Op-Ed: Canada rewrites the rules on AI privacy with Bill C-36, and this is just the start


Bill C-36, the Protecting Privacy and Consumer Data Act, is a broad-based initiative to try to manage privacy issues, notably for children. This is the first major revision of Canadian privacy laws in decades, targeting AI security risks.

The Bill is also a good example of how incredibly complex the statutory regulation of data privacy has become as AI emerges as the driving factor of digital life. It’s a very demanding environment for managing basic laws at the most fundamental level.

In practice, Bill C-36 could include simple privacy issues or broad-spectrum breaches of privacy as big as the recent major data breaches. In its current form, the Bill looks very much like a catch-all for privacy issues on any scale.

With constant and increasing global demands for effective AI governance, Bill C-36 may well become a test case for the future of AI regulation worldwide.

This is also no easy target on any practical enforcement level. Bill C-36 covers such a huge range of potential future issues. The actual legislation now before for the first reading to Parliament includes 147 specific sections.  

The summary section of Bill C-36 is an indicator of degrees of difficulty:

This enactment enacts the Protecting Privacy and Consumer Data Act to govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities.

That’s a very broad base for the regulation of just about anything and everything related to privacy, compliance, and enforcement. The other big issue in this legislation is “data inference”, not just the hard data gathered online, but indirect profiling and patterns used to identify people and markets.

This is a major privacy issue in that people can be identified by inferences derived from both hard data and “disparate data,” building a picture of their health, financial issues, and more. It’s the working machinery of targeted ads, phishing, and the de facto source of profiling. People can be indirectly identified by behaviours and other patterns.

With the advent of AI, inferences have come into a whole new frame of reference for regulation. In legal terms, it’s a sandbox. The new terminology refers to “deidentification” and “reidentification”, which describe the process of privacy being eroded or completely destroyed by AI inferences. This also exposes the near-total inadequacy of current privacy laws. These processes didn’t even exist when most privacy laws were enacted.

The role of Bill C-36

The draft bill includes functional roles in Part 2, including multiple delegations:

 Establishment of a Commission and its powers, duties, and functions

The appointment of a Commissioner

Division

Codes of Practice and Certification

Remedies Filing of Complaints

Investigation of Complaints

Compliance Agreements

Audits

Appeals

Enforcement of Orders

Certificate under the Canada Evidence Act

Amendments and coming into force provisions

Dry as it may seem, this is a map of the entire working framework for Bill C-36, the Protecting Privacy and Consumer Data Act. This is an outline of how the Act has to work to achieve its goals. It’s effectively a new jurisdiction.

The realities of regulating AI privacy

It’s important to note that any new legislation has built-in issues, and Bill C-36 has all the ingredients for ongoing updates to manage a very nebulous legal environment:

Legislation must adapt. The Bill is just the start. Even at this early stage, Bill C-36 may be subject to amendment before it’s enacted or even redrafted to address emerging issues.

Untested legislation inevitably evolves. The real test of legislation is by challenge or dispute. By case law or by a need for new regulations, untested legislation is a work in progress from the day it takes effect. The bigger the role, the wider the scope for evolution.

The regulatory range of legislation defines its challenges. This bill, in particular, is written almost entirely on unknown legal territory, simply because of the drastic expansion of the legal framework enabled by AI’s capabilities. Every facet will be subject to court rulings and future challenges.

The “AI inference factor” is a very tough call for regulation. AI inferences work on everything from hard data to new or “unseen data. At what point does inference breach privacy laws? How do you prove a breach of privacy or the effects of a breach? This is exactly what Bill C-36 is grappling with.

Laws must be consistent and applied consistently. Laws can’t contradict each other. There are also multiple related Acts that need to be amended to cover their functions in conjunction with Bill C-36. Parts 3 and 4 of the Bill refer to 17 other Acts and the Statutes of Canada 2010.  

A first step into the future

One very strong positive for Bill C-36 is that it directly addresses the gaping holes in global data privacy and broad-spectrum regulation despite rapid enactment of laws in 140 countries. Most privacy laws around the world are a patchwork of provisions addressing privacy as an abstract concept, rather than at the functional level. They also, like the EU General Data Protection Regulation, predate modern AI, which is a critical theme of Bill C-36. Some are tougher than others, but enforcement at ground level is a very new ballgame. This is where Bill C-36 is breaking new ground.

The very fluid nature of technology has created these problems as actual circumstances of privacy breaches change. Courts are the default arbiters, but even the courts have to work with the theory of remedy and whether or not existing regulations adequately address circumstances.

The same applies to data management. It’s quite possible, particularly with AI, to unintentionally and unwittingly breach privacy without even knowing you’ve done it. This Bill at least clarifies the rules at the operational level to a large extent.

This first step is to get a grip on the realities of privacy in the Age of AI. Let’s hope it works.



Op-Ed: Canada rewrites the rules on AI privacy with Bill C-36, and this is just the start

#OpEd #Canada #rewrites #rules #privacy #Bill #C36 #start

Leave a Reply

Your email address will not be published. Required fields are marked *