Series: Bringing Privacy Regulation into an AI World

Bringing Privacy Regulation into an AI World

Over the past decade, privacy has become an increasing concern for the public as data analytics have expanded exponentially in scope. Big data has become a part of our everyday lives in ways that most people are not fully aware of and don’t understand. Governments are struggling to keep up with the pace of innovation and figure out how to regulate a big data sector that supersedes national borders.

Governments are struggling to keep up with the pace of innovation and figure out how to regulate a big data sector that supersedes national borders.

Different jurisdictions have taken different approaches to privacy regulation in the new context of big data, machine learning, and artificial intelligence (AI). The European Union is in the lead, having updated its privacy legislation, established a “digital single market” across Europe, and resourced a strong enforcement system. In the United States, privacy remains governed by a patchwork of federal and state legislation, largely sector-specific and often referencing outdated technologies. The US Federal Trade Commission is powerful and assertive in punishing corporations that fail to protect data from theft, but has rarely attempted to regulate the big data market. Canada’s principle-based privacy legislation remains relevant, but the Office of the Privacy Commissioner (OPC) acknowledged recently that “PIPEDA [the Personal Information Protection and Electronic Documents Act] falls short in its application to AI systems.”[1] As the OPC states, AI creates new privacy risks with serious human rights implications, including automated bias and discrimination[2]. Given the pace of technological innovation, there may not be much time left to establish a “human-centered approach to AI.”[3]

This series explores, from a Canadian perspective, options for effective privacy regulation in an AI context. In seven parts, I discuss:

  1. Do we need to legislate AI? 
  1. Is AI compatible with privacy principles? 
  1. Big data’s big privacy leak – metadata and data lakes 
  1. Access control in a big data context 
  1. Moving from access control to use control 
  1. Implementing use control – the next generation of data protection 
  1. Why Canadian privacy enforcement needs teeth 

[1] Office of the Privacy Commissioner of Canada, Consultation on the OPC’s Proposals for ensuring appropriate regulation of artificial intelligence, 2020.

[2] Ibid.

[3] G20 Ministerial Statement on Trade and Digital Economy, 2019.

Bringing Privacy Regulation into an AI World:

PART ONE: Do We Need to Legislate AI?

PART TWO: Is AI Compatible with Privacy Principles?

PART THREE: Big data’s big privacy leak – metadata and data lakes 

PART FOUR: Access control in a big data context 

PART FIVE: Moving from access control to use control 

PART SIX: Implementing use control – the next generation of data protection 

PART SEVEN: Why Canadian privacy enforcement needs teeth