Privacy Commissioner: New Ontario law regulating AI in public sector has significant shortcomings

By Karunjit Singh

Law360 Canada (December 3, 2024, 5:09 PM EST) -- Ontario’s privacy commissioner, Patricia Kosseim, has said that a lack of transparency and explicit independent oversight in a recently passed bill addressing the use of artificial intelligence (AI) systems at public sector entities should be a “cause of concern of Ontarians.”

The Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) received royal assent on Nov. 25. Kosseim described it as "arguably the most consequential bill of the current legislative session."

The Act empowers the provincial government to issue regulations requiring public sector entities to provide information to the public about their use of AI and to develop and implement both an accountability framework and a risk management process regarding the use of AI.

The legislation also provides for the creation of regulations requiring public sector entities to use AI only for prescribed uses and to disclose prescribed information in relation to the use of AI.

In a blog post, Kosseim noted that the bill provided a chance to set statutory guardrails for public sector use of AI but left all the critical rulemaking for future regulations to be set by government overseeing its own public institutions.

“AI-enabled decisions must be traceable — institutions must clearly explain how automated decisions are made and take responsibility for the outcomes. People must be provided with ways to challenge AI decisions, and there must be independent oversight to hold institutions accountable,” she said in a blog post.

Kosseim noted that AI systems must be valid and reliable and undergo meticulous testing, with human review, to verify that they’re functioning reliably.

She added that AI must be developed using a privacy-by-design approach, with safeguards built in to minimize data collection, reduce privacy and security risks and ensure personal information is used only when necessary.

"Bill 194," she wrote, "provides no clear or direct avenue for individuals to file privacy complaints to my office if they are legitimately concerned about the over-collection, misuse or inaccuracy of their personal information and consequential decisions made about them, including through AI."

She also wrote that AI must affirm the human rights of individuals and communities and actively address historical biases to ensure that decisions made or assisted by AI are fair, non-discriminatory and respectful of human dignity.

“These are foundational principles. Yet Bill 194 mentions none of them. Instead, it authorizes the minister to set out eventual rules by way of regulation,” she said, adding that these principles should have been codified in the bill.

Kosseim also noted that the bill provides no clear or direct avenue for individuals to file privacy complaints to the privacy commissioner if they are legitimately concerned about the over-collection, misuse or inaccuracy of their personal information and consequential decisions made about them, including through AI.

“Without statutory guardrails and explicit independent oversight, Bill 194 missed the opportunity to secure Ontarians’ trust in AI’s promise to deliver a prosperous digital future for them and their children,” she wrote.

The province did not immediately respond to a request for comment.

In a Dec. 2 article published by Fasken Martineau DuMoulin LLP, the law firm notes that the only significant amendment to Bill 194 since its First Reading was to expressly exclude the Legislative Assembly of Ontario from its definition of “public sector entities.”
