Skip to content

Our Ontario Lawyers

When success matters, there is no substitute for the advantage that comes from experience.

Search for a lawyer below:


Search Results

We're sorry, We cannot locate any lawyers with that criteria. Please search again.

Sort By:

Experience and Expertise:

How Can We Help? We’ll be happy to match you to the right qualified Lerners Lawyer.

Bill 194, Part II: Enhancing Digital Security and Trust Act, 2024

4 minute read

Since the world was introduced to ChatGPT, privacy and data security experts have been calling for increased regulation regarding Artificial Intelligence (AI). In particular, the Information and Privacy Commissioner (IPC) of Ontario has called specifically for legislation governing the use of AI by public entities in this province. Of course, the ongoing and arguably increasing threat of cyber incidents and breaches has also led to demand for regulatory oversight to compel cyber security. It appears these calls have been responded to, if not yet directly answered.

As described in Part I of this two part bulletin, on May 13, 2024, the Ontario government introduced Bill 194, An Act to enact the Enhancing Digital Security and Trust Act, 2024 and to make amendments to the Freedom of Information and Protection of Privacy Act respecting privacy protection measures.  See Part I for an overview of the proposed amendments to FIPPA.  In this Part II, an overview of the proposed new law, Enhancing Digital Security and Trust Act, 2024, relating to cyber security and artificial intelligence, is provided.

Key features of the new proposed Act are:

  • The Act will apply to all public sector entities as defined in the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, children’s aid societies, and school boards— all of which are included in the definition of “public sector entity”.
  • Regarding cyber security, the Act provides for the enactment of regulations that will:
    • Require public sector entities to develop and implement programs for ensuring cyber security;
    • Govern such cyber security programs, including requiring specific elements;
    • Require the submission of reports in respect of incidents related to cyber security, including the form and frequency of such reports; and
    • May also include roles and responsibilities of specified individuals, reporting on progress towards ensuring cyber security, education and awareness measures, response and recover measures for incidents, and oversight measures for implementation of cyber security program.
  • The definition of artificial intelligence includes AI that is developed or procured by a public sector entity, or developed by a third party on behalf of a public sector entity. It is also clearly stated that the collection, use, retention or disclosure of digital information by a public sector entity includes such activities conducted by a third party on its behalf. In other words, the public sector entity will have obligations to ensure the compliance of any third party acting on its behalf.
  • Regarding the use of artificial intelligence:
    • The relevant provisions of the Act will apply to public sector entities “as may be prescribed” if they use or intend to use an AI system in the “prescribed circumstances”, which implies that the regulatory requirements regarding the use of an AI system will not apply to all public sector entities in all circumstances.
    • Prescribed public sector entities in prescribed circumstances, may be required to: provide public disclosure about the use of an AI system, develop an accountability framework, manage risks associated with the use of the AI system, and shall use the system in accordance with any prescribed requirements, and not for a prohibited use.
    • For specified uses of an AI systems, as prescribed by the regulations, a public sector entity will be required to disclose information and ensure that an individual exercises oversight in accordance with the regulations.
  • Bill 194 also addresses digital technology affecting individuals under age 18 and includes provisions for the proposed Act that will allow for regulations regarding the collection, use, retention and disclosure of digital information by children’s aid societies and school boards, including prescribing technical standards and issuing directives with which these entities will be required to comply.
  • It is specifically stated that nothing in the proposed Act or any regulation or directive made under the Act establishes a private law duty of care owed to any person.

Although Bill 194 will ultimately address the pressing concerns of cyber security and artificial intelligence in Ontario’s public sector, the current proposed Act, for now, merely sets out a framework to do so. While it is now clear that new obligations regarding both cyber security and the use of artificial intelligence are forthcoming, perhaps imminently, the substance of those obligations will not be fully known until the new regulations are introduced.

In the meantime, public sector entities in Ontario can expect they will be required to implement or revise their cyber security programs to match regulatory requirements and be prepared to provide reports regarding cyber incidents. In addition, at least some public sector entities in certain circumstances will also be required to ensure they are using AI systems appropriately, which will likely include enhanced transparency and data protection. Importantly, the obligations imposed by the Act will require public sector entities to ensure that any third party acting on their behalf is also meeting regulatory requirements.

LERNx Sidebar


Our lawyers are committed to making the law easier to access for all by publishing high-quality and industry-leading content.

Jennifer L. Hunter

We are here to help.

Do you have any questions about your unique scenario? Feel free to reach out directly by visiting my Lerners Profile View My Full Profile