Canadian Government to regulate use of artificial intelligence as well as enhance privacy protections

July 14, 2022 |

The Canadian government has introduced a bill titled “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts” which establishes ten principles of a Digital Charter.

It will be interesting to see whether this proposed reform influences the Australian Government’s review of the Privacy Act 1988.

They are:

1. Universal Access:

All Canadians will have equal opportunity to participate in the digital world and the necessary tools to do so, including access, connectivity, literacy and skills.

2. Safety and Security:

Canadians will be able to rely on the integrity, authenticity and security of the services they use and should feel safe online.

3. Control and Consent:

Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.

4. Transparency, Portability and Interoperability:

Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.

5. Open and Modern Digital Government:

Canadians will be able to access modern digital services from the Government of Canada, which are secure and simple to use.

6. A Level Playing Field:

The Government of Canada will ensure fair competition in the online marketplace to facilitate the growth of Canadian businesses and affirm Canada’s leadership on digital and data innovation, while protecting Canadian consumers from market abuses.

7. Data and Digital for Good:

The Government of Canada will ensure the ethical use of data to create value, promote openness and improve the lives of people—at home and around the world.

8. Strong Democracy:

The Government of Canada will defend freedom of expression and protect against online threats and disinformation designed to undermine the integrity of elections and democratic institutions.

9. Free from Hate and Violent Extremism:

Canadians can expect that digital platforms will not foster or disseminate hate, violent extremism or criminal content.

10. Strong Enforcement and Real Accountability:

There will be clear, meaningful penalties for violations of the laws and regulations that support these principles.

The reforms involve:

1. The Consumer Privacy Protection Act (CPPA)

It wo;; govern the protection of individuals’ personal information and imposes obligations on organisations when  collecting, using or disclosing that information.  The intention is to  increase individuals ability to control personal information and enable them to move that information from one organisation to another securely. It will replace Part 1 of the Personal Information and Electronic Documents Act.

2. The Personal Information and Data Protection Tribunal Act

This act will be amended to  create an administrative tribunal with the power to impose penalties on organisations that breach the CPPA. The Privacy Commissioner will still have a role overseeing compliance and will have authority to issue orders against organisations and make recommendations about penalties. The Tribunal will review the Commissioner’s orders.

There will be fines for breaches of up to the greater of 5% of global revenue or 25 million Canadian dollars.

3. The Artificial Intelligence and Data Act

This legislation will regulate international and interprovincial trade and commerce in artificial intelligence systems. Organisations building high-impact AI systems must identify, assess and mitigate the risk of harm and bias. As is the way there will be another Commission , the AI and Data Commissioner, who will monitor compliance and compel third-party audits of AI systems.

The impact of the regulatory changes include::

  • Every organization will need to have a Privacy Management Program.  That will include a plan:
    • to protect personal information,
    • handle complaints
    • handle requests for information,
    • to have staff training,
  • Codification of the “Appropriate Purpose Test”.  The relevant factors include:
    • the sensitivity of the personal information,
    • the legitimate business needs of the organization,
    • effectiveness of processing personal information
  • for valid consent, including a plain language requirement for certain specified information  before or at the time when consent is sought.
  • providing individuals with details regarding the purposes for processing personal information, the manner in which the personal information is processed  which third parties will have access to personal information.
  • exceptions to consent for certain socially beneficial purposes or where the personal information is collected or used for certain business activities
  • the collection or use of personal information for business activities must be within the reasonable expectations of the individual,
  • personal information must not be collected or used for the purpose of influencing the individual’s behaviour or decisions.
  • there will be a limit on the obligations of service providers to safeguard personal information and notify of a breach to those who process the personal information
  • transparency requirements, including cross-border transfers of personal information and automated decision making
  • a right to data deletion and data mobility rights

Leave a Reply

Verified by MonsterInsights