It is no secret that training and using AI involves the collection, disclosure, and processing of information, which also includes personal information. In Canada and most other jurisdictions, the collection, use, and disclosure of personal information is regulated to some extent. Data “scraping” is a live issue and concern. Developing AI or using AI can pose various privacy issues that need to be addressed in a way that protects the organizations from compliance risk as well as the privacy of those whose information is being processed in this context. Using personal information in AI may also be a matter of ethics in some cases.
Just because there is not yet an AI-specific legislation in Canada does not mean there are no Canadian laws that protect the use of personal information in AI. The Personal Information and Protection of Electronic Documents Act (“PIPEDA”) and its provincial substantially similar counterparts, govern the collection, use and disclosure of personal information in the course of “commercial activities.” Quebec has enacted a regime with monetary penalties in this regard.
Public-sector freedom of information and privacy legislation, as well health-specific legislation are present in every province. The themes in many of these legislative instruments include: ensuring organizations are accountable and transparent; obtaining individual consent when appropriate; limiting collection, use, disclosure and retention of data; and, employing security safeguards.
The call for legislation specific to AI has arisen contemporaneously with the innovation of new and emerging AI technologies. AI tools raise issues concerning (data scraping) privacy rights: non-consensual collection, biased inputs resulting in discriminatory outputs, and use or intentional misuse in the hands of malicious actors. For example, AI tools can be manipulated through the poisoning of data sets and can be used to execute cyberattacks such as malware and phishing attacks.
Miller Thomson’s Privacy and Cybersecurity Team have been monitoring developments and continue to guide clients through balancing the innovation of new AI technologies while ensuring compliance with existing and new privacy, data protection and AI-specific legislation.
