Canadian Government to regulate use of artificial intelligence as well as enhance privacy protections
July 14, 2022
The Canadian government has introduced a bill titled “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts” which establishes ten principles of a Digital Charter.
It will be interesting to see whether this proposed reform influences the Australian Government’s review of the Privacy Act 1988.
The ten principles of the Digital Charter are:
1. Universal Access:
2. Safety and Security:
3. Control and Consent:
4. Transparency, Portability and Interoperability:
5. Open and Modern Digital Government:
6. A Level Playing Field:
7. Data and Digital for Good:
8. Strong Democracy:
9. Free from Hate and Violent Extremism:
10. Strong Enforcement and Real Accountability:
The reforms involve:
1. The Consumer Privacy Protection Act (CPPA)
It will govern the protection of individuals’ personal information and impose obligations on organisations when collecting, using or disclosing that information. The intention is to increase individuals’ ability to control personal information and enable them to move that information from one organisation to another securely. It will replace Part 1 of the Personal Information and Electronic Documents Act.
2. The Personal Information and Data Protection Tribunal Act
This act will be amended to create an administrative tribunal with the power to impose penalties on organisations that breach the CPPA. The Privacy Commissioner will still have a role overseeing compliance and will have authority to issue orders against organisations and make recommendations about penalties. The Tribunal will review the Commissioner’s orders.
There will be fines for breaches of up to the greater of 5% of global revenue or 25 million Canadian dollars.
3. The Artificial Intelligence and Data Act
This legislation will regulate international and interprovincial trade and commerce in artificial intelligence systems. Organisations building high-impact AI systems must identify, assess and mitigate the risk of harm and bias. As is the way, there will be another Commissioner, the AI and Data Commissioner, who will monitor compliance and compel third-party audits of AI systems.
The impacts of the regulatory changes include:
- Every organization will need to have a Privacy Management Program. That will include a plan:
  - to protect personal information,
  - to handle complaints,
  - to handle requests for information,
  - to have staff training.
- Codification of the “Appropriate Purpose Test”. The relevant factors include:
  - the sensitivity of the personal information,
  - the legitimate business needs of the organization,
  - effectiveness of processing personal information
- for valid consent, including a plain language requirement for certain specified information before or at the time when consent is sought.
- providing individuals with details regarding the purposes for processing personal information, the manner in which the personal information is processed, and which third parties will have access to personal information.
- exceptions to consent for certain socially beneficial purposes or where the personal information is collected or used for certain business activities
- the collection or use of personal information for business activities must be within the reasonable expectations of the individual,
- personal information must not be collected or used for the purpose of influencing the individual’s behaviour or decisions.
- there will be a limit on the obligations of service providers to safeguard personal information and notify of a breach to those who process the personal information
- transparency requirements, including cross-border transfers of personal information and automated decision making
- a right to data deletion and data mobility rights