The government today released its much-anticipated national AI strategy, an ambitious plan featuring a myriad of new programs and initiatives to support AI adoption. The strategy emphasizes trust, framing its approach as “AI for All.” Spending dominates the announcement, with money sprinkled across the economy as the government bets on the economic returns that flow from widespread AI adoption. Yet spending money is the easy part. What stands out is the deferral of many of the hard policy choices. The government has no plans for AI-specific regulation, instead relying on updated privacy rules and a reintroduction of online safety legislation. AI Minister Evan Solomon started the process by noting that the prior government had “over-indexed” on regulatory plans, and that perspective remains largely unchanged. There are real risks in bad legislation (see yesterday’s reset of the Online Streaming Act), but the Canadian government will never outspend the market on AI. For the Canadian government, supporting AI development must primarily involve creating the legal and regulatory frameworks that facilitate investment, trust, and adoption, and deferring the hard choices to later does not help.

I will leave it to others to parse through all the spending promises (I think the strategic spending on health data initiatives is worthwhile, government adoption programs have a poor track record, and replacing private-sector investment is a waste of taxpayer money). The strategy is best where it makes genuine policy choices, and several of them are the right ones. It commits to advancing open-source AI as a counterweight to dependence on a handful of proprietary systems, which lowers costs for smaller players, broadens access, and can better reflect Canadian content. The strategy supports creators not by locking content down with new licensing mandates or restrictions on fair dealing, but by enabling them to use AI as they see fit, including through a new $50 million Creative Technology Program. And it treats data as a strategic national asset to be mobilized, with new health data platforms and a recognition that reducing barriers to high-quality data is itself an AI policy.

The decision to scrap an EU-style AI Act is justifiable given that the framework has failed to take hold worldwide and the EU has struggled with implementation. But the absence of clear transparency requirements is harder to understand. I’ve urged an AI Transparency Act given that transparency is the most practical and broadly supported foundation for AI regulation, covering disclosure of where AI is used, of which works are included in training data, and of government and law enforcement demands for user information. The strategy reduces that to a promise to work on transparency over time, a reference to watermarking, and a voluntary Canada Trusted AI Certification program. It says nothing about requiring companies to disclose which works they used to train their models, the very information that would let users and creators make informed choices.

Transparency would have been a good place to start, but the strategy instead relies on privacy reform and online harms legislation as the foundation for building public trust in AI. Those legislative initiatives are necessary but not sufficient. There are real risks associated with AI that extend beyond those issues, such as automated decision-making in hiring or law enforcement use of AI, that can’t be solved solely through more funding for the AI Safety Institute.

Privacy sits at the centre of the strategy’s case for trust as it promises a bill that would recognize privacy as a fundamental right alongside stronger penalties and updated safeguards. Having lived through previous failed attempts at privacy reform, it is easy to be skeptical about renewed privacy reform promises. But as I noted in a post this morning, worse is a government that promises modernized privacy laws in the morning and then presses for mandatory metadata retention in the afternoon as is the case today with clause-by-clause review of Bill C-22. It is simply not credible to claim privacy is a priority while the same government works to undermine it.

The strategy’s sovereignty pillar acknowledges that sensitive Canadian data may fall under foreign legal regimes beyond Canada’s control and states that Canadian infrastructure must be operated under Canadian control and Canadian law. But as I have repeatedly discussed, locating data in Canada does little if Canadian privacy law is weak or if a foreign court can still compel disclosure from a provider with operations abroad under a law such as the U.S. CLOUD Act. Without a privacy regime strong enough to function as a blocking statute against foreign disclosure demands, sovereign infrastructure is sovereignty theatre, and the strategy funds the infrastructure but defers on the law. Once again, the lack of specificity on privacy undermines the strategy.

The online safety promises are similarly lacking in specifics. The government confirms that an online safety bill is coming, this time extended beyond social media to include AI. I have argued that a law based on a duty to act responsibly can be an effective, flexible measure provided the government avoids one-size-fits-all solutions. But without specifics, there is reason for concern. For example, if the bill includes mandated age verification for social media and AI chatbots that effectively establishes a ban for kids under 16. Such an approach risks undermining adoption by turning AI for All into ID for All, since everyone will be required to provide identification to use AI. The privacy risks associated with that policy are deeply concerning, requiring all Canadians to upload sensitive information to third parties. Moreover, mandated reporting requirements can turn AI companies into surveillance arms of the state, actively monitoring and reporting on their users. I believe a better approach is transparency, consistent standards, and liability for companies that fail to live up to their policies.

The AI strategy process was hard to discern from the outside, as there was a “sprint” to conduct the consultation, delays in reporting back what it heard (and even then, a disconnect between what it actually heard and what it reported), and further delays in releasing the strategy. Even with all that time, today’s release feels like AI Strategy 1.0. The 2.0 version will need to include the missing specifics on law and policy, without which this is primarily a big-spending announcement that is unlikely to meaningfully address the challenges of AI adoption and trust.