Submission to Consultation on the Office of the Privacy Commissioner of Canada’s Proposals for ensuring appropriate regulation of artificial intelligence

View full submission here.

The context in which we understand privacy is shifting in the current landscape of big data analytics, machine learning, and artificial intelligence. What was generally considered a broad topic with varying normative understandings is now at the forefront of debates and policy work as the varied stakeholders attempt to narrow its scope in the Canadian context. Simultaneously, we are seeing an increasing and more varied quantity of data being given to and collected by both private and public bodies in the name of technological innovation – most of which are fueled by data, thereby making privacy concerns more acute.

Resulting from this dichotomous relationship is a narrative where privacy is pitted against innovation; where privacy protection is seen as a check on innovation. This is a dangerous discursive framing of the issue because it implies that unless individuals want to remove themselves for this new form of a social contract, they must give up control over their personal information. AI represents a paradigm shift in technology: rather than an incremental expansion of existing methods and practices, we are seeing a revolution of Big Data, which has already had widespread and – in many cases – deleterious implication for privacy rights. The intersection of machine learning and Big Data has the potential to fundamentally alter what it means to have a ‘reasonable expectation of privacy.” The implications of AI transcend any meaningful distinctions between public and private sector (including privacy laws). Crucially, history has shown us that when new privacy-impacting technologies are adopted ahead of corresponding changes in law and regulations governing privacy, it can be difficult to ‘roll back’ established practice and undo erosions to privacy rights. Technology moves quickly from being novel and extraordinary to routine and normalized. This calls for a precautionary approach – one that involves restrictions on the adoption and use of privacy-impacting AI until such time that robust and updated legal and regulatory frameworks are in place.

We urge the policy makers to keep PIPEDA (and other legislation) technology-neutral. Privacy remains a broad concept that is not limited to technological contexts and that can also transcend any particular technology. Rather than writing a new legislation targeted specifically at AI, we maintain that existing privacy laws need to be strengthened significantly to expand their scope to be able to govern AI within the existing legal framework.

We are pleased to see that the Office of the Privacy Commissioner (OPC) is moving towards adopting a human-rights based approach to privacy rights. This framing of privacy no longer sees the interplay between privacy and innovation as zero-sum; rather, it emphasizes the foundational role of trust [through privacy] to support the digital economy. Building on this notion, we emphasize the importance of keeping meaningful consent and transparency central to data privacy and AI governance.

Lastly, we fully support the numerous calls for expanding the Information and Privacy Commissioners’ powers to support a robust enforcement regime where they can utilize ordermaking powers and administrative monetary penalties to enforce compliance. We have been calling for these changes for over a decade and believe that given the move towards more automation and increasing sophistication of data processing methods, this is a requirement now more than ever.

PIPA review presents opportunity for BC to become leader in privacy protection

Vancouver, February 24, 2020 – On February 18, 2020 the Legislative Assembly agreed that a Special Committee be appointed to review the Personal Information Protection Act (PIPA). PIPA deals with the collection, retention, use, and disclosure of personal information by private sector and nonprofit entities. The B.C. Freedom of Information and Privacy Association (BC FIPA) is pleased that this process is commencing in accordance with section 59 of that Act and looks forward to participating in the process.

“BC FIPA wants to ensure that people are empowered to maintain their right to privacy and access to information,” says Jason Woywada, FIPA’s Executive Director. “Even before consultations begin, we can anticipate a number of recommendations in areas surrounding mandatory breach notification and an expansion of the Commissioner’s powers with the ability to penalize bad actors. I remain hopeful the government will follow through and implement the recommendations from this Committee, as well as prior Committees and OIPC reports, despite the fact that hasn’t always been the case.”

In order to better protect the privacy of British Columbians, breach notifications should be required when a private sector or nonprofit entity that controls personal information becomes aware that they have lost the control of that personal information and that a significant risk to individuals is present. This provision would be similar to those that came into effect in November of 2018 in Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and would require notifying the Information and Privacy Commissioner of BC, the affected individuals, and for the organization to keep a record of the breach.

Another major change that BC FIPA would like to see to the Act is the introduction of monetary fines to be used at the discretion of the Information and Privacy Commissioner of B.C. As private organizations move towards a business model that monetizes the collection and use of personal information, significant deterrents for breaches and misuse need to be introduced in order to protect the privacy of British Columbians.

“As we look to other international models, such as the powers ascribed to the Information Commissioner’s Office in the United Kingdom under the European Union’s General Data Protection Regulations, we see the use of fines as being an effective tool in regulating how organizations are using personal information,” says Jason Woywada. “If British Columbia wants to continue being a leader in Canada when it comes to privacy protection, we will need to see a move in this direction.”

Contact: Jason Woywada, Executive Director, BC Freedom of Information and Privacy Association

Email: Jason (at) fipa.bc.ca

Phone: 604-739-9788

-30-

The Right to Erasure

The right to erasure

This is the third in our series on the privacy promises we can expect from a Liberal minority government.

Information about the Right to Erasure is from Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

The Promise

In the Liberal Party’s election platform, they committed to a new online right to “withdraw, remove, and erase basic personal data from a platform” (40). This seems to build and expand upon the third principle contained within Canada’s Digital Charter:

Control and Consent: Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.”

– Canada’s Digital Charter

Unclear within this promise are two major things: what is defined as a platform; and how this new right will be different from what is currently contained within Canada’s private sector privacy legislation, the Personal Information and Protection of Electronic Documents Act.

And, on the surface, it would appear that this new right does not go as far as the European Union’s ‘Right to be Forgotten’, which is found within the General Data Protection Regulations, and allows citizens to request that personal data be erased for a host of reasons and from entities not limited to “platforms”. Notably, this includes making requests to delist website pages in search results.

The Office of the Privacy Commissioner of Canada is currently seeking a determination from the Federal Court in order to clarify whether Google’s search engine is subject to PIPEDA. Thus, it may turn out that Canadians already have the ability to request that search engine’s de-index web pages that are responsive to a person’s name should they present unwarranted reputational harm.

The Reality

So far it’s unclear how this new right to erasure goes further than the access and correction rights that currently exist within Canada’s federal privacy legislation, the Privacy Act and PIPEDA, and B.C.’s provincial privacy legislation, FIPPA and PIPA.

Currently, PIPEDA does provide Canadians with some measure of control over their personal information. It does this by allowing individuals to correct the accuracy of their personal information in the control of a private organization, to withdraw their consent for the use of personal information, and to file a complaint with the Office of the Privacy Commissioner of Canada in order to create a record of dispute.

While these are not equivalent measures to the European Union’s ‘Right to be Forgotten’, they do allow Canadians some measure of control over their personal information and at the very least present a mechanism for addressing issues related to online reputational harm. In addition, PIPEDA also contains provisions that limit the amount of time that personal information can be retained, which in turn helps to ensure that personal information is disposed of when it is no longer required.

The Future

Important questions remain though about how effective these measures are in a digital environment. PIPEDA was created in 2000, as the internet and digital technologies were only emerging. Today, the internet is being used in ways, and on devices, that could not have been predicted 20 years ago.

With private organizations becoming increasingly reliant on personal information as a fundamental component of their business model, and the storage of personal information no longer experiencing the same physical and financial constraints, more needs to be done to protect consumers and to rebuild trust.

If Canada’s federal privacy legislation is amended to contain this new right to erasure, it may create the need to amend provincial privacy legislation to also include this new right in order to retain its equivalency. As well, new powers will need to be ascribed to provincial and federal information and privacy commissioners in order for them to be able to enforce new digital rights, like the Right to Erasure.

Welcoming Jason Woywada as FIPA’s new Executive Director

Vancouver, February 12, 2020 – The beginning of BC FIPA’s fourth decade is an exciting time for the organization as we welcome Jason Woywada as the new Executive Director. After an extensive search process, the hiring committee was pleased to offer the position to Jason for his unique combination of skills, knowledge, and experience.

“Amongst a strong field of privacy and access professionals, we were very impressed by Jason’s formal communications training, his career in journalism, and his management experience in politics,” says Mike Larsen, FIPA’s President. “These experiences, rounded out by his privacy certifications and graduate studies, make him the ideal candidate.”

Jason began his career as a broadcast journalist in Manitoba during the 1990s. From 1999 to 2014, he worked in a variety of roles at the legislative assembly in Manitoba, including as the Director of Caucus Services for the New Democratic Party for over a decade.  Once in British Columbia, he began work at One Feather as a Deputy Elections Officer expanding his understanding of First Nations communities, their members, and culture.

Most recently, Jason was a Senior Legislative and Policy Analyst within the Office of the Chief Information Officer at the Ministry of Citizens’ Services in BC. This included work on the Annual Report on the Administration of the Freedom of Information and Protection of Privacy Act: 2017/18 & 2018/19, which gave him an inside glimpse into the mechanisms of FOI legislation.

Jason holds certification through the International Association of Privacy Professionals as a Certified Information Privacy Professional Canada (CIPP/C) and a Certified Information Privacy Manager (CIPM). He recently completed a Masters of Business Administration through the Australian Institute of Business.  

“I look forward to advocating for the types of changes that empower BC citizens to have greater access to information and improve their privacy,” says Jason Woywada, BC FIPA’s new Executive Director.

Contact: Jason Woywada, Executive Director

BC Freedom of Information and Privacy Association

Email: Jason (at) fipa.bc.ca

Phone: 604-739-9788

-30-