
Ontario Bill 194: Strengthening Cyber Security and Building Trust in the Public Sector Act

Policy Brief | June 2024



Contributors

Christelle Tessono, Policy and Research Assistant

Katie Gibson, Senior Fellow

Sam Andrey, Managing Director

Viet Vu, Acting Director of Policy and Research

Karim Bardeesy, Executive Director



Context


To address emerging cybersecurity challenges and the increased use of artificial intelligence (AI) systems, the Government of Ontario’s Minister of Public and Business Service Delivery tabled Bill 194: Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 on May 13th, 2024.

The Bill seeks to regulate the use of digital and AI systems by public sector entities within Ontario, which include, but are not limited to, government departments, agencies, police service boards, transit commissions, children’s aid societies and school boards.

To do so, the Bill establishes a regulatory regime overseen by the Minister of Public and Business Service Delivery. This regime consists of:

1. Cybersecurity Measures: Bill 194 requires public sector entities to develop and implement cybersecurity programs, through the publication of regulations and directives and the setting of technical standards and reporting requirements.

2. AI Accountability Measures: The bill requires public sector entities using AI systems to develop accountability frameworks, manage risks, and provide public information on AI use, with regulations to enforce standards and oversight.

3. Protections for Kids: The bill includes additional provisions for handling digital information related to individuals under 18, with the potential for new standards for children's aid societies and school boards.

4. Privacy Amendments: The bill amends the Freedom of Information and Protection of Privacy Act, introducing definitions for information practices, requirements for privacy impact assessments, and reporting of privacy breaches.

We are encouraged to see the Ontario government’s efforts to strengthen cybersecurity and address the emerging risks and challenges caused by AI adoption in the public sector. In particular, we welcome Bill 194’s potential to address the use of AI throughout Ontario’s broader public sector, as well as its considerations for child online safety. Our concerns lie with the overall lack of enforcement for non-compliance, unclear requirements, and limited opportunities for public consultation.

We commend the government for introducing legislation that addresses fast-moving technology, and attending to the specific risks and potential harms that are associated with it in areas of provincial jurisdiction. We are eager to contribute to the development of this legislation and accompanying regulations and directives to advance secure and responsible technology governance in Ontario.

Below, we identify three broad areas for improvement with Bill 194 submitted to the Government of Ontario:

Areas for Improvement


As currently drafted, Bill 194 lacks any meaningful enforcement mechanism in the event of non-compliance. The bill empowers the Minister of Public and Business Service Delivery to craft regulations and directives relating to the use of AI systems in the public sector. However, section 13 provides that failure to comply with this Act “does not affect the validity of any policy, Act, regulation, directive, instrument or decision.” In addition, section 14 provides that in the event of a conflict between a provision of this Act and any other Act or regulation, the latter prevails. 

We believe that this could provide significant room for ministries, municipalities, agencies and the broader public sector to not comply with the bill’s regulations in the event of conflict. For instance, there is already concern with the lack of compliance of police services with federal requirements regarding the use of AI. Most notably, when the Office of the Privacy Commissioner of Canada investigated the RCMP’s use of Clearview AI’s facial recognition software, they found that the RCMP had serious systemic gaps in tracking and assessing novel methods of collecting personal information. As a result, the bill would benefit from the removal or modification of those sections in order to ensure compliance. 

Furthermore, we note the potential use of prohibitions, regulations, directives, policies, risk management frameworks, and technical standards as part of the governance arsenal to ensure responsible and accountable use of AI systems. While each has its place in responsible AI governance, we recommend that any implementation of new rules and regimes be accompanied by work and resources allocated to enhance internal expertise and build in-house capacity, to effectively support the responsible use of AI systems within public sector organizations. 

To instill public trust in this bill and in the government’s use of AI systems, we recommend developing a robust enforcement regime. We propose developing the role of an independent commissioner or regulator to oversee the Act, such as the Information and Privacy Commissioner of Ontario. This entity should be provided with sufficient resources such as regulatory oversight powers, policy and technical expertise to ensure that the law can be operationalized across Ontario’s public sector. 

The bill provides the government broad powers to use directives, prohibitions, regulations, policies, and technical standards to ensure responsible and accountable use of AI systems. However, we are concerned by how much of the force of the legislation will be left to regulatory powers, by the absence of parameters that will guide how these interventions will be developed, and by how much guidance is left to the discretion of the Minister, rather than in the legislation itself. 

For example, one parameter that could be written into the legislation would require the use of a human rights assessment tool against which a regulation would be assessed. This is the model adopted by the European Union’s AI Act. As another example, Canada’s proposed federal AI bill requires that AI systems disclose the use of AI when a system could reasonably be perceived as communicating with a human, rather than Bill 194’s current approach, which leaves how the public will be informed to regulations.

We also caution against an overreliance on technical standards developed outside of the regulatory process, as researchers in both academia and industry have yet to achieve consensus on adequate measurement metrics for responsible AI, particularly with respect to public sector use. Currently, organizational bodies outside of government are developing standards, so we do wonder if collaborations will occur to ensure uniformity. 

As such, the bill would benefit from clarifying the role of each policy intervention by defining what technical standards are and outlining guiding principles for prohibitions based on human rights protections. 

While we welcome opportunities such as this to engage on the bill, consultations prior to its tabling would have allowed for a greater set of perspectives to be included in consideration. 

We are particularly concerned that historically marginalized communities (e.g., BIPOC, LGBTQ+, people with disabilities, religious minorities, etc.) will not have the opportunity to substantially contribute to deliberations on this bill. This is particularly concerning as research suggests that they are disproportionately facing the harms caused by AI systems. 

Public consultations not only offer opportunities to develop appropriate policy interventions, but also an opportunity for different stakeholders to discuss with one another and instill public trust in this legislative approach. We encourage the government to consider hosting them in the coming summer months.