Notes from the IAPP Canada: AI strategy, lawful access and more

Canada's AI strategy, lawful access proposal and pending privacy rulings are converging.

Contributors:
Constantine Karbaliotis
AIGP, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP
Counsel
nNovation
With IAPP Country Leader, Canada, Kris Klein, CIPP/C, CIPM, FIP, away, he's asked me to write this week's notes, and I feel like a short-order cook dealing with a busload of tourists that just arrived while the chef is away.
First up on the menu: Canada's national artificial intelligence strategy lands the week of 2 June. It is unclear whether a law will accompany this dish.
The Tumbler Ridge tragedy reframed the government's perspective on regulation. OpenAI flagged and banned the shooter's account eight months before the attack and chose not to inform the police. British Columbia Premier David Eby has pressed Ottawa to set minimum thresholds for when platforms must report threats of violence to law enforcement, and Canada's Minister of AI and Digital Innovation Evan Solomon said all options are on the table. The question is whether the strategy's release will impose binding obligations on AI platforms, such as reporting duties and transparency requirements.
Canada's concerns around sovereign AI have led to a many-course dinner so far:
- Six pillars previewed 28 April. The full strategy is expected next week.
- A Personal Information Protection and Electronic Documents Act-successor privacy bill is expected alongside, perhaps in the fall. A standalone AI Act could be a surprise ingredient.
- CAD66 million committed to 44 compute projects 12 May.
For the public sector palate, the Treasury Board of Canada released its "Guide on the Use of Agentic Artificial Intelligence" 22 May, distinct from the national strategy.
The week's spicy dish was Bill C-22, the Lawful Access Act, now before the Standing Committee on Public Safety and National Security. Its Part 2, the Supporting Authorized Access to Information Act, would require electronic service providers to build interception capability and retain metadata for up to a year.
Privacy Commissioner Philippe Dufresne welcomed the narrower confirmation-of-service demand but urged tightening the "systemic vulnerability" definition so that orders cannot weaken encryption. Apple and Meta have raised concerns; Signal has said it would leave the Canadian market, the Canadian Civil Liberties Association has filed opposition, and there has been significant criticism from privacy professionals and advocates. Opposition parties have signaled amendments. It remains to be seen if the pressure cooker will change the recipe.
Bill C-8, the Critical Cyber Systems Protection Act, sits before the Senate committee after the House removed its prior judicial authorization checks, following challenges over its reliance on executive orders. Whether the Senate will restore judicial oversight as part of the dish is an open question.
For dessert, sometime in June: The Supreme Court's Facebook judgment, reserved since March, could reset consent standards. In 2024, the Federal Court of Appeal held that clicking through terms of service does not establish meaningful consent and that Facebook failed to safeguard the data it disclosed to third parties. Facebook is appealing both findings.
Order up.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.



