How should Alberta address the impact of emerging technologies like artificial intelligence on individual privacy rights? That question was at the heart of a recent consultation undertaken by the Alberta Legislature as it looked to modernize the province鈥檚
Personal Information and Privacy Act (PIPA). The goal of this statutory review of Alberta鈥檚 privacy regime was to update and align Alberta鈥檚 regulations with national and global trends.
In our submission, 知阴视频 made recommendations for improving the transparency of data use for individuals, as well as simplifying who is regulating new technologies as they apply to Albertans鈥 privacy, and how those regulators should be given 鈥渕ore teeth鈥 to punish organizations that are not complying.
Keeping up with global regulations
Recent years have seen major changes in national and global privacy protection standards, centering around two important developments:
- The federal聽 Bill C-27, currently awaiting review in Canada鈥檚 Senate, which will make several substantial changes to Canada鈥檚 privacy regime. This bill will implement a number of new standards for privacy regulation, including enhanced consent requirements, privacy management programs, and new data citizen rights, among others. It also creates a new regulator 鈥 the Artificial Intelligence and Data Commissioner (AIDC) 鈥 whose office will be the central hub for AI regulation in Canada.聽
- The European Union鈥檚 General Data Protection Regulation (GDPR) and Artificial Intelligence Act, which have emerged as the global standards for modern privacy regulation. Numerous jurisdictions around the world are effectively 鈥減laying catchup鈥 to the standards and principles of these EU regulations, which include greater emphasis on data citizen rights, and the explicit acknowledgment of emerging technologies and their risks.
Currently, Alberta is one of only three provinces in Canada that has its own provincial privacy legislation and regulates its own privacy regime. To be able to do this, Alberta鈥檚 laws must be 鈥渟ubstantially similar鈥 to its federal counterparts. Federal changes now mean Alberta must also play catchup to national trends.
How to address the AI privacy challenge
In our submission, 知阴视频 outlined a number of specific changes to Alberta鈥檚 PIPA to address the challenges of AI.
Acknowledge and define artificial intelligence in PIPA, and enshrine specific rules governing its use: Currently, like most other provincial privacy legislation, PIPA is explicitly technology-neutral. It is not designed to address and govern risks stemming from things like artificial intelligence. But given the new risks involved with algorithmic data processing, and because of Alberta鈥檚 uniquely independent privacy regime, PIPA should explicitly define and govern artificial intelligence.
In particular, specific rights related to artificial intelligence use 鈥 including algorithmic transparency and the right for individuals to be excluded from 鈥渁lgorithmic processing鈥 鈥 should explicitly be outlined in PIPA. 知阴视频 suggested this could fall on the Office of the Information and Privacy Commissioner (OIPC) to monitor, regulate and enforce. Not doing so could result in Alberta organizations having two separate regulators governing their actions on privacy matters 鈥 the federal AIDC on artificial intelligence issues, and the provincial OIPC on all other privacy issues.
Implement a more explicit rights-based approach to privacy regulation: We believe PIPA should explicitly enshrine the rights of erasure, data portability and algorithmic transparency, which have all become standard in modern privacy legislation. This means individuals have the right to ask companies to delete their data, send their data to themselves or another organization of their choosing, and demand to see how decisions were made about them (e.g. algorithmic processing of bank loan requests).
More clearly defined rules around the de-identification and anonymization of data: Datasets that are scrubbed of identifiable personal information have an important role in academic research and economic innovation, and will be particularly useful in artificial intelligence applications. The revised PIPA should ensure that this data scrubbing for the purpose of research is done responsibly, and that bad actors are penalized.
Expand PIPA to formally include not-for-profit organizations and institute privacy management programs (PMPs): The current framework of PIPA only applies to specific activities of not-for-profit organizations and charities, rather than the organizations as a whole. This has, understandably, led to ongoing confusion. As most organizations want to maintain privacy best practices regardless of applicable legislation, formalizing their relationship with Alberta鈥檚 OIPC would allow for more informed internal planning. Instituting privacy management programs 鈥 which would allow these organizations to receive a formal acknowledgement and approval of their privacy practices by the privacy regulator 鈥 would provide additional assurance that they are abiding by modern best practices.
知阴视频 will continue to monitor the committee鈥檚 review of PIPA, including how this process will impact other legislation. Should these changes be implemented, they will have significant implications for our larger member community. In particular, 知阴视频 is keen to see how these changes will address the important question of artificial intelligence regulation, which will create new best-practices and compliance approaches for Alberta鈥檚 public sector.