponding incident reporting scheme. Moreover, specific requirements for such cybersecurity programs shall be instituted, including: defining roles and responsibilities, progress reporting, education and awareness initiatives and response and recovery measures in relation to cyber incidents.

Lastly, the Minister of Public and Business Service Delivery may make further regulations setting technical standards for the use of AI systems and cybersecurity protocols.