While Alberta companies wait for federal AI legislation that may never arrive in its proposed form — Canada's Artificial Intelligence and Data Act (AIDA) stalled when Parliament prorogued in early 2025 — provincial regulations are creating a patchwork of compliance obligations that affect organizations across the country. Two pieces of legislation matter most right now.
Quebec Law 25: Fully Enforced
Quebec's Law 25 (officially "An Act to modernize legislative provisions as regards the protection of personal information") completed its three-year rollout in September 2024. It's now fully enforced with penalties reaching $25 million CAD or 4% of global revenue.
For companies deploying AI, the critical requirements are:
- Automated decision-making disclosure: If you use AI systems to make decisions that affect individuals — credit scoring, hiring, insurance underwriting, service eligibility — you must inform the individual that the decision was made by automated means.
- Right to explanation: Individuals can request an explanation of how the automated decision was reached, including the factors and personal information used.
- Privacy impact assessments: Before deploying any AI system that processes personal information, you must conduct a privacy impact assessment (PIA) and document the risks and mitigation measures.
- Cross-border transfer restrictions: Transfers of personal information outside Quebec require a privacy impact assessment specific to the receiving jurisdiction's protection levels.
Ontario Bill 194: Canada's First AI-Specific Regulation
Ontario's Enhancing Digital Security and Trust Act (Bill 194) received Royal Assent in November 2024, making it Canada's first AI-specific legislation for public institutions. If your organization serves Ontario government entities — provincial ministries, hospitals, universities, school boards — you're already in scope.
Key requirements include:
- AI transparency: Public institutions must disclose when AI systems are used in decision-making processes affecting individuals.
- Cybersecurity standards: Mandated cybersecurity programs for public sector entities, likely to be extended to their vendors and service providers.
- Accountability framework: Documented governance structures for AI systems including risk assessment, bias testing, and human oversight requirements.
Why This Matters for Alberta
Alberta doesn't have equivalent AI-specific legislation yet. But Alberta companies are affected in three ways:
- Cross-provincial operations: If you serve clients in Quebec or Ontario, you're subject to their regulations. A Calgary energy company with operations in Quebec must comply with Law 25. A healthcare IT vendor serving Ontario hospitals must comply with Bill 194.
- Federal procurement: The federal government is increasingly requiring AI governance documentation in procurement. Companies without a formal AI management system lose competitive position.
- EU market access: The EU AI Act applies extraterritorially to any organization whose AI outputs are used in EU markets. Penalties reach 35 million euros or 7% of global turnover. Alberta's energy and resources sector has significant EU exposure.
How to Prepare: ISO 42001 as a Unified Framework
Rather than building separate compliance programs for each jurisdiction, organizations can implement ISO/IEC 42001:2023 — the international standard for AI Management Systems — as a single governance framework that satisfies requirements across jurisdictions.
ISO 42001 addresses the core obligations that all of these regulations share: risk assessment, bias monitoring, transparency, human oversight, and documented governance. One framework, built once, applicable everywhere.
The organizations that implement AI governance now — before they're forced to — will have a significant competitive advantage as regulation accelerates across Canadian provinces and internationally.