Global Privacy Rights Canada: Our submission on Canada’s AI Register

Global Privacy Rights Canada, (where global digital privacy rights controls are engineered) submitted comments to the Treasury Board Secretariat’s consultation on the Government of Canada’s AI Register MVP.

The decision to publish a federal AI Register is a meaningful step. We are still early in public sector AI, and there are relatively few precedents for public-facing AI registers. Canada’s choice to make this work visible, and to ask the public what should be in the register, deserves credit.

At the same time, the MVP format makes something clear: an AI register can easily become “inventory transparency” — a dataset that shows activity exists — without becoming real public accountability. If people cannot quickly understand what a system does, who is responsible, where official disclosures live, what data exposure may occur (especially cross-border), and whether anything has changed since last year, then the register won’t meet the moment.

Our submission focuses on three practical fixes that can turn the AI Register into public accountability infrastructure — something the public can use, oversight bodies can rely on, and departments can maintain without creating an impossible reporting burden.

3 fix advocacy

Fix #1: Require a stable public accountability endpoint for every entry

Every AI system listed should include a required, stable public link to an accountability page. This is the “source of truth” pointer: the authoritative place where Canadians can see who owns the system, what program it supports, how to contact the responsible institution, and where official governance disclosures can be verified.

This is the difference between a spreadsheet that describes government activity and a register that supports accountability. Without a stable disclosure endpoint, an entry may exist but remain difficult to verify, difficult to challenge, and difficult to keep current across organisational change.

Fix #2: Notice-first disclosure — plain language, no sign-in, comparable fields

The public-facing experience matters. CSV and JSON are useful formats for researchers and analysts, but they are not a public interface.

The AI Register should require a “notice-first” description for each system that is readable without sign-in and without providing any identifiers. This notice should explain, in plain language: what the system does, why it is used, what it uses as inputs, what it produces or influences as outputs, and which groups may be affected.

And just as importantly: key governance disclosures should be structured wherever possible. When essential information is buried in free text, comparisons across departments become unreliable and incomplete. A register that uses defined terms and controlled options for key fields (purpose categories, deployment status, decision impact type, human oversight presence, etc.) becomes easier to maintain internally and far more useful externally.

Fix #3: Lifecycle change control and evidence linkability

AI systems evolve. Models change, vendors change, deployments expand, and data flows shift. A public register that overwrites old information without showing what changed and when will steadily lose credibility.

The AI Register should include lifecycle transparency: last reviewed dates, material change triggers, and an append-only change log. It should also link to relevant governance artefacts — impact assessments, PIAs, audits, monitoring reports — and where those artefacts are not public, the register should still indicate whether they exist, whether they are not public, when they were last updated, and why.

This doesn’t “overburden” the register; it makes the register useful as a discovery layer that points to evidence — and makes gaps visible when evidence does not exist.

A practical roadmap: a transparency ladder

A practical way to communicate progress is a transparency ladder:

• Stage 0: no public record
• Stage 1: notice-first public disclosure (no sign-in)
• Stage 2: comparable structured disclosure, including “where information goes”
• Stage 3: lifecycle transparency with versioning and change log
• Stage 4: verifiable, integrity-protected disclosures and auditable accountability controls

What was submitted

In our consultation response we recommended that the AI Register should function as an authoritative source of truth for AI system discovery in public administration: stable identifiers, accountable owners, official disclosure endpoints, and lifecycle status — while linking out to supporting evidence and assurance records.

Global Privacy Rights Canada — https://www.globalprivacyrights.org