Has Canada's AIDA passed into law?

As of mid-2026, AIDA is part of Bill C-27 which has been moving through parliamentary review. AIDA has not yet received Royal Assent and is not in force. However, the compliance planning window is now — impact assessments, bias testing, and record-keeping requirements all require pre-deployment work. Organizations with AI systems likely to be classified as high-impact should conduct gap assessments against the anticipated regulatory scope.

What AI systems qualify as 'high-impact' under AIDA?

The exact high-impact definition will be set by regulation. Government consultations consistently indicate high-impact covers: AI making or significantly influencing credit decisions, employment decisions (hiring, performance, termination), healthcare treatment decisions, insurance pricing or eligibility, housing access decisions, and large-scale biometric identification. AI used to assess criminal behavior or recidivism is also within the anticipated high-impact scope. Organizations building AI for these use cases for Canadian markets should plan for high-impact classification.

What must an AIDA impact assessment include?

AIDA Section 7 requires that impact assessments identify the system and its purpose, assess risks of harm to individuals, identify mitigation measures, and be available to the Minister on request. Best practice based on government guidance: document the intended use case and affected population; training data sources and known limitations; bias testing results and disparate impact analysis; human oversight mechanisms; and incident response procedures. The assessment is a pre-deployment requirement.

What does AIDA's biased output prohibition actually prohibit?

Section 15 prohibits making, using, or making available high-impact AI systems that produce biased output causing significant harm. Biased output means AI output that differentiates individuals disadvantageously on protected grounds under the Canadian Human Rights Act — race, national origin, colour, religion, age, sex, sexual orientation, disability. Significant harm means material, real harm — not merely statistical disparities. Organizations must conduct bias testing before deployment and ongoing monitoring post-deployment. Discovered bias must be remediated and documented.

How does AIDA interact with CPPA?

Bill C-27 pairs AIDA (AI obligations) with the Consumer Privacy Protection Act (CPPA, replacing PIPEDA). AI systems processing personal data must comply with both. CPPA gives individuals the right to know AI was used in significant decisions and to request explanations. AIDA requires organizations to build transparency mechanisms so individuals can access those explanations. Together they require: individual-facing explanation systems; per-decision audit trails; bias testing; human oversight; and incident reporting. Organizations should design a unified compliance system satisfying both frameworks.

How does AIDA compare to the EU AI Act?

Both are risk-tiered AI regulation frameworks. Similarities: both define a high-risk/high-impact category requiring impact assessments, transparency, and human oversight; both prohibit manipulation AI and biometric mass surveillance; both apply extraterritorially to organizations serving the jurisdiction's users. Differences: AIDA's high-impact definition is set by regulation (flexible but currently uncertain); EU AI Act uses Annex III use case lists (more predictable). EU AI Act requires conformity assessment and CE marking; AIDA does not. EU AI Act is in force (high-risk obligations August 2026); AIDA is still pending Royal Assent.

How does Tenet AI support AIDA compliance?

Tenet supports three AIDA obligations. Impact assessment evidence: decision analytics provide empirical data on AI behavior — input distributions, output patterns, anomaly rates — that supports risk documentation. Transparency: per-decision records with input features and contributing factors enable the individual-specific explanations AIDA Section 8 requires. Bias monitoring: Tenet's anomaly detection and decision logging enable ongoing fairness monitoring — identifying unexpected shifts in decision patterns that may indicate biased outputs, triggering the incident reporting workflow when harm thresholds are crossed.

Canada AIDA: Artificial Intelligence and Data Act — High-Impact AI Systems Compliance Guide

Q: Who must comply with AIDA?

AIDA applies to persons subject to federal jurisdiction making or using high-impact AI in Canada. Federal jurisdiction covers: banks and federally chartered financial institutions, telecommunications carriers, broadcasters, interprovincial transportation companies, and federal Crown corporations. Non-Canadian organizations making high-impact AI available to Canadian users through digital channels are also within scope. The 'available for use in Canada' language has extraterritorial application similar to GDPR's market-targeting approach.

Canada's Artificial Intelligence and Data Act (AIDA), Part 3 of Bill C-27, establishes risk-based obligations for "high-impact AI systems" — AI used in employment, credit decisions, insurance underwriting, healthcare, housing, and other contexts with significant effects on Canadian individuals. High-impact AI systems require: pre-deployment impact assessments documenting risks and mitigation; transparency mechanisms so affected individuals can know AI was used and request explanations; risk mitigation measures including bias testing across protected characteristics; human oversight capability; and incident reporting for serious harms. AIDA Section 15 prohibits high-impact AI systems that produce biased outputs causing significant harm — this is a substantive fairness obligation, not just documentation. AIDA is paired with the Consumer Privacy Protection Act (CPPA) in Bill C-27, which replaces PIPEDA and requires meaningful explanations for automated decisions. Criminal penalties for prohibited AI: up to C$25M or 5% of global revenue. Administrative penalties for non-compliance: up to C$10M or 3% of global revenue.

AIDA Risk Tiers: General, High-Impact, and Prohibited AI Systems

AIDA takes a risk-tiered approach. General AI systems — tools without significant effects on individual rights or safety — face no specific AIDA obligations beyond standard CPPA data protection. High-impact AI systems — those with significant effects on individuals' health, safety, fundamental rights (employment, housing, education), or economic interests (credit, insurance) — face the full suite of AIDA obligations. Prohibited AI — systems designed to manipulate individuals without awareness, AI using unlawfully obtained data to cause harm, AI generating child sexual abuse material, real-time biometric mass surveillance — face absolute prohibition with criminal penalties up to C$25M or 5% of global revenue. The exact definition of "high-impact" will be specified in regulations post-enactment, but government consultations consistently indicate the high-impact category covers credit scoring, employment AI, health AI, insurance pricing, housing decisions, and biometric identification.

Impact Assessment: Required Before High-Impact AI Deployment

AIDA Section 7 requires that before making a high-impact AI system available for use in Canada, a responsible person must complete an impact assessment. The impact assessment must: identify the high-impact AI system and its intended purpose; assess the risks of harm to individuals; identify the measures taken to mitigate those risks; and be made available to the Minister of Innovation on request. The impact assessment is a pre-deployment gate — it must be completed before the system goes live, not retrospectively. The assessment should document: the intended use case and affected population; training data sources and quality; known limitations and failure modes; bias testing results and disparate impact analysis across protected groups; and the human oversight mechanisms implemented. For AI systems already deployed before AIDA takes effect, a transition period will require retroactive assessments within a specified timeframe.

AIDA's Biased Output Prohibition: What AI Fairness Means Under Canadian Law

AIDA Section 15 is among its most substantive provisions: it prohibits making, using, or making available a high-impact AI system that results in biased output causing significant harm. "Biased output" means AI output that differentiates or treats individuals disadvantageously on grounds protected under the Canadian Human Rights Act — race, national or ethnic origin, colour, religion, age, sex, sexual orientation, marital status, family status, or disability. "Significant harm" sets the threshold above minor statistical disparities — the harm must be material and real. Implications: organizations must conduct pre-deployment disparate impact testing; ongoing monitoring is required because model drift can introduce bias post-deployment; discovered bias must be remediated AND documented (remediation alone without records violates the record-keeping obligation); and vendor contracts must address what happens when a third-party AI model produces biased outputs in a high-impact application.

AIDA and CPPA: Parallel Compliance for AI Systems Processing Personal Data

Bill C-27 pairs AIDA's AI-specific obligations with the Consumer Privacy Protection Act (CPPA), Canada's modernized private sector privacy law replacing PIPEDA. AI systems processing personal data of Canadians must comply with both frameworks simultaneously. CPPA adds automated decision-making provisions: individuals affected by significant automated decisions (credit, employment, healthcare) have the right to know that AI was used and to request an explanation of how the AI contributed to the decision; they also have the right to challenge automated decisions. These CPPA rights are individual-facing while AIDA's transparency obligation creates the mechanism — organizations must build explanation systems that satisfy both AIDA's availability requirement (explanation available on request) and CPPA's individual rights (explanation delivered to the affected person). CPPA enforcement: administrative fines up to C$10M or 3% of global revenue; criminal penalties for reckless or intentional violations up to C$25M or 5% of global revenue.

Who Must Comply With AIDA and What Federal Jurisdiction Covers

AIDA applies to persons subject to federal jurisdiction that use or make high-impact AI systems available in Canada. Federal jurisdiction under the Constitution Act covers: banks and federally chartered financial institutions; telecommunications carriers and broadcasters; interprovincial transportation companies; federal Crown corporations; and industries whose activities are in and for the general advantage of Canada. This covers virtually all major Canadian financial institutions (which are federally chartered), major telecom providers, and federal government agencies. It also reaches non-Canadian organizations that make high-impact AI available to Canadian users through digital channels — the "available for use in Canada" language has extraterritorial application similar to GDPR's market-targeting approach. Provincial jurisdiction entities (provincially chartered credit unions, provincial utilities, healthcare providers in provinces with provincial health systems) may face provincial AI regulation separately.