Transcript
Transcript: The Current State of Artificial Intelligence Regulation
[00:00:01 Text appears on screen that reads "Welcome".]
[00:00:06 The screen fades to Vanessa Vermette in a video chat panel.]
Vanessa Vermette (Canada School of Public Service): Good afternoon, everyone, and welcome. My name is Vanessa Vermette and I have the pleasure of serving as your moderator for today's session, focusing on the current state of artificial intelligence regulation. Before we start, I'd like to acknowledge that I'm joining you all today from the traditional unceded territory of the Algonquin Anishinaabe people. I offer my sincere gratitude to the generations of Algonquin people, past and present, who have been the stewards of this land.
I invite you all to take a moment to reflect on the significance of this place or of the lands you're joining us from today, and to honour the ongoing presence and contributions of Indigenous peoples. Today's session is designed for public servants to think critically about how artificial intelligence is reshaping governance, law and accountability. As AI tools become increasingly embedded in public decision-making, it's essential that we understand not only their potential for innovation, but also the legal and ethical frameworks needed to guide their use responsibly.
In a time when governments around the world are moving quickly to regulate AI, today's conversation offers insights into how Canada can develop approaches that balance innovation with transparency, fairness and public trust. It's a really juicy topic and we have a fantastic speaker with us today. So, there will be an opportunity for a Q&A session. I encourage everyone who's joining us today to submit your questions for our speaker using the bubble icon on your webcast interface.
Now, I'm very pleased to welcome our guest speaker today. Abdi Aidid is an assistant professor at the University of Toronto Faculty of Law, also the Canada Research Chair for Artificial Intelligence and Access to Justice and coauthor of The Legal Singularity: How Artificial Intelligence Can Make Law Radically Better.
[00:01:52 Abdi Aidid is shown in a separate video chat panel.]
His research explores how emerging technologies intersect with legal systems, regulation and institutional design. Professor Aidid is a leading voice on the role of AI in transforming how law is created, interpreted and applied. Issues that are increasingly relevant to policymakers and public servants alike. He also recently became a visiting scholar with us here at the Canada School of Public Service through the Ian D. Shugart Visiting Scholar Initiative, which we're very excited about. Today, he will provide an overview of the current landscape of AI regulation in Canada and globally, highlighting key developments, emerging trends and the diverse governmental approaches to managing AI-fueled innovation.
He will also discuss how Canada can strengthen accountability while enabling progress and what this means for the public sector's future role in shaping AI governance. With that, please join me in welcoming Professor Abdi Aidid. Abdi, it's a pleasure to have you with us today. Over to you. The floor is yours.
Abdi Aidid (Visiting Scholar, Canada School of Public Service): Thank you, Vanessa, for the really kind introduction. I hope everyone can hear me well. I'm just going to adjust a little bit here. I can't see you all out there, but I hope you're doing well. And I'm really excited to be here again, chatting with public servants who I think in many ways are at the cutting edge actually of AI use, which might surprise some of you to hear that about yourselves. But really, you're taking risks. You're dealing with challenging material. You're trying to figure out how to absorb tools into your practice in ways that I think the public is really interested in hearing about. And so, these are high stakes applications of tools that sometimes still feel speculative. And so, I want to commend everybody who's thinking about ways to use AI in their day-to-day and to let you know it's hard, it's tricky. And part of why we're having discussions like this are to help to make sense of what seems like sometimes an uncertain future. Let me tell you a bit about how I come by my interest in this topic, which I think can help ground things. I want to put my cards on the table. Vanessa mentioned that I wrote a book called 'The Legal Singularity'. And the subtitle of that is 'How Artificial Intelligence Can Make the Law Radically Better'. You might mistake that for being the text of an evangelist, but the key word is 'can'. 'Can' make the law radically better, because I don't think it's a guarantee that AI is going to do much of anything at all necessarily to… it's actually a deeply human enterprise, and it's entirely up to us to ensure that it inures to our benefit when it could very well go the other way.
And so, as excited as I am about what the AI future might portend, I also really believe that it's on us to figure out how to work it and to work it to our advantage. And actually, in my view, to subordinate it to our interests. Almost to conquer the thing that we know is AI. I've used this before, but I really do think about AI the way I think about air travel. I think we're all in agreement that it's the fastest way to get from point A to point B over a long distance. At the same time to get to my office today, I didn't take a plane. So, it's maybe not situationally always the thing that you necessarily want to use, but also you make certain demands of air travel at this point, like you want to believe there's a pilot in the cockpit, and there's a Transport Canada checking the nuts and bolts. And I think, you want there to be an ecosystem of constraints around it, like there's flight schools to make sure the pilots are well trained. And there's a number you can call if something goes wrong with your ticket. All of those systems and supports are things that are critical to ensuring that the plane lands effectively.
And the true state of artificial intelligence right now is that we haven't really invested in that ecosystem of constraint. The current state of AI regulation in Canada in just a couple of words is pretty bare bones. We don't really have a general AI law right now. We'll talk about why that's the case compared to, say, the European Union, which has the AI Act, which is a piece of comprehensive AI legislation.
Beyond that, we also are dealing with AI posing a bit of an existential challenge to the traditional ecosystem of constraints, which is law. For example, some of you are hearing about things like agentic AI. Agentic AI is when you take all of the cool data science techniques and artificial intelligence and invest them in a persona that's able to engage in unsupervised transactions, just to give it a hyper simplified conceptual understanding.
Well, what is that going to mean for contract law? Because if it's going to be able to make purchases on your behalf, part of what we expect from a contract is mutual promises and obligations, a meeting of the minds. Well, there's no mind available in this context. What does an autonomous vehicle mean for our system of negligence, where someone is considered to be responsible for damage that they caused by not taking sufficient precautions? Well, what about if it's fully automated and you don't have an individual to take precautions in the first place. What does it mean for intellectual property? What does it mean for even Charter rights? There's an acute challenge that AI is posing to all areas of law that make it less capable of constraining the phenomenon that is AI as well. And that's especially the case in the absence of what you might consider traditional, comprehensive AI legislation.
With that said, I think there's a lot to be excited about, and I'll tell you why for a couple of reasons. Well, one thing to be really excited about is that the upside of artificial intelligence is something that we already have the technical capability of achieving and sharing. The things that make our lives easier as public servants are not necessarily going to be the newfangled applications of artificial intelligence that are coming down the pipeline in 10 or 15 years. They're going to be the kind of technologies already available that we can get our feet wet right now with. So, for example, using generative AI for better responsiveness, for initial drafting of documents. Those things, those are constituent parts of our day-to-day that we can begin to figure out ways to use AI to supercharge are already technically possible.
I think that's not the case in all other fields. So, for example, if you're a surgeon right now or if you're someone who's doing something like robotics engineering, you're still waiting for technology to cross a certain threshold before you can figure out ways to work with it in a division of labour. I think today, we have a sense of what we can use AI for. And so, we can begin to experiment and we can begin to practice, which also means for people like me that we need to start getting ahead of developing rules and frameworks for responsible use. So, that's a positive. The other major positive, I think, is that the public sector is in a position right now where it's going to, I suspect that compared to your peers that are operating in the private sector, you have a good case for tapping the brakes lightly.
Why? Because you recognize that on the other end of all the services programs, policies that we work on, that we design, is a public who has interests. They have interests that AI can sometimes be threatening to. They have an interest in accuracy. They have an interest in fairness. They have interest in programs that are delivered without bias. They have an interest in Charter compliance. They have an interest in program quality. So, this is not the same as us trying to figure out ways to use agentic AI to supercharge our call centre. We're trying to figure out how to better meet people's needs, and so, sometimes that means more careful consideration. So, we're in a place where the technology is already useful to us in critical ways, but we're also in a place where there's a shared understanding that we should be careful before we get it too wrong. And so, I think between those two things is really a great opportunity to be really thoughtful and intentional about our own AI use. So, I hope an important part about this is understanding in the background what the law says, so far.
So, I did mention that we don't have any general AI legislation yet in Canada. That is really a function of what you might call an aborted attempt about a year ago. So, some of Bill C-27. Bill C-27 was supposed to be a piece of privacy legislation.
[00:10:57 A slide titled "Bill C-27" is shown. A circle containing the acronym "PIPEDA" is shown and crossed out next to an arrow that shows a circle containing the "Consumer Privacy Protection Act" next to a plus sign and two additional circles containing "Personal Information and Data Tribunal Act" and "Artificial Intelligence and Data Act", respectively.]
We have PIPEDA, which is our private sector privacy law. We have the Privacy Act, which is a federal privacy law. And these are what some critics might say a generation out of date, in part because they don't really contemplate our current information technology environment or things like frictionless data exchange. My more cynical colleagues might say that we have a privacy law that's built around faxing more or less. And the challenge there is that we're constantly having to stretch and strain what our privacy law is supposed to do. So, for example, the kind of safety and security measures that firms need to undertake in order to make sure that people's data is not lost didn't contemplates, say, mass warehousing, frictionless mass warehousing of people's information, rapid collection, using AI to glean insights about people even without their personal information. Those are things that weren't really anticipated by the privacy law. And so, part of what we were trying to do was overhaul it, make it more responsive to modern conditions, actually contend with technology. And the promise was Bill C-27 which was going to do a couple of things. First, it was going to supplant most of PIPEDA and in its place put forth the Consumer Privacy Protection Act, which is actually quite an intellectual achievement. It was a privacy law that was actually going to more adequately contend with the challenge of technology and give people robust rights. For example, it was going to give people things like data mobility rights, which it didn't have under PIPEDA, which meant things like, you having some control over where your data lives and whether it can move with you in certain contexts, etc. We were also going to create something called the Personal Information and Data Tribunal, which is going to be a quasi-adjudicative body that could deal with this emerging cohort of what you call privacy harms. So, people have grievances. They ought to have a body to resolve those grievances. It has some power to issue orders, make judgments. But the big surprise, even to people who were anticipating an overhaul of the privacy law, is that there was also an additional law appended to it, which was the AI and Data Act, AIDA or AIDA. I mean, tomato/tomato.
Actually, we don't even know if PIPEDA is PIPEDA. It depends who you're talking to. But the AI and Data Act was our attempt in Canada at creating a general artificial intelligence regulation. Now, a couple of challenges. Number one is how do you really regulate for AI, when you can't really be sure what's necessarily coming? And this is an important thing I want folks to think about, because many people are critical of places where AI is not meaningfully regulated. And the question I always follow up with is, I agree with you, it should be regulated. But the next question is how exactly do you want to do it? So, zooming out a little bit, I want you to think about, in law, we have really two types of laws. We have something called rules and standards.
So, a rule is a specific law. For example, you can't drive more than 50 kilometres an hour on Yonge Street. Okay? That's a rule. Why? Because no amount of context that you add to that bears on whether or not you violate the rule. So, if I'm driving 51, I broke the law. So, if a police officer stops me, I can't say, "Officer, there was no one around. I'm not in a school zone. I checked my brakes, they're working." If I'm driving 51 kilometres an hour, I violated the law. It's up to the officer whether to give me a ticket or not. Compare that to a law that said something like 'proceed reasonably safely on Yonge Street'. That's a standard. And then, context matters. It's not a binary violated or not. Context matters. Then, it starts to be like, were you proceeding reasonably safely? Well, there was no one here. It's not during rush hour. I'm not near a school zone. There are no pedestrians around. That bit of contextual information begins to bear on whether or not you violated the law.
Now, in what context would you want a rule versus a standard? Well, rules are good in context where you have perfect information. So, for instance, we know all the things that could happen on the streets. We know how more dangerous it is to drive 70 than it is to drive 50. We also don't want people making discretionary moral choices every time they're driving a car. We don't want people to be determining what counts as reasonable safety in their mind when they're driving cars, because then those streets would be full of chaos. Also, and this is important, we want things to be predictable. I want to be able to say, hey, my Google Maps told me that I'm going to get there in 20 minutes and that be like a real thing that I can bank on. And so, we try to have a specific rule in those kinds of contexts.
What are standards for? Standards are for circumstance where we can't exactly anticipate all of the different situations where the rule might be useful. So, think about merging. When you're merging in traffic, we say things like proceed reasonably safely. Merge when safe. Why do we do that? Because to put it in the most geeky way possible, the social activity is heterogenous. There are all kinds of circumstances that could occur that can make you decide whether or not to merge. It could be that there's a car speeding by. It could be that there's another car making a lane change. It could be that there's someone behind you pressing the horn. It could be that there's a truck and you're concerned about their braking distance. And so, the law invests discretion in you because it recognizes that it can't anticipate every possible circumstance.
So, when we're talking about regulating AI, we tend to prefer standards. Why? Because we can't imagine all the possible situations in which we might need an AI law where a law might be useful. We can't even anticipate what kind of technology is coming. So, we end up having broad standards like build responsibly, build safely, be accountable, be transparent. And then, we expect that people are going to use their discretion and to make those determinations. So, we start from a principle-based regulation. Now, over time, courts will specify what the contours of that standard are. It's not just that you can merge any time. We know that you can get ticketed or maybe arrested if you're merging, say, under X circumstances versus Y circumstances. So, over time, we supply the law with some context. And the hope for AI regulation is that we can start with broad principles because we can't anticipate all the social circumstances in which we might need it, and then we end up trying to specify the content of it later.
Standards tend to have a longer shelf life because if the social conditions that underlie them change, they don't suddenly become useless. They can become flexible and adapt, whereas rules have a smaller shelf life. Imagine we create an AI law, that was hyper specific that said when you're using GPT or when you're using NotebookLM or when you're using and we specify exactly the circumstances or when we say things even like generative AI versus machine learning, we are making bets on which technology is likely to have a long shelf life.
[00:18:50 A slide titled "Bill C-27" is shown. A circle containing the acronym "PIPEDA" is shown and crossed out next to an arrow that shows a circle containing the "Consumer Privacy Protection Act" next to a plus sign and two additional circles containing "Personal Information and Data Tribunal Act" and "Artificial Intelligence and Data Act", respectively.]
And so, necessarily, it's a first principles thing I want everyone to understand. Necessarily, AI regulation is going to be less specific, and part of it is because we're trying to contend with uncertain, yet-to-emerge social circumstances. And so, this is one of the big critiques of the AI and Data Act when it first emerged. People said it was skeletal, that it didn't actually contend with a lot of what was going on. And the response was largely that, well, we're going to be able to elaborate it as social conditions change. Because think about it, if we tried five years ago to develop an AI law, it would overindex on machine learning because that was the predominant kind of AI technology that we were building and developing. By November 2022, when generative AI becomes the wave, that AI law would have been useless.
And because we don't have a legislative system that auto updates, you still need to develop something that can endure. And so, one of the major reasons why AI regulation has been unsatisfying for people is partially because it necessarily is underspecified and overinclusive. And so, even despite that, Canada wasn't able to pass the AI and Data Act in part because when the government was prorogued, before the most recent federal election, it was terminated in committee, it hadn't yet received Royal Assent.
And so, the question now is how much of the AI and Data Act is going to be reintroduced? Now, I do want to say to people, the absence of general AI legislation doesn't mean there can't be other laws that contemplate AI. In some circumstances, you might think of our privacy law as being something that is effectively about AI because it polices what kind of data and what circumstances the data can be used, processed, disclosed for AI companies. You could argue that our tort law, which is a more common law or our constitutional law, are external constraints on AI because they articulate the conditions under which there might be liability for AI developers. And so, there's a way in which the rest of the law is crowding in on AI and acting as a shadow regulator. But we don't have the general legislation. Also, we don't really have what you might call pervasive AI regulation. So, one way to do this is to have a general AI law, like the AI and Data Act or Europe's AI Act. Another way to do it is to modify a bunch of domain specific laws to have some AI provisions.
If you look at the proposed Bill C-2, which I guess now is C-12, the government's proposed border security bill, making no comment on the bill itself, it's an omnibus bill that does a few things. It modifies a bunch of different pieces of legislation. It modifies the Customs Act, the Immigration Act, the Criminal Code, recognizing that they all ought to say something on the government's theory about borders.
So, imagine rather than an AI and Data Act potentially in the future, a piece of legislation… a scattershot regulatory effort that modifies the banking law and the Criminal Code and the tax code to include some AI provisions that way we're regulating more pervasively. That's a model that is contemplated in some jurisdictions, though not done effectively anywhere yet.
So, you have both the traditional law crowding in on AI to try to say things about AI, but sometimes it does so via clunky analogies. Students are always interested in hearing whenever I talk to my students about the way we analogize in legal settings. The famous example in the U.S., the law around search and seizure, whether or not the government is able to search your phone, for example, depends a lot on an analogy.
For example, is your phone more like a garbage receptacle or is it a more like a briefcase? The idea being you have no reasonable expectation of privacy in a garbage receptacle. Why? Because this stuff is discarded. So, you're not making efforts to protect it. So, if your phone is unlocked, it's more like a garbage receptacle. If your phone has a passcode, it's much more like a briefcase where you have a reasonable expectation of privacy because it's carrying your private effects. That's a clunky analogy that actually was the buffer between a constitutional arrest and one that violates constitutional principles. So, a lot of the law is trying to analogize from old jurisprudence to try to contend with modern contexts. And so, what we're doing right now is trying to analogize in that way. We're trying to imagine a law that's made around horses and buggies having to regulate road safety. We're doing that right now in the context of AI. And so, it's only a matter of time before those analogies are so strained that they snap and we actually are going to need more specific law. But the is crowding in on AI. There's no general AI rule, there's no pervasive AI regulation.
[00:23:32 A small yellow triangle with an exclamation point in it appears on the slide along with the note "(Not in force)".]
[00:23:34 A slide titled "Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems
From: Innovation, Science and Economic Development Canada" is shown.]
[00:23:55 A slide titled "Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems
From: Innovation, Science and Economic Development Canada" is shown.]
Does that mean that AI is totally unregulated? Not quite. So, we have other things that are creating some, let's call it upward pressure on ethical AI development. And some of them are voluntary codes. So, for example, the Government of Canada has a "Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems". This is a framework that allows developers to… has launched in September of 2023. So, about a year after generative AI became the most popular form of artificial intelligence. And signatories have to adhere to a whole host of good, positive principles around accountability, transparency, ensure that the data has the correct and good provenance, etc. And so, participation with these voluntary frameworks has somewhat increased and has been, like I said, is creating a bit of upward pressure on what you might call compliance.
And the truth of the matter is sometimes that's fine. What do I mean by that? So, if we depended on the privacy law to guarantee our privacy, we'd probably have less than we have. Why? Because the privacy law articulates a set of minimum conditions. But your average privacy policy, even with respect to a company that maybe you don't necessarily trust, probably makes more robust guarantees than the privacy law's minimum dictates. And the reason why is because there's upward pressure from competition, consumer expectations. Sometimes, there's some best practices that companies try to adhere to. And so, it's not like the law necessarily is always going to articulate the ceiling. Sometimes, it just articulates the floor, establishes the floor. And so, these voluntary codes are doing some work. The other thing that's doing a lot of meaningful work are what you might call industry standards or professional certifications.
[00:25:35 A slide appears listing:
"ISO/IEC 22989
Information technology - Artificial intelligence - Artificial intelligence concepts and terminology
Published in 2022 CHF0
ISO/IEC 42005
Information technology - Artificial intelligence (AI) - AI system impact assessment
Published in 2025 CHF177
ISO/IEC 23894
Information technology - Artificial intelligence - Guidance on risk management
Published in 2023 CHF 132
ISO/IEC 42001
Information technology - Artificial intelligence - Management system
Published in 2023 CHF 199
ISO/IEC 42006
Information technology - Artificial intelligence - Requirements for bodies providing audit and certification of artificial intelligence management systems
Published in 2025 CHF 155
ISO/IEC 38507
Information technology - Governance of IT - Governance implications of the use of artificial intelligence by organizations
Published in 2022 CHF 155"]
[00:26:02 A slide appears listing:
"ISO/IEC 22989
Information technology - Artificial intelligence - Artificial intelligence concepts and terminology
Published in 2022 CHF0
ISO/IEC 42005
Information technology - Artificial intelligence (AI) - AI system impact assessment
Published in 2025 CHF177
ISO/IEC 23894
Information technology - Artificial intelligence - Guidance on risk management
Published in 2023 CHF 132
ISO/IEC 42001
Information technology - Artificial intelligence - Management system
Published in 2023 CHF 199
ISO/IEC 42006
Information technology - Artificial intelligence - Requirements for bodies providing audit and certification of artificial intelligence management systems
Published in 2025 CHF 155
ISO/IEC 38507
Information technology - Governance of IT - Governance implications of the use of artificial intelligence by organizations
Published in 2022 CHF 155"]
So, some of you know about ISO, the International Standards Organization, they have a set of measures and standards that they present around artificial intelligence and responsible AI development, and specifically around some information technology guidelines that are becoming increasingly industry standard or acting as template material for what you're seeing in industry. And so even if somebody doesn't necessarily want to make the most ethical AI compliance program possible, what they often do is rely on an already prefigured AI framework and then adopt it wholesale.
This is how we started having standard contracts in just every area of life, was we started the proliferation of template agreements that then people started to adopt. And so that's happening a little bit in AI is, hey, you know what will adequately derisk you, if you use the ISO material or if you adhere to the voluntary framework. And so, there's a way in which we're almost automatically beginning to raise the floor in ways that are hopefully beneficial. I do want to say, though, the AI and Data Act, which is dormant for now, may meaningfully reemerge. But there's some question as to whether or not Canada is well positioned to have an exacting piece of AI regulation.
Part of it is that Canada is sometimes caught between a rock and a hard place. So, I'm speaking only for myself here. But the United States is next door and the U.S. doesn't have AI regulation. People ask me, I was teaching in the U.S. last year, teaching actually, obviously in data governance and of course, on AI law in the U.S. last year and students were asking me, when is the U.S. going to have AI regulation? And I said, probably the day after never. And part of why is because they actually don't even have federal privacy law. The U.S. has some subject matter, specific privacy law like HIPAA, and they have some constitutional principles, but they don't have a federal privacy law. We have PHIPA and the Privacy Act, there is no equivalent in the United States. And if you look at places that have AI regulation, these are leveraging their privacy law institutions. The AI Act in the European Union depends a lot on the GDPR, the General Data Protection Regulation, already existing, which is the EU's privacy law.
So, it looks like AI is going to be effectively unregulated at the federal level in the U.S., which is the level at which their large multinational technology companies play. And so, Canada is a country of 40 million people, and a lot of its technology companies are developing for external markets, often for the U.S.. Especially its larger ones. And so, there's some question about whether or not it would be too onerous to have stricter regulations than the U.S. has for Canadian companies who are wanting to sell to the U.S. market, there could be a quote unquote, double tax on them. That's one concern. But then there's the opposite tendency coming out of the European Union. The EU has the AI Act, and in the European Union, they have a set of advantages. For example, it's a supranational institution, which means it can impose things on its member states. Each member state wants to comply so they can do business with the other member states. But it also has a long arm reach. So, for example, part of the reason that we have the privacy law we have is because the European Union effectively insisted on it, because when the EU passed their own privacy law, they said that member states and companies in the European Union can't transfer data except to jurisdictions that have equivalent data protection.
So, the rest of the world was like, let's step it up. If we want to be able to do business in Europe. And so, you might see a little bit of that. The European Union casting a long shadow and again engaging in that floor raising. And so, my best bet is that we're going to have something, though I'm not sure it'll be the same-, that it'll look, it'll have the same touch and feel as the AI and Data Act. But until then, we have to operate assuming that there isn't meaningful AI regulation.
The other thing almost all of these general AI regulatory tools are focused on what's called high impact AI systems, meaning the productivity app that you use in your office and the various kind of enterprise solutions that we use are highly likely to, even in the best-case scenario, escape regulatory attention. Why? Because what is the government interested in? They're interested in ensuring that you don't have significant social or population level effects if you're building AI tools. It's focused on the big stuff that's likely to create the greatest amount of risk. And because of that rule standard problem, I told you earlier about the risk of over specifying it can't purport to contemplate every local application of AI.
There's a way structurally that a lot of AI will forever be unregulated, because of the small use cases and fragmented use cases. And so that's a challenge. That's one that I'm keen to talk to people about in the Q&A as well. Vanessa, how am I doing on time?
Vanessa Vermette: You have about two more minutes.
[00:31:05 A slide appears showing boxes containing the words "Information Collection" "Information Processing" and "Information Dissemination" with arrows pointing towards a central sphere with the words "Privacy" in it.]
[00:31:07 A slide with the title "Privacy Laws in Canada" appears showing two Venn diagrams separated by a plus sign. The first Venn diagram shows the intersection of "Federal", "Provincial" and "Sectoral/Matter Specific". The second shows the intersection of "Tort Law" and "Con Law".]
[00:31:08 A slide with the title "European Union's AI Act". A triangle is shown listing the types of risk, with "Minimal Risk – Code of Conducts" forming the base of the triangle and increasing with "Limited Risk – Transparency", "High Risk – Conformity Assessment" and "Unacceptable Risk – Prohibited"]
[00:31:38 A slide with the title "European Union's AI Act". A triangle is shown listing the types of risk, with "Minimal Risk – Code of Conducts" forming the base of the triangle and increasing with "Limited Risk – Transparency", "High Risk – Conformity Assessment" and "Unacceptable Risk – Prohibited"]
Abdi Aidid: Okay, I'm going to do two more minutes. I'll take a second here and talk about the European Union's AI Act, which I think is really important for folks to talk about, the construction of some of our discussion. So, I talked earlier about the rule standard idea and about regulatory models where you can have general legislation or you can have pervasive omnibus legislation that could modify different laws so that there is regulations closer to the ground. For example, if you have a piece of general AI legislation, it might not necessarily contemplate how you should use AI as a tax authority or in a tax professional service context, whereas maybe if you modified Income Tax Act to include some AI provisions, you could better get to where the rubber meets the road. That's a model. We appear to prefer the general legislation model. In the European Union, they prefer the general legislation model and AI Act.
But rather than do the thing that we're struggling with everywhere in the world, which is try to develop a law that's going to be useful across all these contexts, what they've done is approach it from what's called a risk regulation model, where they're mostly focused on working backwards from harm. So, imagine a legislative exercise where you're imagining all the bad things that could occur, and then developing a system to work backwards and try to mitigate against those. And so, what they've done is create a tiered risk. They basically said, look, not everything is our concern necessarily. At the same time, we want to make sure that the big things don't escape our attention.
So, they said, let's modulate the amount of scrutiny that we perform based on how risky something is. They created this tiered structure where there are certain categories of artificial intelligence technologies at the bottom which pose minimal risk. These are your enterprise applications, your local enterprise applications, for example, where a code of conduct is sufficient, they basically want you to do the work of adhering to standards that are consistent with the AI Act and that's enough. Up from that are ones that are what's called limited risk, which may have application in certain sensitive environments or will have a larger catchment population. And for those, not only do you have to have a code of conduct but you have to have transparency. For example, you might have to be able to produce something about the source code or the underlying data and provide some information and make flexible liberal disclosure to the public. Above that you have tools that we consider high risk. These are ones that typically will operate in areas like health, public safety, credit and financial services where we say there's a high propensity for harm, there's a significant risk of population level effects. And these are the kinds of areas where bias and discrimination are acute concerns. And in those contexts, not only you have to have codes of conduct and transparency, but you have to perform a conformity assessment. That is, you have to represent and warrant in advance that the technology conforms with certain dictates under the AI Act. And then there's a category where we consider unacceptable risk, which are per se prohibited. That upper category includes things like facial recognition in the public square. So, if you're trying to build a tool that helps to spot people's faces in the mall and run that against a privately held database, you just can't.
And now what's interesting here is that they're saying that we have scarce resources, we have divided regulatory attention. Let's make sure it's calibrated in such a way that it focuses on the most harm producing activity. And that's an interesting model to give some thought to because not only is it interesting to consider as an approach that we could have in Canada, but it's also maybe the way you might think about internal, even office level AI use frameworks. Maybe don't perseverate over someone using AI for spellcheck as much as you might for someone using a high for in a manner that's more likely to generate some risk of harm like external communication, for instance. And so, I'll stop there and hope to have a conversation with you all.
Vanessa Vermette: Thank you so much Abdi. What a great explainer to start us off. I'll invite everybody who's on the line. As a reminder, you can submit your questions for Abdi using the bubble icon at the top of your webcast window. But in the meantime, maybe let's pick up where you just left off in terms of the balance between innovation and kind of accountability within the public sector. When we talk about innovation and accountability, how can government institutions encourage progress without compromising fairness or transparency or quality and all those things that we strive for?
Abdi Aidid: Yeah, I mean, I take the view that you need to give some thought to which AI deployments are the most fraught. And for a while park those and figure out ways to prove the concept in less fraught, lower risk contexts. So, I'll give you an example, that's not about Canada, but everywhere in the world people are conceiving of AI as helping to solve processing problems, so they end up deploying it in environments where there's things like a backlog of applications and whatnot, and these end up being often some of the most socially fraught contexts, like Immigration and Refugee Board applications, for instance.
And so, people are doing the work of identifying a problem, seeing that AI, has computing power, a privileged vantage point, it could synthesize large volumes of data and and and, but not recognizing that actually there's asymmetric risk here because even if it's good at those things, the type of errors that it might generate are ones that we can't actually tolerate in this context.
That's not to say that you shouldn't use AI in those contexts, it's to say that that's certainly not a low-risk deployment. And so, maybe that shouldn't be the first one? So, think about opportunities that you have to gain experience with AI in ways where there's already maybe an additional layer of review and there's less broad public investment in the outcome. Because you want to work your way up to that. And you'll find there's actually so many of those. And so, you'll gain the experience with AI in no time, such that you can actually sit with your back straight and with confidence, so to deploy in environments that are a little more challenging.
Vanessa Vermette: That's really great advice. Thank you so much.
Abdi Aidid: One other thing I want to add to that is you also want to assess the quality of your data. So, there's a whole other challenge here, which is the thing about data, like gas in a car, the more you have, the faster you can drive or the more distance you can cover. And so, if you're in a situation where you're running low, then you should, maybe consider parking the car. So, assess the maturity and the quality of your data, if it's unstructured, if it needs some cleanup, those are prerequisites before any kind of risky deployment.
Vanessa Vermette: Yeah, I always like to think that it's just going to make us wronger, faster if we don't do that.
Abdi Aidid: (Inaudible)
Vanessa Vermette: So, we have questions starting to come in. I'm going to go to our participants and the first question is 'AI is rapidly evolving. Do you think that regulation can keep up with the pace of innovation?' Like do we have a hope here?
Abdi Aidid: Yeah, this is why I talked about the whole rule and standard thing, because standards have a built-in auto update feature because they're broad enough that they can accommodate different circumstances. The problem is that when they become so broad that they are effectively meaningless, like if someone tells you like 'behave' or if someone says, 'be transparent', what does that exactly mean?
My view is that we might have to do something very different than traditional legislation for artificial intelligence where we have to think about ways to regulate more dynamically. Imagine a future, we can do science fiction now, where speed limits on roads are not posted numbers, but they're actually dynamic. It's a screen that has a dynamic speed limit based on the time of day or based on it ingesting traffic data and understanding what the optimal safety speed might be.
There's plenty of times on Yonge Street where 50 is too fast, there's times where it feels too slow. Maybe the tool could ingest all the data about safety, traffic, population, how many pedestrians are here and give you a dynamic speed limit. That's kind of… I mean, I don't know that I would be in favour of that one but the idea here is that there's ways in which we can use technology and the advent of big data, and the proliferation of big data, and our own synthesis of data and information to inform what the applicable standards might be at a given time. I think that that's an interesting potential. But that's in the future, if we can't do that, then maybe we ought to put more of an onus on AI developers to show us their work in advance.
So, maybe the idea here is that we articulate broad principles, but we regulate by delegating, which is here's a principle you adhere to it by developing your compliance program and you show us your work. Show us what you're doing to represent and warrant people's safety and try to create a race to the top as opposed to the bottom.
Because you don't want people playing the audit lottery. The audit lottery is when you try your chances because you understand that regulatory scrutiny is rare or that the regulators time and effort is divided. There are plenty of people who read articles about the CRA being overloaded and then they play tax games. You don't want encourage that kind of behaviour.
Vanessa Vermette: Yeah. You don't want it to become just a cost of doing business to play the audit lottery. Okay, so I have another question for you, shifting gears a little bit, around trust. So, trust is a big recurring theme when we have conversations about AI and if you look at some recent surveys over the last several months, a lot of Canadians are a bit lukewarm on the trust factor when it comes to artificial intelligence.
So, what can governments do to make their own use of AI more transparent and understandable and therefore hopefully trustworthy to the Canadian public?
Abdi Aidid: Let me say one thing about trust first in general. Students ask me things about… let me put it this way, the generation below us, they don't trust anything, but they're also nihilists about privacy. So, for example, in law, we have things like the standard of a reasonable expectation of privacy. Well, what about people who just expect no privacy at all?
And so even though they both distrust things, but they're also okay with impositions on their freedom and their privacy, for example. And so, trust is not the whole thing. It's important to trust to have things, and you only use tools that you trust, but it's also important to have a strong sense of what you can tolerate and what you shouldn't tolerate. So, I just want to say that. The other thing is trust is culturally coded and relative. I'll explain what I mean by that. When GPT came out, there were a lot of people who were panicking about GPT being insecure and they were concerned that things they put into GPT maybe would get out one day or be used to train the model or have some other pernicious use. And those very same people are confidently using Outlook and Gmail and those kinds of things. And I always flagged that, not to say that you should trust GPT in an unqualified way, but to say that it's actually all risky. A tool like GPT doesn't pose a bigger safety concern for you than the traditional applications which you make pretty liberal use of.
And so maybe I'm actually saying you should trust it all less. The point here is that familiarity sometimes accounts for trust, and I want people to be more vigilant than that. To not just think that something is trustworthy because it's familiar, but to actually scrutinize terms of service, especially in a public sector context. If you're going to be using a tool and it's been provided to you by a vendor or you're using a tool that you're finding in some free browser based tool, scrutinize the terms of service. They're written in language that actually are increasingly accessible to all of us. And don't let trust just be a proxy for familiarity. Let it be something more principle-based.
In terms of how we can encourage more trust in AI amongst the public, I think it's about reducing the incidence of horror stories. I think people really hear bad things and those loom really large in their brain. A good example is hallucinations. Some people are obsessed with this idea of AI hallucinating. In law, we have situations where lawyers will submit cases to courts that are hallucinated material because they pulled it off of GPT. And now the whole legal profession is obsessed by it and we have conferences and trainings about how to stop hallucinations and whatnot. And hallucinations aren't the immutable problem in law, in part because actually everybody, be they the most evil people in the world or the smartest people in the world are all working together to reduce the incidence of hallucinations. Whereas everybody's trying to make deepfakes more deceptive. That's a bigger problem for us.
But because of the horror stories looming so large, our focus has been on hallucinations. And so, so long as we can reduce the incidence of those horror stories, I think people will be able to breathe easy. And so that's an important challenge for technologists, which is if you actually want to encourage adoption… because Canada's pretty low in AI adoption. Recent data showed that we were dead last in the G7 and OECD at a firm level adoption of AI. If technologists really want to encourage adoption of AI, then they have to work hard on adopting constraints such that these horror stories don't continue because it's not the shininess or the quality of the technology that's accounting for the lack of use. It's the trust gap. And I think this EU style pyramid is a good way of approaching that.
Vanessa Vermette: Super. Well, here's another question that picks up on something you were saying around our ability to scrutinize some of those terms of service. So, the question is 'We often see statements on forums explaining how our data will be used, for example, to provide a service. Under today's laws, how much flexibility do companies actually have to use that data for AI related purposes beyond the original intent?'
Abdi Aidid: Yeah, I mean, right now companies actually have a lot of flexibility and it's not for the reason you think. So, PIPEDA prevents companies from using data, for example, for purposes that are inconsistent with the purpose for which they collected them. But sometimes they get away with that by having an overbroad request of you, because consent wins in the end. So, if they ask you, 'Can I use all your data?', then they theoretically can use all your data, you just have to be vigilant and police the line. But again, the challenge is that you often don't have a meaningful choice. So, let's say there's like, I don't know, two delivery services and they both have the same terms of service, and you're someone in need of a delivery. Can you really be off the grid, so to speak, in the same way? So, as a matter of fact, there's a lot they can do, but there's something even more challenging than that, which is that they don't actually need your data anymore in the same way that they used to. Our privacy law is all built around like individual rights, like, don't tread on me, don't touch my data, don't learn anything about me. But actually, because of AI and the ability to synthesize large volumes of data, they don't really need your data as much as they need to be able to create like a synthetic rendering of who you are and what your preference might be, which they can do based on really general impersonal information.
So, maybe some of you have heard of the famous case involving Target, the American retailer where they were able to… they basically were sending mailers to people's homes, advertising products or whatever, and they basically were sending ads to a home with a father and a young daughter who was a teenager. And they basically were sending pregnancy related and early motherhood related products. It turns out they were able to predict the teen daughter's pregnancy. And a lot of people were like, wow, they were able to predict her pregnancy, because people imagine things like WebMD searches for morning sickness and that kind of thing. That's not it. They can get as granular as doing things like who's buying unscented hand lotion, because scent aversion is consistent with sometimes first trimester symptoms. And it's not as if they even need to know who the person is. They simply need to reconcile that information, those purchasing habits against, say, demographic data, income data, the incidence of teenagers in an area and they're able to make some pretty good guesses.
Companies know consumer behaviour almost never changes except around big anchor life events. So, for example, people only really change their buying patterns when they have children, when they start a new career, when they get divorced, when there's those kinds of things. And so, companies are invested in predicting those events in your life, and they can do so within a margin of error. Probably credit card companies are probably better predictors of divorce than divorce counselors might be. Really. And they're not doing it always based on invasive data. They're doing it because they're able to take innocuous pieces of data, but reconcile them in a way that allows them to glean an important insight. And so, the privacy law polices your personal information. What about a bunch of impersonal information about me that altogether adds up because of your newfangled data science techniques? That's something I don't want you to know. That's a concern. We have no rules for any of that.
Vanessa Vermette: Yeah.
Abdi Aidid: And there's somebody, remember Ralph Nader? Famously, you now, 2000 election spoiler.
Vanessa Vermette: Yes.
Abdi Aidid: But before that, Ralph Nader was a well-known consumer advocate. He's one of the reasons why we have certain safety standards in cars. He was a plaintiff's lawyer, he would take it to GM in particular, and actually not GM, GM, Ford and Chrysler. The big Detroit three. There is a called 'Nader v. GM'. What happened? So, the companies who found him to be a thorn in their side were pursuing him. And they were following his car. And he basically said that's a violation of my privacy, and the argument, of course, is that it's your car and you're going in public places. You're driving around. Nothing that you're actually doing here is private and the argument that the court ended up accepting from Nader was no one snapshot of anything I'm doing is necessarily a violation of my privacy. But the full picture together tells a narrative about my life that someone would only know if they were stalking me.
And that's the challenge that we have right now in the world of privacy and AI. It's a bunch of innocuous pieces of data that are reconciled against other innocuous pieces of data, but add up to a story about you where people are able to make predictions about your life and are able to actually leverage your profile for all kinds of things. Now, here's another. I'll say this one last thing. Here's what's so fascinating about that. Remember I said that the privacy law is all about, don't tread on me, don't get in the way, don't intervene in my affairs, don't look at me, basically. Well, imagine this. In a world of algorithmic decision making, I actually have an interest now in you actually having accurate personal data about me. Why? Because if you're going to discern my mortgage worthiness, my credit worthiness, my access to certain products, my access to certain insurance premiums, on the basis of this non-specific general information, I'd rather you actually use my information so that it's correct about me so that I can get the stuff right. And so the whole set of privacy laws and rights are totally inverted. We're kind of in the middle of a privacy paradox because of AI.
Vanessa Vermette: Yeah, I kind of have the opposite instinct with respect to dynamic pricing. I kind of don't want them to know who I am because then I want to see, I want to compare the prices if I'm logged in to something or not, and using a VPN to see how it shifts because that's something that I'm seeing more and more, which is like we are in the sci-fi world right now already.
Abdi Aidid: Totally, except what if it starts to be, what if they start to look at your demographic profile and, say, driving insurance premiums and you're like, actually I've been safe.
Vanessa Vermette: Yeah.
Abdi Aidid: Actually, I have a flawless record. Then you start to want to intervene with your own personal information. Now imagine that at scale.
Vanessa Vermette: Yeah, mind boggling. So, this is flying by and you've been answering these questions really thoroughly with a lot of exciting nuggets that I want to dig into. But we're going to get into the closing, so I want to get your thoughts on what direction do you think Canada is headed when it comes to AI regulation? Are we headed in the direction of this pyramid? Are we headed in a different type of sectoral approach? What do you think is going to happen here?
Abdi Aidid: Yeah, I think I think we're actually in a privileged position right now because we can see what's happening in the European Union. The enforcement phase just began. And so, we're going to start to see what kind of AI harms that the AI Act is surfacing in Europe. And if they have success contending with those then it proves that it's an interesting model to adopt. I'm actually someone who believes that the best way to regulate AI is kind of at the root. Something more domain specific. So, you should have AI provisions of your health law, your tax law, criminal code, etc., because then you can actually have rules that are meaningfully responsive to the social conditions that produce the harm.
And so maybe our omnibus legislation style is going to really pay off in this context where we might have an opportunity to regulate more pervasively. The bottom line, though, is that Canada is between a rock and a hard place, between the European Union as a main, as a significant partner culturally, economically, that wants to regulate more and the U.S., which is our major trade partner and giant next door which doesn't really want to regulate at all. So, I don't imagine that Canada will be… that those conditions will change either.
Vanessa Vermette: So, zooming in on one area of harms that we haven't talked about, but that does come up a lot with our audience is what are your thoughts or predictions on AI in regards to its environmental impact and how do we regulate for that?
Abdi Aidid: Yeah, so two things I want to say about that. Again, I think people talk to me about artificial general intelligence and when the robots are going to take over. And my bigger concern is the planet burning up before that happens. In part because these technologies make such profound physical infrastructural demands. And the simple thing, I'll say two very quick things. One is the same way I talk about the interest convergence, trying to reduce the incidence of hallucinations. Well, actually, everybody's trying to reduce AI's dependence on physical infrastructure and computing power. And so, the trend is towards more efficient models that make fewer demands. And so, unlike, say, renewable energy, the industry is actually actively sort of trying to gallop towards more efficiency. And so, in some ways they might even outpace the regulation in trying to like reduce the dependence on physical infrastructure.
With that said, we're going to have to figure out ways to more evenly distribute the burden. One big challenge right now is that the places that are well-positioned to host things like data centres, it kind of tracks the logic of which communities want things like prisons or want things like wastewater treatment facilities or want things like large waste management plants. It's often downtrodden communities that are in need of work. And when they're so exposed to things like the data centres, then they're the ones who are going to have the cold showers at night and they're the ones that are going to have the local ecological damage. And so, what we need to do is figure out ways to more equitably distribute some of those burdens and it's not going to do the work of helping us solve all the economic problems. But that's a low hanging fruit thing that we need to give some thought to right now.
Vanessa Vermette: Thanks so much. I think we're going to leave it there. I think it's both hopeful and a call to action for us as public servants and policy professionals here in Canada. I just want to on behalf of the Canada School, thank you, Abdi, for this conversation. Thank you for your presentation. Thank you for your generosity and sharing your knowledge in response to our audience questions. I also want to thank all of you, members of our audience today for being part of the discussion and for submitting your questions. I really hope that you found the conversation inspiring, thought provoking, a little bit terrifying, but also helpful. And I encourage you all to visit our website, keep up to date and register for our future learning opportunities on this topic and other related ones. So, thank you again, everyone. Have a wonderful day.
[00:56:53 The CSPS logo appears onscreen.]
[00:56:58 The Government of Canada logo appears onscreen.]
