AI Regulation Tracker / Policy explainer
Canada Has No AI Act in 2026: AI Duties Run Through Privacy Law and the Treasury Board ADM Directive
The Artificial Intelligence and Data Act died when Parliament was prorogued, so there is no standalone Canadian AI statute. AI obligations now flow through federal privacy law and, for government departments and their vendors, mandatory Algorithmic Impact Assessments.
Anyone waiting for Canada to pass its version of the European Union's AI Act can stop waiting. The instrument that was supposed to become that law, the Artificial Intelligence and Data Act, was part of Bill C-27. It died on the order paper when Parliament was prorogued in January 2025 and was never enacted. As of 2026 there is no standalone federal AI statute in Canada, and none is in force to replace it.
That does not mean AI is unregulated. It means the duties arrive through instruments that already exist, applied to new technology. For a professional trying to plan compliance, the practical question is not "when will the AI Act pass" but "which existing rules already reach my AI use." In Canada in 2026, there are two answers.
Privacy law is the first channel
The first channel is federal privacy law. The Office of the Privacy Commissioner has taken the position that the Personal Information Protection and Electronic Documents Act, the country's private-sector privacy statute, applies to generative AI. In other words, the collection, use, and disclosure of personal information does not escape PIPEDA because a large language model is involved. Consent, purpose limitation, accuracy, and accountability obligations continue to apply.
Layered on top is a forthcoming privacy-reform bill. The policy direction, as articulated by Innovation, Science and Economic Development Canada, points toward updated privacy legislation rather than a dedicated AI code. That bill is not yet law, so it should be treated as a signal of direction, not as a current obligation. What binds today is PIPEDA as the Commissioner now reads it.
The Treasury Board Directive is the second channel
The second channel is narrower but more concrete. For federal departments and agencies, the Treasury Board Directive on Automated Decision-Making sets mandatory obligations when government uses automated systems to make or assist administrative decisions. Its central mechanism is the Algorithmic Impact Assessment, a questionnaire-driven process that scores a system by impact level and attaches proportionate requirements at each tier. Higher-impact systems carry heavier obligations around notice, explanation, human oversight, and testing.
The reach extends past government itself. A private company that sells an automated decision system to a federal department inherits the Directive's expectations through procurement. If your product will make or inform decisions about individuals inside a federal institution, the buyer will need it to satisfy the assessment process, which means you need to build for that from the start.
What this does not do
This framework has clear limits, and overstating it is a real risk. The Directive binds federal government use of automated decision systems. It does not, by itself, regulate a private company's internal AI deployments the way a general-purpose AI Act would have. PIPEDA governs personal information, not AI as a category, so AI uses that do not touch personal data fall outside it. And the forthcoming privacy bill is not yet enacted, so nothing in it can be cited as a current legal duty. The honest description of Canada in 2026 is a patchwork of existing law applied to AI, not a single comprehensive statute.
The cross-border angle
For a US firm planning Canadian AI compliance, the takeaway is a course correction. Building toward a dedicated Canadian AI statute is building toward something that does not exist. The workable plan is to satisfy Canadian privacy law for any system that processes personal information, and, if the firm sells into the federal government, to design to the Algorithmic Impact Assessment obligations under the Treasury Board Directive. That is a different architecture from EU AI Act conformity, and firms that assume the two regimes mirror each other will misallocate their compliance effort.
The direction could change. A future government could revive AIDA or introduce a new AI bill, and the privacy-reform legislation could reshape the first channel once passed. For now, the operative rules are the ones already on the books.
Frequently Asked Questions
Does Canada have an AI Act in 2026?
No. The Artificial Intelligence and Data Act, part of Bill C-27, died on the order paper when Parliament was prorogued in January 2025 and was never enacted. There is no standalone federal AI statute in force in Canada in 2026.
Who is affected by how Canada actually regulates AI now?
Any organization that expected a Canadian AI Act and planned around one, federal departments and agencies using automated decision systems, the vendors selling those systems to government, and any organization applying generative or automated processing to personal information under PIPEDA.
If there is no AI Act, what rules actually apply?
Two channels. Federal privacy law, with the Privacy Commissioner applying PIPEDA to generative AI and a privacy-reform bill still forthcoming, and, for federal departments and their vendors, mandatory Algorithmic Impact Assessments under the Treasury Board Directive on Automated Decision-Making.
How should a US firm plan Canadian AI compliance?
Build to privacy law and, where selling to the federal government, to the Algorithmic Impact Assessment obligations under the Treasury Board Directive. Do not build to a dedicated Canadian AI statute, because none is in force.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.