AI must become compliant with privacy rules: regulator

Government seeks input on 11 proposals that ensure PIPEDA-compliance

Canada’s privacy regulator is requesting feedback on implementing new guidelines for companies that employ artificial intelligence (AI) to collect personal and private data.

The Office of the Privacy Commissioner of Canada (OPC) has given a March 13 deadline for Canadian experts to weigh in.

“We are paying specific attention to AI systems given their rapid adoption for processing and analyzing large amounts of personal information,” says the regulator. “Their use for making predictions and decisions affecting individuals may introduce privacy risks as well as unlawful bias and discrimination.”

While the implementation of AI is well underway and provides many benefits to businesses, “the impacts to privacy, data protection and, by extension, human rights will be immense if clear rules are not enshrined in legislation that protect these rights against the possible negative outcomes of AI and machine learning processes,” says the OPC.

With respect to the Personal Information Protection and Electronic Documents Act (PIPEDA), the OPC wants input from experts on a number of proposals including:

  • incorporating a definition of AI within the law that would serve to clarify which legal rules would apply only to it, while other rules would apply to all processing, including AI
  • adopting a rights-based approach in the law, whereby data protection principles are implemented as a means to protect a broader right to privacy, recognized as a fundamental human right and as foundational to the exercise of other human rights
  • creating a right in the law to object to automated decision-making and not to be subject to decisions based solely on automated processing, subject to certain exceptions
  • providing individuals with a right to explanation and increased transparency when they interact with, or are subject to, automated processing
  • requiring the application of Privacy by Design and Human Rights by Design in all phases of processing, including data collection
  • including in the law alternative grounds for processing and solutions to protect privacy when obtaining meaningful consent is not practicable
  • requiring organizations to ensure data and algorithmic traceability, including in relation to datasets, processes and decisions made during the AI system lifecycle
  • empowering the OPC to issue binding orders and financial penalties to organizations for non-compliance with the law.
