3rd Session, 43rd Legislature

This HTML version is provided for ease of use and is based on the bilingual version that was distributed in the Legislature after First Reading.

Bill 51

THE PUBLIC SECTOR ARTIFICIAL INTELLIGENCE AND CYBERSECURITY GOVERNANCE ACT

(Assented to                                         )

WHEREAS artificial intelligence systems and digital communications are technological tools that have the potential to transform society in positive ways but also have the potential to be misused or to have an inequitable impact on society;

AND WHEREAS Manitobans are protected from the distribution of fake intimate images created through artificial intelligence by the enactment of The Non-Consensual Distribution of Intimate Images Act;

AND WHEREAS personal information and privacy of Manitobans as they relate to the public sector are protected under The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act;

AND WHEREAS the Government of Manitoba acknowledges the increasing use of artificial intelligence systems in the delivery of public services and administrative decision-making;

AND WHEREAS the Government of Manitoba also acknowledges cybersecurity is integral to the delivery of digital services by the public sector;

AND WHEREAS the governance of artificial intelligence and cybersecurity requires regulatory frameworks that provide for transparency, accountability, impact and risk assessments and human oversight to ensure the responsible use of technology in the public sector;

THEREFORE HIS MAJESTY, by and with the advice and consent of the Legislative Assembly of Manitoba, enacts as follows:

INTRODUCTORY PROVISIONS

Definitions

1(1)   The following definitions apply in this Act.

"artificial intelligence system" means the following:

(a) a machine-based system that, for explicit or implicit objectives, infers from the input it receives how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments;

(b) a prescribed system. (« système d'intelligence artificielle »)

"cybersecurity" means the security, continuity, confidentiality, integrity and availability of digital information and the infrastructure housing and transmitting digital information, and includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and information from attack, damage or unauthorized access. (« cybersécurité »)

"minister" means the minister appointed by the Lieutenant Governor in Council to administer this Act. (« ministre »)

"prescribed" means prescribed by regulation. (Version anglaise seulement)

"public sector entity" means

(a) the government;

(b) a government agency as defined in The Financial Administration Act;

(c) any other reporting organization as defined in The Financial Administration Act;

(d) a municipality, an incorporated community established or continued under The Northern Affairs Act or a local government district. (« entité du secteur public »)

Reference to "Act" includes regulations

1(2)   A reference to "this Act" includes the regulations made under this Act.

Purpose

2   The purpose of this Act is to establish a regulatory framework to govern the use of artificial intelligence systems in a transparent and accountable manner and to set cybersecurity standards.

Application — public sector entities

3(1)   This Act applies to prescribed public sector entities.

Application — artificial intelligence systems

3(2)   This Act applies to an artificial intelligence system used by a prescribed public sector entity that is

(a) publicly available;

(b) developed or procured by the public sector entity; or

(c) developed by a third party on behalf of the public sector entity.

Conflict

3(3)   If a provision of this Act conflicts with a provision of any other enactment, the other enactment prevails.

Effect of failure to comply

3(4)   Failure to comply with this Act or any directive issued under this Act does not affect the validity of any policy, Act, regulation, directive, instrument or decision.

ARTIFICIAL INTELLIGENCE SYSTEM

Transparency, accountability and risk management

4(1)   A prescribed public sector entity that uses an artificial intelligence system must, if required by and in accordance with the regulations,

(a) provide information to the public about its use of the system;

(b) develop and implement an accountability framework about its use of the system;

(c) take steps to manage risks associated with its use of the system.

Requirements for use

4(2)   The public sector entity must use the artificial intelligence system in accordance with the regulations.

Prohibited use or purpose

4(3)   The public sector entity must not use the artificial intelligence system for any use or purpose that is prohibited by the regulations.

Oversight and additional information

5   When using an artificial intelligence system in prescribed circumstances, a prescribed public sector entity must ensure that an individual

(a) exercises oversight of the use of the artificial intelligence system in accordance with the regulations; and

(b) provides additional information about the use of the artificial intelligence system in accordance with the regulations.

Technical standards

6   A prescribed public sector entity that uses an artificial intelligence system must comply with the prescribed technical standards for that use.

CYBERSECURITY

Requirements

7   A prescribed public sector entity must comply with the prescribed requirements for cybersecurity.

Technical standards

8   A prescribed public sector entity must comply with prescribed technical standards for cybersecurity.

Directives

9(1)   The minister may, with the approval of the Lieutenant Governor in Council, issue a directive to a prescribed public sector entity respecting the requirements under section 7 and technical standards under section 8.

Directive must be specific

9(2)   A directive issued under this section applies only to the specified prescribed public sector entity. It may establish different requirements or standards and may differ from a directive issued to another prescribed public sector entity.

Compliance

9(3)   The public sector entity to which a directive is issued must comply with the directive.

Public notice of directive

9(4)   The minister must make the directive publicly available in any manner the minister considers appropriate.

REGULATIONS

Regulations — artificial intelligence system

10(1)   The Lieutenant Governor in Council may make regulations

(a) prescribing the public sector entities to which section 4 applies;

(b) governing the provision of information about the use of an artificial intelligence system, which may include

(i) prescribing the information that must be provided and to whom,

(ii) prescribing information that is not required to be provided,

(iii) specifying when information must be provided and updated,

(iv) prescribing the manner in which information must be provided and requiring that the information be communicated in a clear and understandable manner,

(v) providing an exemption from the requirement to provide information in specified circumstances;

(c) governing the development, implementation and use of accountability frameworks, which may include

(i) prescribing the form and content of the accountability frameworks,

(ii) specifying when the accountability frameworks must be developed and updated,

(iii) prescribing roles and responsibilities of specified individuals under the accountability frameworks,

(iv) requiring documentation about the use of an artificial intelligence system, including documentation respecting different phases of a system's use, performance and monitoring,

(v) prescribing the measures to be taken respecting bias detection and mitigation testing for discriminatory impacts of the use of artificial intelligence systems,

(vi) requiring the development and use of impact and risk assessment tools and mitigation measures;

(d) prescribing steps to be taken to manage risk in the use of an artificial intelligence system, including monitoring, reporting and recordkeeping;

(e) prescribing requirements for the use of an artificial intelligence system, which may include requiring that an artificial intelligence system be used only for specified purposes;

(f) prohibiting the use of an artificial intelligence system, including the purposes for which it may not be used, such as the production of artistic or creative material;

(g) prescribing the public sector entities to which section 5 applies;

(h) governing the exercise of oversight of the use of an artificial intelligence system, including by an individual;

(i) governing the provision of additional information, which may include requiring the provision of information about how to make inquiries of a public sector entity about the use of an artificial intelligence system;

(j) governing requirements, policies and procedures for procurement and contracts for services relating to the use of artificial intelligence systems;

(k) respecting any other matter relating to the use of artificial intelligence systems by public sector entities the Lieutenant Governor in Council considers necessary or advisable to carry out the purpose of this Act.

Regulations — cybersecurity

10(2)   The Lieutenant Governor in Council may make regulations

(a) prescribing the public sector entities that are required to develop and implement programs for ensuring cybersecurity;

(b) governing programs for cybersecurity, which may require specified elements to be included in the programs, such as

(i) roles and responsibilities of specified individuals within the public sector entity relating to ensuring cybersecurity,

(ii) reporting on the public sector entity's progress with respect to ensuring cybersecurity,

(iii) education and awareness measures respecting cybersecurity,

(iv) response and recovery measures for incidents relating to cybersecurity,

(v) oversight measures for implementation of the program;

(c) requiring public sector entities to submit reports to the minister or a specified individual in respect of incidents relating to cybersecurity, which may include different requirements in respect of different types of incidents;

(d) prescribing the form and frequency of reports;

(e) governing requirements, policies and procedures for procurement and contracts for services relating to cybersecurity;

(f) respecting any other matter relating to cybersecurity the Lieutenant Governor in Council considers necessary or advisable to carry out the purpose of this Act.

Regulations — technical standards

10(3)   The minister may make regulations

(a) prescribing the public sector entities to which section 6 or 8 or both apply;

(b) setting technical standards respecting the use of artificial intelligence systems;

(c) setting technical standards respecting cybersecurity.

Application and classes

10(4)   A regulation made under this section may

(a) be general or particular in its application;

(b) apply to one or more classes of public sector entities; and

(c) apply differently to different public sector entities or classes of public sector entities.

Adopting codes or standards

10(5)   The power to make a regulation may be exercised by adopting by reference, in whole or in part, a code or standard made by another government or a non-governmental body.

Changes

10(6)   The code or standard may be adopted as amended from time to time and subject to any changes that the maker of the regulation considers necessary.

Public consultation

10(7)   Except in circumstances that the minister considers to be of an urgent nature, the minister must provide an opportunity for public consultation and seek the advice and recommendations of the public with respect to any regulation proposed to be made under this section before the regulation is made.

Review

10(8)   Within three years after the coming into force of a regulation made under this section, the minister must arrange for a report to be prepared evaluating the effectiveness of the regulation.

Report to be tabled

10(9)   The minister must table a copy of the report in the Assembly on any of the first 15 days on which the Assembly is sitting after the minister receives the report.

C.C.S.M. REFERENCE AND COMING INTO FORCE

C.C.S.M. reference

11   This Act may be referred to as chapter P261 of the Continuing Consolidation of the Statutes of Manitoba.

Coming into force

12   This Act comes into force on a day to be fixed by proclamation.