On June 4, 2026, Prime Minister Mark Carney launched "AI for All," Canada's new national AI strategy. Its most consequential regulatory choice is what it does not contain: a standalone AI statute to replace the failed Artificial Intelligence and Data Act. Instead, Ottawa is routing AI accountability through a modernised privacy law and a new online safety bill — a pragmatic bet whose durability will depend entirely on whether either bill survives parliamentary scrutiny.
AIDA's Failure Sets the Terms
AIDA was introduced in June 2022 as Part 3 of Bill C-27, bundled alongside a proposed Consumer Privacy Protection Act. It never reached third reading. When PM Justin Trudeau prorogued Parliament on January 6, 2025 — following his resignation — Bill C-27 died on the order paper after nearly three years of committee work that produced amendments satisfying almost nobody.
The substantive criticisms were legitimate. AIDA's definition of "high-impact AI system" was vague enough to capture low-stakes automation and narrow enough to potentially miss deployed models already shaping credit and hiring decisions. Ministerial discretion provisions alarmed civil society; compliance timelines alarmed industry. The Schwartz Reisman Institute at the University of Toronto concluded after AIDA's collapse that federal legislation "is far from being the only tool in our AI toolbelt," pointing to Canada's 2019 Treasury Board Directive on Automated Decision-Making and Ontario's Bill 194 — AI regulation for the public sector, enacted November 2024 — as evidence that governance can accumulate incrementally outside omnibus legislation.
The Two Legislative Vehicles
In the ten days following the AI for All launch, Ottawa tabled two bills that carry the governance load AIDA was supposed to bear.
Bill C-36 — the Protecting Privacy and Consumer Data Act, first read June 15, 2026 — would replace PIPEDA, Canada's 25-year-old federal private-sector privacy law. Its automated decision system provisions require organisations using machine learning or predictive analytics to explain their outputs to affected individuals and allow challenges to decisions with significant legal effects. A new Digital Safety and Data Protection Commission would replace the Office of the Privacy Commissioner for private-sector enforcement, with penalty powers reaching CAD $25 million or 5% of global revenue for the most serious violations. Privacy Commissioner Philippe Dufresne called C-36 "a pivotal step for privacy in Canada" in a June 15, 2026 statement, welcoming strengthened children's protections and mandatory privacy impact assessments.
Bill C-34 — the Safe Social Media Act, first read June 10, 2026 — covers social media platforms and, crucially, chatbot services. AI systems that "use a natural language interface to provide adaptive, human-like responses" are brought within scope. Chatbots must disclose their non-human status, immediately interrupt sessions involving suicidal ideation to direct users to crisis resources, and avoid manipulative engagement techniques. Penalties reach CAD $20 million or 5% of global revenue.
Neither bill is law yet. Both face full parliamentary debate when sittings resume in September 2026.
The Investment Case
Alongside the regulatory package, AI for All commits roughly $2 billion in federal spending. The centrepiece is a $700 million top-up to the AI Compute Access Fund — bringing total compute commitments to $1 billion — aimed at reducing Canadian AI research dependence on US hyperscaler infrastructure. The Canadian AI Safety Institute receives $50 million to expand model evaluations and track emerging risks. The strategy targets 250,000 new AI-related jobs over five years and seeks to raise business AI adoption from approximately 12% today to 60% by 2034.
The compute investment has concrete strategic logic. Canada's three National AI Institutes have produced world-class researchers who routinely commercialise their work in the United States. Sovereign compute infrastructure, combined with a US immigration environment generating genuine psychological fatigue among H-1B holders, gives Canada a credible talent-retention argument that the strategy is positioned to exploit.
The Strongest Case for This Approach
The most defensible argument for embedded over standalone governance is structural: a rigid sector-neutral AI statute faces an inherent calibration problem. A law designed around 2022 AI capabilities is likely miscalibrated for 2026 deployment realities, and will be more so by 2029. Embedding AI accountability in privacy law — where the harm nexus is concrete and the enforcement infrastructure already exists — is more proportionate and more adaptive. The EU's GDPR drove meaningful AI accountability through Article 22's automated decision provisions for years before the AI Act came into force. Canada's approach is not without precedent, and proportionate regulation targeted at specific harms is almost always better than omnibus statutes chasing a moving technical target.
The Gaps Critics Identify
The criticisms are pointed. Analysts writing in The Walrus noted that the phrase "human rights" does not appear once in the AI for All strategy document — a striking omission for a framework governing a general-purpose technology. Vass Bednar observed that public trust in AI requires "responsible governance and reliable products," not literacy campaigns that treat Canadians' demonstrated skepticism as a communications problem.
Legal scholar Michael Geist raised a structural concern specific to Bill C-36: transferring private-sector privacy enforcement from the independent Privacy Commissioner — an Agent of Parliament with genuine insulation from Cabinet — to a newly created Digital Safety and Data Protection Commission is unprecedented among Canada's democratic peers. No comparable country assigns private-sector data protection to a body that simultaneously polices online harms, and Geist warns the concentration risks diluting both mandates.
The most consequential gap remains the absence of explicit liability for high-risk AI applications. Hiring algorithms, credit-scoring models, and predictive risk tools may fall within C-36's automated decision provisions — but enforcement runs through a nascent commission with a crowded mandate. That is a meaningful accountability gap compared to a dedicated AI regulator.
The Bottom Line
Given AIDA's trajectory, Ottawa's choice is arguably the only politically viable one — and it may be the right one. A standalone AI act that remained unfinished after three years of parliamentary review was not delivering governance. Embedding AI accountability in privacy and safety law, where the harm nexus is clearer and the enforcement infrastructure already exists, is proportionate and more likely to reach Royal Assent.
The test is execution. Canada has replaced one ambitious, stalled statute with two ambitious bills. Whether that constitutes progress depends entirely on whether C-36 and C-34 pass — and whether the new Digital Safety and Data Protection Commission is resourced to handle a mandate that spans privacy violations, online harms, and algorithmic accountability simultaneously. If either bill stalls, as its predecessors did, Canada will have traded AIDA's failure for something no better: a governance vacuum disguised as a strategy.