Submission to Consultation on the Office of the Privacy Commissioner of Canada’s Proposals for ensuring appropriate regulation of artificial intelligence

View full submission here.

The context in which we understand privacy is shifting in the current landscape of big data analytics, machine learning, and artificial intelligence. What was generally considered a broad topic with varying normative understandings is now at the forefront of debates and policy work as the varied stakeholders attempt to narrow its scope in the Canadian context. Simultaneously, we are seeing an increasing and more varied quantity of data being given to and collected by both private and public bodies in the name of technological innovation – most of which are fueled by data, thereby making privacy concerns more acute.

Resulting from this dichotomous relationship is a narrative where privacy is pitted against innovation; where privacy protection is seen as a check on innovation. This is a dangerous discursive framing of the issue because it implies that unless individuals want to remove themselves from this new form of a social contract, they must give up control over their personal information. AI represents a paradigm shift in technology: rather than an incremental expansion of existing methods and practices, we are seeing a revolution of Big Data, which has already had widespread and – in many cases – deleterious implications for privacy rights. The intersection of machine learning and Big Data has the potential to fundamentally alter what it means to have a ‘reasonable expectation of privacy.’ The implications of AI transcend any meaningful distinctions between public and private sector (including privacy laws). Crucially, history has shown us that when new privacy-impacting technologies are adopted ahead of corresponding changes in law and regulations governing privacy, it can be difficult to ‘roll back’ established practice and undo erosions to privacy rights. Technology moves quickly from being novel and extraordinary to routine and normalized. This calls for a precautionary approach – one that involves restrictions on the adoption and use of privacy-impacting AI until such time that robust and updated legal and regulatory frameworks are in place.

We urge policy makers to keep PIPEDA (and other legislation) technology-neutral. Privacy remains a broad concept that is not limited to technological contexts and that can also transcend any particular technology. Rather than writing new legislation targeted specifically at AI, we maintain that existing privacy laws need to be strengthened significantly to expand their scope to be able to govern AI within the existing legal framework.

We are pleased to see that the Office of the Privacy Commissioner (OPC) is moving towards adopting a human rights-based approach to privacy rights. This framing of privacy no longer sees the interplay between privacy and innovation as zero-sum; rather, it emphasizes the foundational role of trust [through privacy] to support the digital economy. Building on this notion, we emphasize the importance of keeping meaningful consent and transparency central to data privacy and AI governance.

Lastly, we fully support the numerous calls for expanding the Information and Privacy Commissioners’ powers to support a robust enforcement regime where they can utilize order-making powers and administrative monetary penalties to enforce compliance. We have been calling for these changes for over a decade and believe that given the move towards more automation and increasing sophistication of data processing methods, this is a requirement now more than ever.

Increase the powers of the Privacy Commissioner of Canada

This is the first in our series on the privacy promises we can expect from a Liberal minority government.

(From Innovation, Science and Economic Development Canada’s ‘Strengthening Privacy for the Digital Age: Proposals to modernize the Personal Information and Protection of Electronic Documents Act’.)

1. Meaningful Consent

One of the commitments to increase the powers of the Privacy Commissioner of Canada concerns their ability to determine what type of consent needs to be generated with individuals when personal information is being collected by organizations.

While the Personal Information Protection and Electronic Documents Act (PIPEDA) already requires organizations to notify individuals of the purposes of the collection, use, or disclosure of personal information, further clarifications are necessary in order to determine what constitutes meaningful consent.

Canada’s Digital Charter proposes increasing the powers of the Privacy Commissioner of Canada in order to realize and enforce the enhanced consent requirements that are necessary to achieve meaningful consent.  

With funding from the Office of the Privacy Commissioner of Canada, BC FIPA is holding a Design Jam in Ottawa on March 5th and 6th that explores meaningful consent and connected devices.

2. Fining Powers

The Privacy Commissioner of Canada is somewhat limited in their ability to enforce privacy laws. They are able to conduct investigations, make recommendations, expose non-compliant organizations in the public interest, and pursue recourse in the Federal court—but are not able to issue fines against offending organizations.

Recently, we’ve seen two highly publicized examples that highlight the need for the Privacy Commissioner to be able to issue fines. The first is the investigation into Facebook’s compliance with the Personal Information Protection and Electronic Documents Act, which found that Facebook violated the consent provisions in the Act when disclosing personal information to third parties. In this case, Facebook did not comply with the investigation and the Privacy Commissioner has stated his intention to sue the company in federal court.

The second example is the joint investigation between the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for BC (OIPC BC) into the conduct of a company called AggregateIQ. Once again, the investigation found that the company violated both federal and provincial privacy laws in their business operations. Despite this, the OPC and OIPC BC are unable to issue fines for non-compliance. However, unlike Facebook, AggregateIQ has demonstrated an interest in becoming compliant.

Canada’s Digital Charter proposes financial consequences for organizations that are non-compliant with PIPEDA. This follows the order-making powers that several provincial privacy commissioners already have, that the European Union’s General Data Protection Regulations created in their Information Commissioner’s Office, and that the United States’ Federal Trade Commission has used.

This new fining power will help to deter the kinds of high-profile incidents involving breaches of personal information we have seen occurring over the last several years.

3. Cessation and Records Preservation Orders

Under PIPEDA, the Privacy Commissioner of Canada already has investigatory powers. They are able to compel evidence, administer oaths, enter premises, examine documents, and interview witnesses. Canada’s Digital Charter proposes amendments to PIPEDA in order to increase the Commissioner’s ability to initiate an investigation and to create order-making power in the form of cessation and records preservation orders.

The cessation and records preservation orders will allow the Commissioner to preserve records during the course of an investigation and to stop non-compliant organizations from further harming individuals through the non-compliant collection, use, and disclosure of their personal information.

4. Privacy Research

Lastly, Canada’s Digital Charter proposes that the Privacy Commissioner of Canada be able to conduct research into privacy themes in order to provide clarity on emerging issues.

BC FIPA and BCCLA Grade the Government on its Implementation of Recommendations on PIPEDA

On November 26, 2006, BC FIPA and the BC Civil Liberties Association made several recommendations on improving the Personal Information Protection and Electronic Documents Act (PIPEDA) to the Standing Committee on Access to Information, Privacy and Ethics.

Today, both organizations jointly presented their evaluation of the government’s performance in responding to those recommendations, as well as to the previous recommendations made by the Parliamentary Committee.

Read the report (pdf). PIPEDA Review Submission – Jan 2008

BC FIPA and BCCLA Submission on the Statutory Review of PIPEDA

BC FIPA and the BCCLA have made submissions regarding the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA) to the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI).

This submission highlights a number of issues which must be addressed in order to ensure that the privacy of Canadians continues to be protected by this important piece of federal legislation.

The key issues and recommendations of the submission are:

  • The Office of the Privacy Commissioner (OPC) should publicize complaints.
  • The OPC should develop an effective education function.
  • Fix the responses to security (data) breaches.
  • Address Trans-border Data Flows of Personal Information.
  • Address workplace privacy issues.
  • Address the privacy implications of Electronic Medical Records (EMR).
  • Confront the challenges of emerging privacy-threatening technologies.
  • Review sections in PIPEDA dealing with consent that are inadequate.
  • Move away from an Ombudsman model and towards order-making powers for the Privacy Commissioner.

Read the full submission (pdf).