This seven-part series explores, from a Canadian perspective, options for effective privacy regulation in an AI context.
In this series on bringing privacy regulation up to date for a world of big data and AI, I have discussed the need for revised legislation, the continued relevance of privacy principles, and the potential of use control as a new approach to big data governance. One last key piece remains: privacy enforcement.
I hope that my exploration of use control has made clear that AI systems can be designed to comply with privacy principles. The fact that they are not reflects the reality that it is not in the interest of corporations to do so. The business advantage provided by privacy-invasive data analytics far outweighs the cost of non-compliance with privacy laws.
We are beginning to see the balance of this equation shift, two years after the entry into application of the European Union’s General Data Protection Regulation (GDPR). The GDPR allows national data protection authorities to issue fines of up to €20 million (over $30M CDN), or 4% of an organization’s worldwide annual revenue of the prior financial year, whichever is higher. Multinational Internet corporations such as Facebook and Google are currently facing large penalties for non-compliance, and have been forced to change some of their data analytics practices. Penalties work.
Canadian privacy authorities currently do not have the power to issue compliance orders or fines, and I strongly believe that they need this power. Without significant penalties, it is impossible to make corporations accountable for their data processing practices. Any regulation should also ensure that penalties extend to third-party data providers; organizations must be accountable for their data sharing practices. Canada needs to give privacy commissioners the power to issue binding orders and fines to organizations that violate privacy laws. Only when there are significant consequences for privacy non-compliance will we see corporate practices begin to change. Privacy is a fundamental right, and our legal system needs to give it a higher value.
Bringing Privacy Regulation into an AI World:
PART ONE: Do We Need to Legislate AI?
PART FOUR: Access control in a big data context
PART FIVE: Moving from access control to use control
PART SEVEN: Why Canadian privacy enforcement needs teeth