The State of Canadian AI Compliance 2026
A founder’s field report on where Canadian AI regulation actually stands in 2026 — the law that died, the laws still standing, the foreign rules already reaching in, and the widening gap between how fast Canadian businesses adopt AI and how slowly they govern it.
By Vivek Chakravarthy · 2026-07-12
Key findings
- 1Canada has no in-force AI-specific law. Bill C-27 — which carried the proposed Artificial Intelligence and Data Act (AIDA) — died on the Order Paper when Parliament was prorogued on January 6, 2025, and the government has confirmed AIDA will not return in its old form.
- 2The rules that actually bind Canadian businesses today are the ones that already existed: PIPEDA federally, Quebec’s Law 25 (fully in force since September 22, 2024, with penalties up to $25M or 4% of worldwide turnover), plus BC and Alberta PIPA, PHIPA and CASL.
- 3Canadian AI adoption roughly tripled in two years — from 6.1% of businesses in Q2 2024 to 12.2% in Q2 2025 to 19.2% by 2026 (Statistics Canada) — while formal AI governance lagged far behind, opening a measurable governance gap.
- 4The EU AI Act is already extraterritorial: any Canadian company whose AI output is used in the EU can be caught, with fines up to €35M or 7% of global turnover for prohibited practices — live since February 2025.
- 5Enforcement has arrived through the privacy door, not an AI statute. The landmark 2026 joint investigation into OpenAI’s ChatGPT (OPC plus Quebec, BC and Alberta regulators) found unlawful data collection under existing privacy law — proof that "no AI law" does not mean "no AI liability".
- 6Shadow AI is the quiet compliance crisis: independent surveys put internal data leakage through generative AI near half of organizations, while a minority of employees are even aware of a company AI policy.
- 7The organizations pulling ahead are treating AI governance as an operational discipline — inventory, accountability, risk assessment, monitoring — anchored to voluntary frameworks like ISO/IEC 42001 and the NIST AI RMF, well before any Canadian law forces them to.
Executive summary: the big picture in 2026
Here is the single most important fact about Canadian AI compliance in 2026, and it surprises almost everyone I say it to: Canada does not have an AI law. Not one that is in force. The bill that was supposed to give us one is dead.
For three years the conversation was dominated by Bill C-27 and its centrepiece, the Artificial Intelligence and Data Act (AIDA). Businesses waited. Consultants sold readiness assessments for a statute that had not passed. And then, on January 6, 2025, Parliament was prorogued, the Prime Minister announced his resignation, and every bill on the Order Paper — C-27 included — simply died. AIDA, the proposed federal privacy overhaul, and a new tribunal all went with it. In June 2025, the minister responsible confirmed what most of us already assumed: AIDA is not coming back as drafted.
So if you run a Canadian business using AI, the honest answer to "what AI law must I follow?" is: none, specifically. But that is the trap. The absence of an *AI-specific* statute has been widely misread as an absence of obligation, and that reading is expensive. The laws that already govern data — the Personal Information Protection and Electronic Documents Act (PIPEDA) federally, Quebec’s Law 25, British Columbia and Alberta’s private-sector privacy laws, Ontario’s health-privacy law PHIPA, and Canada’s anti-spam law CASL — apply to AI systems in full. They were written for data, and AI is a data machine. You do not need an AI law to be liable for what your AI does with personal information, and 2026 gave us the clearest proof yet of that.
Meanwhile, the ground shifted underneath everyone. Three forces now define the real compliance picture:
- Foreign law reaching in. The EU AI Act came into force in August 2024 and its extraterritorial provisions mean Canadian exporters can be bound regardless of the state of Canadian law. Prohibited-practice fines — up to €35 million or 7% of worldwide turnover — have been enforceable since February 2025.
- Adoption outrunning governance. Statistics Canada data shows business AI use roughly tripled between 2024 and 2026. Very little of that adoption came with a corresponding governance program. That delta is the story of 2026.
- Enforcement through the privacy door. Regulators did not wait for an AI act. They used the privacy laws they already had. The joint investigation into OpenAI’s ChatGPT, resolved in 2026, is the template for how AI accountability will be enforced in Canada for the next several years.
This report is my attempt, as someone who builds AI-governance and privacy software for a living, to describe the terrain honestly. It is a synthesis of public regulatory sources and published data — not a proprietary survey, and I am transparent about that in the methodology section. Its one original contribution is a practical maturity model, the AI Compliance Readiness framework, that lets you place your own organization on a five-level scale and see the next rung. If you take one thing from the pages that follow, take this: govern for the law that is coming and the foreign law already here, not the Canadian law that isn’t.
The Canadian regulatory landscape: what actually binds you
Let us clear away the fog and list the laws that are genuinely in force in Canada in 2026. None of them is an AI statute. All of them apply to AI.
PIPEDA — still the federal baseline
The Personal Information Protection and Electronic Documents Act remains Canada’s federal private-sector privacy law. It governs the collection, use, and disclosure of personal information in the course of commercial activity across most of the country. Its planned replacement — the Consumer Privacy Protection Act (CPPA), bundled into Bill C-27 alongside AIDA — died with the rest of C-27 at prorogation. So the twenty-year-old, principles-based, consent-centred PIPEDA is still what you answer to federally. Its ten fair-information principles — accountability, consent, limiting collection, accuracy, safeguards, openness, individual access — map directly onto the risks that AI creates: over-collection of training data, opaque automated decisions, inaccurate outputs about real people. PIPEDA does not mention AI once. It does not have to.
Quebec Law 25 — the toughest game in the country
Quebec’s Law 25 (formerly Bill 64) is the most demanding privacy regime in Canada and, functionally, the closest thing we have to a GDPR-grade law. It rolled out in three annual phases and reached full force on September 22, 2024, when the right to data portability took effect. Law 25 requires a designated privacy officer, mandatory confidentiality-incident reporting to the Commission d’accès à l’information (CAI), privacy impact assessments for systems handling personal information, privacy by default, and — crucially for AI — transparency and rights around automated decision-making. If a decision about someone is made exclusively by automated processing, they have the right to be informed and to have it reviewed.
The penalties are what make Law 25 impossible to ignore. The CAI can levy administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines can reach $25 million or 4% of worldwide turnover, whichever is greater. Those are GDPR-scale numbers, and they apply to any enterprise carrying on business in Quebec — not just Quebec-headquartered ones.
The provincial and sectoral layer
Beyond the federal and Quebec regimes, several other laws bind depending on where and how you operate:
- British Columbia PIPA and Alberta PIPA — substantially-similar private-sector privacy laws that displace PIPEDA for organizations operating wholly within those provinces. Both figured directly in the 2026 ChatGPT investigation.
- PHIPA (Ontario) and equivalent provincial health-privacy laws — govern personal health information, which sharply raises the stakes for any AI touching clinical or patient data.
- CASL — Canada’s Anti-Spam Legislation governs commercial electronic messages and has real teeth. AI-generated or AI-personalized outbound messaging does not escape it.
Who must comply
| If you… | Then you are bound by… |
|---|---|
| Handle personal data in commercial activity anywhere in Canada | PIPEDA (or the substantially-similar provincial law) |
| Carry on an enterprise in Quebec | Law 25 — regardless of where you are headquartered |
| Operate wholly within BC or Alberta | BC PIPA / Alberta PIPA |
| Touch personal health information in Ontario | PHIPA |
| Send commercial electronic messages to Canadians | CASL |
| Make automated decisions about individuals | Law 25 ADM rules; PIPEDA accountability + accuracy |
| Sell or deploy AI whose output reaches the EU | EU AI Act (see next section) |
The pattern is clear. There is no single door marked "AI compliance" in Canada. There are five or six doors marked "privacy", "health data", "anti-spam", and "automated decisions", and your AI has to walk through all of them.
The AI rules already reaching Canada
If Canada has no AI law, why are serious Canadian companies building AI governance programs right now? Because the rules that will shape their obligations already exist — they just were not written in Ottawa.
The EU AI Act is extraterritorial, and it is live
The EU AI Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024 and phases in over three years. Its reach does not stop at Europe’s borders. Like the GDPR before it, the Act applies to providers and deployers outside the EU when the output of their AI system is used within the EU. A Halifax software company whose model scores loan applications for a European client, a Montreal SaaS vendor whose AI feature is used by EU customers — both can be caught.
The timeline every Canadian exporter should have on the wall:
- February 2, 2025 — prohibited AI practices (social scoring, certain biometric categorization, manipulative systems) became enforceable. These carry the top fine tier: up to €35 million or 7% of worldwide annual turnover.
- August 2, 2025 — obligations for general-purpose AI (GPAI) models took effect, along with governance and penalty machinery.
- August 2, 2026 — the big one: obligations for high-risk AI systems under Annex III begin to apply (employment, credit, essential services, and more).
- August 2, 2027 — remaining high-risk categories and legacy GPAI models must be in compliance.
For a Canadian company, the practical takeaway is that the EU AI Act may be your binding AI regulation long before any domestic one exists. Our EU AI Act guide breaks the obligations down by role and risk tier.
AIDA’s limbo, and the voluntary bridge
With AIDA dead, the federal government’s only live AI-governance instrument is soft law: the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, launched by ISED in September 2023. It commits signatories — more than two dozen organizations including Canadian and global firms — to principles of accountability, safety, fairness and equity, transparency, human oversight, and validity and robustness. It was explicitly designed as a bridge to AIDA. The bridge now leads to nowhere in particular, but the principles remain a credible statement of the federal government’s expectations, and signing on is a visible good-faith signal.
The standards filling the vacuum
Where hard law is absent, standards do the work. Two matter most:
- ISO/IEC 42001:2023 — the world’s first AI management system standard, published in December 2023. It is to AI what ISO 27001 is to information security: a certifiable, auditable management-system framework covering AI policy, roles, risk and impact assessment, lifecycle controls, and continual improvement. Because it is independently certifiable, it is quickly becoming the currency of AI trust in procurement. Our ISO 42001 guide walks through what implementation actually involves.
- NIST AI Risk Management Framework (AI RMF 1.0) — released by the U.S. National Institute of Standards and Technology in January 2023, organized around four functions: Govern, Map, Measure, and Manage. Its July 2024 Generative AI Profile (NIST AI 600-1) adds twelve generative-AI-specific risk categories. It is voluntary and free, and it pairs naturally with ISO 42001 — NIST for the risk vocabulary, ISO for the management system.
The strategic reading is straightforward. A Canadian organization that builds its AI governance on ISO 42001 and the NIST AI RMF today is not gambling on which Canadian law eventually passes. Those frameworks already anticipate the substance of the EU AI Act and of any plausible successor to AIDA. You are building to the standard, not to the statute, and the standard is portable.
The governance gap: adopting faster than we can govern
This is the section I care about most, because it is where the real risk in Canada lives in 2026. It is not a gap between our law and Europe’s. It is the gap between how fast Canadian businesses are adopting AI and how slowly they are governing it.
Adoption is accelerating — fast
Statistics Canada has been asking Canadian businesses the same question since 2024: did you use AI to produce goods or deliver services in the past twelve months? The trend line is steep:
- Q2 2024: 6.1% of businesses said yes.
- Q2 2025: 12.2% — a doubling in a single year, with a further 17.9% planning to adopt AI software within twelve months.
- 2026: roughly 19.2% — triple the 2024 figure.
Tripling in two years is a genuine transformation of how Canadian firms operate. And that number understates real usage, because it captures *organizational* adoption, not the far larger volume of employees using AI tools on their own initiative.
Governance is not keeping pace
Here is the asymmetry. Adoption is an executive decision that can happen in a quarter. Governance — an AI inventory, a use policy, risk assessments, human-oversight rules, monitoring — is an operational program that takes many quarters to stand up. So the two curves diverge, and the space between them is where incidents happen.
The clearest evidence of the gap is the shadow AI phenomenon: employees using generative AI tools that their employer has not sanctioned, often pasting confidential or personal information into consumer chatbots. The published numbers vary by methodology, but every credible source points the same direction. Cisco’s 2025 research found that nearly half of organizations reported internal data leaking out through generative AI — data that left through employee prompts, not a breach. Other 2025 workforce surveys found a large majority of knowledge workers using AI at work while only a small minority were aware of any official company policy governing it. Gartner reported that most cybersecurity leaders suspect or have evidence of prohibited public GenAI use inside their organizations.
I want to be careful here, because this report’s integrity depends on it: these are third-party surveys with varying samples, not a Canuckt census. But the qualitative signal is unambiguous and it matches what I see in the field every week. Most Canadian organizations do not know what AI is being used inside their own walls. You cannot govern, redact, or risk-assess what you cannot see.
Why the gap is a compliance problem, not just an IT problem
Every one of those unsanctioned prompts is a potential PIPEDA or Law 25 event. Paste a customer’s personal information into a consumer AI tool and you have arguably disclosed personal data to a third party without valid consent, without a safeguard, and without a record. In a Law 25 jurisdiction, that is exactly the kind of confidentiality incident the CAI expects you to log and, if it carries a risk of serious injury, report.
This is the operational heart of AI governance, and it is why the two products I build exist. Valdra is what an organization uses to close the governance side of the gap — to inventory its AI systems, run the impact assessments, assign accountability, and evidence compliance against PIPEDA, Law 25, and the EU AI Act in one place. Shielk closes the data side — detecting and redacting personal information before it ever reaches a model, so that the shadow-AI prompt that would have leaked a customer’s file simply cannot. Neither is a silver bullet. Together they describe the two disciplines the governance gap actually requires: see and control your AI, and control the data that flows into it. The AI governance guide covers the program-level view.
Enforcement trends: how AI accountability is actually landing
The most common objection I hear is: "There is no AI law, so there is no real enforcement risk yet." 2026 demolished that argument. Enforcement is here. It just arrived through the privacy door.
The ChatGPT investigation: the landmark
In 2026, four Canadian privacy regulators — the federal Office of the Privacy Commissioner (OPC), Quebec’s CAI, and the information and privacy commissioners of British Columbia and Alberta — concluded a joint investigation into OpenAI’s ChatGPT (PIPEDA Findings #2026-002). The findings are a roadmap for how AI will be policed in Canada without an AI act.
The regulators found that the way OpenAI initially scraped personal information from the open internet to train its GPT-3.5 and GPT-4 models was overbroad and inappropriate under Canadian privacy law. They identified a cluster of failures that will sound familiar to anyone who has read PIPEDA: over-collection of personal information, lack of valid consent and transparency, factual inaccuracies about real people, weak mechanisms for individuals to access, correct, or delete their data, and gaps in accountability. The federal Commissioner found the complaint well-founded and conditionally resolved based on measures OpenAI had implemented or committed to. The BC and Alberta commissioners went further, concluding that OpenAI’s models rest on scraped data for which valid consent could not be obtained under their provincial laws.
Read that again in light of the earlier sections. There is no Canadian AI statute. And yet one of the most prominent AI companies in the world was formally found to have broken Canadian law — using nothing but the privacy statutes we already had. That is the whole thesis of this report, proven.
The broader enforcement picture
The ChatGPT case did not come out of nowhere. The trend has been building:
- Clearview AI (2021) established the precedent: the OPC and provincial counterparts found that mass scraping of Canadians’ facial images for a biometric AI product was unlawful. It was the first clear signal that AI trained on scraped personal data is a live enforcement target.
- Volume is rising. The OPC’s 2024–25 annual report records 446 accepted private-sector complaints and 686 data-breach reports for the year, with the Commissioner explicitly flagging privacy in an AI-driven world as a strategic priority.
- International cooperation is now standard. The OPC ran the 23andMe genetic-data breach investigation jointly with the UK’s Information Commissioner, and the ChatGPT investigation pooled four Canadian regulators. Canadian regulators are increasingly acting in coordinated blocs, which multiplies both reach and consequence.
What is actually being penalized
Strip the cases down and a pattern emerges. Regulators are not (yet) penalizing "AI" in the abstract. They are penalizing the data behaviours that AI systems make worse at scale:
- Collecting personal information you had no lawful basis to collect — the training-data problem.
- Making consequential decisions about people without transparency or recourse — the automated-decision problem, which Law 25 addresses head-on.
- Failing to safeguard the personal information flowing through AI systems — the shadow-AI and breach problem.
- Not being able to show accountability — no inventory, no assessment, no records when the regulator asks.
Every item on that list is preventable with governance, and every item is discoverable with a single well-aimed complaint or breach report. In Quebec, the price of getting it wrong runs to the millions. The enforcement risk in Canada is not hypothetical and it is not waiting for AIDA.
The Canuckt AI Compliance Readiness framework
Everything above describes the terrain. This section is the map I actually use with organizations. It is the one genuinely original thing in this report: a five-level maturity model for placing your organization on a scale from "AI is happening to us" to "AI is governed and provable." I call it the AI Compliance Readiness framework. It is deliberately vendor-neutral — you can climb it with any tools, or none.
The framework assesses five dimensions, because AI governance fails unevenly — a company can have a beautiful policy and zero visibility into shadow AI:
- Visibility — do you know what AI systems and tools are in use, including the unsanctioned ones?
- Accountability — is there a named owner, a policy, and a decision path?
- Risk assessment — do you assess AI systems for privacy, bias, and safety before and during use?
- Data control — do you control what personal information flows into AI systems?
- Assurance — can you prove all of the above to a regulator, an auditor, or a customer?
The five levels
| Level | Name | Visibility | Accountability | Risk assessment | Data control | Assurance |
|---|---|---|---|---|---|---|
| 1 | Ad-hoc | Unknown; shadow AI everywhere | No owner, no policy | None | None; anything can be pasted anywhere | Could not answer a regulator |
| 2 | Aware | Leadership knows AI is used; no inventory | AI use policy drafted; owner informal | Occasional, reactive | Guidance issued, not enforced | Some documentation, incomplete |
| 3 | Managed | Central AI inventory exists and is maintained | Named accountable owner; approved policy | Standard assessment for new AI uses | Technical controls (e.g. PII redaction) on key flows | Can produce records on request |
| 4 | Governed | Continuous discovery incl. shadow AI | Cross-functional governance function; clear RACI | Risk + impact assessments tied to lifecycle | Enforced controls across the org; monitoring | Evidence maintained continuously, mapped to law |
| 5 | Assured | Full, real-time visibility | Governance embedded in operations and board oversight | Independent validation; metrics and review | Data controls verified and tested | Third-party certified (e.g. ISO/IEC 42001); audit-ready |
How to use it
Most Canadian organizations I meet in 2026 sit at Level 1 or 2. They have adopted AI (the last section proved that), but visibility and assurance lag. The single highest-value move for a Level 1 organization is not writing a policy — it is achieving visibility. You cannot govern what you cannot see, and shadow AI is almost always worse than leadership believes.
The jump from Level 2 to Level 3 is where real compliance risk drops, because Level 3 is the first level at which you could survive a regulator’s "show me" request — the exact request the ChatGPT and Clearview cases turned on. Level 3 is a reasonable, defensible target for most small and mid-sized Canadian businesses in 2026.
Level 4 (Governed) is where I would put any organization touching regulated data — health, finance, children, or anyone exporting AI output into the EU’s high-risk categories before the August 2026 deadline. Level 5 (Assured) — with independent ISO/IEC 42001 certification — is currently a competitive differentiator; within a few years, for enterprise and government procurement, I expect it to become table stakes.
Pick your five scores honestly today. Your lowest dimension is your real risk, not your average. Governance is only as strong as the door you left unlocked.
Predictions: what’s coming in 2026–2027
Forecasting regulation is a good way to be wrong in public, so I will be specific and own it. Here is where I think Canadian AI compliance is heading over the next eighteen months.
1. Federal AI legislation returns — narrower, slower, and different
AIDA is not coming back as drafted; the government has said so. But the pressure to regulate has not gone away, and Canada does not want to be the only G7 country without an AI framework while the EU AI Act rolls out. My expectation: a narrower, more targeted federal instrument — possibly focused on high-impact or general-purpose systems, possibly folded into a revived privacy-reform package rather than a standalone AI act. Do not expect it in force before 2027. Do expect consultation drafts sooner. The organizations that built to ISO 42001 in the meantime will find the transition trivial.
2. Law 25 enforcement intensifies
The CAI now has a fully-in-force law, real penalty powers, and a mandatory incident register that quietly documents every organization’s failures. Expect the volume and visibility of Law 25 enforcement to climb through 2026–2027, with automated decision-making and inadequate consent as prime targets. Quebec will remain the most consequential AI-compliance jurisdiction in Canada, and its decisions will shape national practice.
3. The EU AI Act’s high-risk deadline forces Canadian hands
August 2, 2026 is a hard date: high-risk AI obligations under Annex III begin to apply. Canadian companies selling into Europe — or supplying AI features to European customers — will spend the back half of 2026 discovering whether their systems are "high-risk" under EU classification and scrambling to meet requirements they cannot ignore. This foreign deadline will do more to drive Canadian AI governance investment than any domestic policy.
4. Procurement becomes the real regulator
This is my highest-confidence prediction. Long before any Canadian AI law binds you, your customers will. Enterprise and public-sector buyers are already adding AI-governance and privacy questions to their vendor assessments, and ISO/IEC 42001 certification is starting to appear in RFPs. Procurement moves faster than legislation and it has a harder edge: fail the questionnaire and you lose the deal today. For most Canadian vendors, the buyer’s security-and-AI questionnaire will be the compliance deadline that actually matters.
5. Shadow AI moves from tolerated to unacceptable
As the enforcement pattern from the ChatGPT case sinks in, boards will stop treating shadow AI as an IT annoyance and start treating it as a disclosed-liability problem. Expect a wave of organizations moving from Level 1–2 to Level 3 on the readiness framework — driven less by regulators and more by their own risk committees finally asking "what data are our employees pasting into these tools?"
The through-line of all five predictions is the same: the forcing function for Canadian AI governance in 2026–2027 is not a Canadian AI law. It is Quebec, Brussels, and your own customers. Build for them.
Methodology and sources
I want to be completely transparent about what this report is and is not, because a citation-magnet asset that overstates its own authority is worthless.
What this report is. It is an analysis and synthesis of public, citable sources, written from the perspective of someone who builds AI-governance and privacy software for Canadian businesses. Every quantitative claim in it is drawn from a named public source — government statistics, regulator publications, official legal texts, or clearly-attributed third-party research — and linked inline. The categories of source I relied on are:
- Primary legal and regulatory texts — EUR-Lex for the EU AI Act, ISED for AIDA and the Voluntary Code, ISO for the 42001 standard, NIST for the AI RMF.
- Regulator publications — the Office of the Privacy Commissioner of Canada (annual report, investigation findings), and the joint federal-provincial ChatGPT investigation.
- Official statistics — Statistics Canada’s business AI-adoption series.
- Legal analysis from established Canadian firms tracking Bill C-27, Law 25, and the EU AI Act.
- Third-party industry research on AI adoption and shadow AI, cited with attribution and appropriate caution about sample and method.
What this report is not. It is not a primary survey. I did not survey a panel of Canadian businesses, and you will not find a single "we surveyed N companies and found X%" claim in these pages, because I did not do that and I will not invent it. Where I describe the shadow-AI phenomenon or the governance gap, I either cite a named external study or describe the trend qualitatively based on public data and direct field experience — and I say which.
The original contribution of this report is the synthesis itself — pulling the regulatory, adoption, and enforcement threads into one coherent 2026 picture — and the AI Compliance Readiness framework, a five-level maturity model I authored to give organizations a practical way to place themselves and find their next step. The framework is my professional model, not an empirical finding; use it as a lens, not a law.
A note on timing. The Canadian AI-policy environment is unusually fluid in 2026 — a dead bill, a promised-but-undrafted replacement, foreign deadlines landing in sequence. Facts stated here reflect the position as of July 2026 and the sources below. Where the ground moves, the sources will move first; start there.
If you want to go deeper on any single thread, the linked guides on the Canuckt learn hub — on AI governance, the EU AI Act, and ISO/IEC 42001 — unpack the practical detail this report only had room to summarize.
Sources
- EU AI Act — Regulation (EU) 2024/1689 (EUR-Lex)
- European Commission — AI Act regulatory framework and timeline
- ISED — Voluntary Code of Conduct on Advanced Generative AI Systems
- ISED — Artificial Intelligence and Data Act (AIDA)
- IAPP — Bill C-27 awaits fate after prorogation
- Gowling WLG — Federal privacy reform: where we left off and what’s next
- Osler — Law 25: enforcement scheme and penalties
- OPC — PIPEDA Findings #2026-002: Joint Investigation of OpenAI’s ChatGPT
- OPC — 2024–25 Annual Report to Parliament
- Statistics Canada — AI use by businesses, Q2 2025
- Statistics Canada — AI use by businesses, Q2 2024
- The Hub — Canadian businesses closing the AI adoption gap (StatsCan 2026)
- ISO — ISO/IEC 42001:2023 AI management systems
- NIST — AI Risk Management Framework
- Cybersecurity Dive — Enterprise data creeping into shadow AI tools
Frequently asked questions
Does Canada have an AI law in 2026?
No. Canada has no AI-specific law in force in 2026. The proposed Artificial Intelligence and Data Act (AIDA) was part of Bill C-27, which died when Parliament was prorogued on January 6, 2025, and the government has confirmed AIDA will not return in its original form. However, existing laws — PIPEDA, Quebec’s Law 25, BC and Alberta PIPA, PHIPA, and CASL — apply to AI systems in full, so "no AI law" does not mean "no AI compliance obligations."
If there is no Canadian AI law, can my business still be penalized for how it uses AI?
Yes. Enforcement in Canada arrives through existing privacy law, not an AI statute. The 2026 joint investigation into OpenAI’s ChatGPT by the federal Privacy Commissioner and the Quebec, BC, and Alberta regulators found unlawful collection of personal information using nothing but existing privacy laws. Quebec’s Law 25 alone carries penalties up to $25 million or 4% of worldwide turnover. The risk is real and current.
Does the EU AI Act apply to Canadian companies?
It can. The EU AI Act (Regulation (EU) 2024/1689) is extraterritorial: it applies to providers and deployers outside the EU when the output of their AI system is used within the EU. Prohibited-practice fines up to €35 million or 7% of worldwide turnover have been enforceable since February 2025, and high-risk system obligations begin applying on August 2, 2026. Canadian exporters and SaaS vendors serving EU customers should assess their exposure now.
What should a Canadian business do first to govern its AI use?
Achieve visibility. Before writing a policy, find out what AI tools and systems are actually in use across your organization — including the unsanctioned "shadow AI" employees adopt on their own. You cannot govern, risk-assess, or protect data you cannot see. On the AI Compliance Readiness framework in this report, that moves you off Level 1 (Ad-hoc) and is the foundation for everything above it.
Are ISO/IEC 42001 and the NIST AI RMF worth adopting if they are voluntary?
Yes, and increasingly so. Because Canada lacks a binding AI law, standards are filling the vacuum. ISO/IEC 42001:2023 is the world’s first certifiable AI management system standard, and NIST’s AI Risk Management Framework provides a widely-used risk vocabulary. Building on them means you are ready for the EU AI Act and any future Canadian law without betting on a specific statute — and ISO 42001 certification is starting to appear in enterprise and government procurement, where it functions as a de facto requirement.