I had the privilege of appearing before the Standing Committee on Industry and Technology (INDU) which is studying “Opportunities, Risks, and Regulation of AI in Canada’s Strategic Industries”.
My opening submission and opening remarks are set out below.
Madam Chair and members of the Committee, thank you for the opportunity to appear today.
I am senior counsel with McCarthy Tetrault and a member of its Technology, Cyber-Data, and Intellectual Property groups. I am also the author of several books including the 8 volume book Sookman, Computer, Internet, e-Commerce and Artificial Intelligence Law published by Thomson Reuters and have been an adjunct professor of intellectual property law at Osgoode Hall Law School. I am here in my personal capacity only.
As a technology lawyer for over 30 years, I have negotiated hundreds of agreements. Many of these have been negotiated with the backdrop of laws and regulations including those related to privacy and data protection, guidance from regulators including OSFI’s B-10 Outsourcing Guidelines, Technology and Cyber-security advisory, and Guideline E-23 regulating Model Risk (including AI models), and AIDA (before it was dropped).
I have seen how laws governing the uses of technologies including AI affects the costs, willingness, and timing of their deployments. Tbis is what I want to speak about.
First, new laws to specifically regulate AI technologies will slow down their deployment. Organizations, both Canadian and foreign, need to assess whether the technologies will comply with applicable laws. Canada is not the most important market for most technology companies that would deploy AI in Canada. Many international companies roll out their technologies by selecting those jurisdictions with the greatest market potential and ease of meeting regulatory and localization requirements. Having unique domestic requirements will slow or chill deployment and Canadian adoption.
Second, the development and deployment of AI systems most frequently involves global supply chain agreements with many parties including developers of AI technologies, application and library developers that rely on AI models, consultants, and ultimate users. When technologies including AI technologies are regulated by specific or prospective laws like AIDA, the contracting process becomes protracted – sometimes very considerably, and sometimes it just grinds to a halt as parties cannot agree on allocations of risk, standards, and flow down terms. This is especially the case when the counterparties are non-Canadian and where our laws, present or contemplated, diverge from those in major markets such as the U.S.
We need to take this real politic into account when deciding whether and how to regulate AI in Canada, especially given the divergences in approaches internationally.
Canada stands at a pivotal moment in the development and governance of artificial intelligence. AI systems are moving rapidly from research settings into widespread commercial and social deployment, and the choices we make now will shape whether Canadians primarily experience AI as builders, investors, and beneficiaries, merely as downstream users of systems designed elsewhere, or worse.
Canada has contributed enormously to the foundations of modern AI, yet we have struggled to retain talent, attract capital at scale, and build globally leading AI firms. A poorly designed regulatory approach could entrench that problem at exactly the wrong moment.
The reality is that a disproportionate amount of cutting edge AI is built in the U.S. including by thousands of ex-pat Canadians who left Canada to pursue opportunities they could not find at home. If our regulatory framework is excessively prescriptive or misaligned with other innovation-intensive jurisdictions of our trading partners, we should expect talent, capital, and product deployment to migrate accordingly.
The result would not be safer AI in Canada; it would simply mean less Canadian participation in shaping the technology.
My central submission is this: decisions as to how AI should be regulated in Canada must recognize the need to foster and not unduly slow down or create impediments to innovation. Thus, ideally, the regulatory frameworks to adopt, if determined necessary, must factor in these key principles:
- Regulate what are truly high risks to the public.
- Regulate using truly interoperable laws that will promote fast deployment in Canada by companies that already must meet similar requirements. By that I am not referring to requirements under the EU AI Act.
- Regulate using internationally recognized risk management standards and frameworks.
- Recognize that AI will have the ubiquity of electricity and micro-chips, so avoid regulating the technology, regulate the uses.
- As a follow on principle, put the regulatory authority in the body with the most experience e.g. OSFI for FIs, Health Canada for health related AI applications. Do not vest the authority in a single department, though a single department can play an important coordination role.
There are a plethora of laws affecting AI enacting by U.S. States. Some of these provide good examples of laws that have been enacted that AI companies already have to comply with including Canadian business seeking to do business in the United States.
For example:
- Regulation of deceptive AI in political advertising.
- Deepfakes and digital replicas.
- Sexual and child-safety harms involving generative AI
- High-impact automated decision-making.
- Government use of AI.
- Requiring transparency in generative AI training data, in the use of generative AI bots and chatbots, and in safety measures for AI controlled infrastructure and frontier models.
- Regulation of algorithmic discrimination including by use of dynamic pricing.
I am not advocating for any of these laws specifically. But, I am pointing out that many U.S. companies already have to comply with such laws.
I do not subscribe to the assumption that widespread AI adoption in Canada will only occur or be spurred by trust and confidence provided by new regulation of AI.
Lack of trust in AI because of inadequate regulation and uptake are not generally correlated. Canadians and organizations worldwide including in the U.S. and U.K, have worries about AI reliability but are adopting it anyways, because it is useful. However, the adoption is associated with uptake in AI specific governance guardrails. This is driven by customer AI policies and demand, professional standards, and reputational concerns — not by the prospect of any federal AI specific law.
In fact, deployment has accelerated during the precise period in which there are no specific federal laws governing the use of AI.
Nor is it true that AI specific regulation necessarily produces a trust premium that spurs adoption. The jurisdiction that has gone furthest in this direction — the European Union — has not produced a measurable trust adoption advantage over comparator jurisdictions, and many organizations believe that its regulatory architecture is itself undermining EU competitiveness.
A good example of the trust and adoption relationship is in the legal profession where there has been huge investments and adoption of AI – despite well known limitations in generative AI models including tendencies to “hallucinate” – and despite evidence that even with good governance all risks are not mitigated. How the legal profession in Canada regulates AI use is a good model the Committee should consider.
Where I do think caution is warranted is in relation to increasingly autonomous frontier systems that may pose catastrophic risks,[1] and in critical AI controlling critical infrastructure that are subject to State laws such as in California,[2] New York,[3] and Montanna.[4]
I am not minimizing the risks of AI. As Pope Leo warned in his recent Encyclical Letter,[5] AI systems can contribute to discriminatory decision-making, result in consequential decisions about individuals they do not understand, create worker displacement, have effects on children, and create serious other harms. But, in many, but not all cases, they are familiar types of harms arising through a new technical medium which can be regulated through existing or amended laws and existing sectorial bodies. I have written extensively on this.[6]
There are also issues of data protection that remain to be resolved.
To sum up, in considering whether and how to regulate AI in Canada, we should not hinder innovation based on the false assumption that AI will be adopted only at the speed at which trust and confidence are promoted through regulation. But, in some cases regulation may be necessary to help resolve uncertainty or to address specific issues. As a guiding principle, we should maintain Canada’s ability to compete, and intervene with AI specific interoperable laws where clearly called for, and where possible, by incremental adaptation of existing laws and existing regulatory bodies.
These approaches will better protect Canadians while also giving Canada a realistic chance to participate in building the technology that will shape the coming decades. We are at a critical juncture and we fall behind at our peril.
You can watch the video of my appearance here.
[1] “Catastrophic risk” means a foreseeable and material risk that a frontier developer’s development, storage, use, or deployment of a frontier model will materially contribute to the death of, or serious injury to, more than 50 people or more than one billion dollars ($1,000,000,000) in damage to, or loss of, property arising from a single incident involving a frontier model doing any of the following:
(A) Providing expert-level assistance in the creation or release of a chemical, biological, radiological, or nuclear weapon.
(B) Engaging in conduct with no meaningful human oversight, intervention, or supervision that is either a cyberattack or, if the conduct had been committed by a human, would constitute the crime of murder, assault, extortion, or theft, including theft by false pretense.
(C) Evading the control of its frontier developer or user.
[2] California SB53, requires large frontier AI developers to publish safety frameworks, assess catastrophic risks, and report critical AI safety incidents.
[3] New York, Responsible Ai Safety and Education (raise) Act, imposes safety, transparency, testing, and reporting obligations on developers of advanced frontier AI models.
[4] Montanna, SB212, requires deployers of AI-controlled critical infrastructure to implement AI risk management policies based on recognized standards.
[5] MAGNIFICA HUMANITASOF HIS HOLINESS POPE LEO XIV ON SAFEGUARDING THE HUMAN PERSON
IN THE TIME OF ARTIFICIAL INTELLIGENCE, online: https://www.vatican.va/content/leo-xiv/en/encyclicals/documents/20260515-magnifica-humanitas.html
[6] Barry Sookman, “AIDA’s Regulation of AI in Canada: Questions, Criticisms and Recommendations” (30 January 2023), online: https://barrysookman.com/2023/01/30/aidas-regulation-of-ai-in-canada-questions-criticisms-and-recommendations/; Barry Sookman, “AIDA: My Appearance Before the INDU Committee” (29 November 2023), online: https://barrysookman.com/2023/11/29/aida-my-appearance-before-the-indu-committee/.
