How should Alberta address the impact of emerging technologies like artificial intelligence on individual privacy rights? That question was at the heart of a recent consultation undertaken by the Alberta Legislature as it looked to modernize the province’s Personal Information and Privacy Act (PIPA). The goal of this statutory review of Alberta’s privacy regime was to update and align Alberta’s regulations with national and global trends.
In our submission, Cybera made recommendations for improving the transparency of data use for individuals, as well as simplifying who is regulating new technologies as they apply to Albertans’ privacy, and how those regulators should be given “more teeth” to punish organizations that are not complying.
Keeping up with global regulations
Recent years have seen major changes in national and global privacy protection standards, centering around two important developments:
- The federal Bill C-27, currently awaiting review in Canada’s Senate, which will make several substantial changes to Canada’s privacy regime. This bill will implement a number of new standards for privacy regulation, including enhanced consent requirements, privacy management programs, and new data citizen rights, among others. It also creates a new regulator — the Artificial Intelligence and Data Commissioner (AIDC) — whose office will be the central hub for AI regulation in Canada.
- The European Union’s General Data Protection Regulation (GDPR) and Artificial Intelligence Act, which have emerged as the global standards for modern privacy regulation. Numerous jurisdictions around the world are effectively “playing catch-up” to the standards and principles of these EU regulations, which include greater emphasis on data citizen rights, and the explicit acknowledgment of emerging technologies and their risks.
Currently, Alberta is one of only three provinces in Canada that have their own provincial privacy legislation and regulate their own privacy regimes. To be able to do this, Alberta’s laws must be “substantially similar” to their federal counterparts. Federal changes now mean Alberta must also play catch-up to national trends.
How to address the AI privacy challenge
In our submission, Cybera outlined a number of specific changes to Alberta’s PIPA to address the challenges of AI.
Acknowledge and define artificial intelligence in PIPA, and enshrine specific rules governing its use: Currently, like most other provincial privacy legislation, PIPA is explicitly technology-neutral. It is not designed to address and govern risks stemming from things like artificial intelligence. But given the new risks involved with algorithmic data processing, and because of Alberta’s uniquely independent privacy regime, PIPA should explicitly define and govern artificial intelligence.
In particular, specific rights related to artificial intelligence use — including algorithmic transparency and the right for individuals to be excluded from “algorithmic processing” — should explicitly be outlined in PIPA. Cybera suggested this could fall on the Office of the Information and Privacy Commissioner (OIPC) to monitor, regulate and enforce. Not doing so could result in Alberta organizations having two separate regulators governing their actions on privacy matters — the federal AIDC on artificial intelligence issues, and the provincial OIPC on all other privacy issues.
Implement a more explicit rights-based approach to privacy regulation: We believe PIPA should explicitly enshrine the rights of erasure, data portability and algorithmic transparency, which have all become standard in modern privacy legislation. This means individuals have the right to ask companies to delete their data, send their data to themselves or another organization of their choosing, and demand to see how decisions were made about them (e.g. algorithmic processing of bank loan requests).
More clearly defined rules around the de-identification and anonymization of data: Datasets that are scrubbed of identifiable personal information have an important role in academic research and economic innovation, and will be particularly useful in artificial intelligence applications. The revised PIPA should ensure that this data scrubbing for the purpose of research is done responsibly, and that bad actors are penalized.
Expand PIPA to formally include not-for-profit organizations and institute privacy management programs (PMPs): The current framework of PIPA only applies to specific activities of not-for-profit organizations and charities, rather than the organizations as a whole. This has, understandably, led to ongoing confusion. As most organizations want to maintain privacy best practices regardless of applicable legislation, formalizing their relationship with Alberta’s OIPC would allow for more informed internal planning. Instituting privacy management programs — which would allow these organizations to receive a formal acknowledgement and approval of their privacy practices by the privacy regulator — would provide additional assurance that they are abiding by modern best practices.
Cybera will continue to monitor the committee’s review of PIPA, including how this process will impact other legislation. Should these changes be implemented, they will have significant implications for our larger member community. In particular, Cybera is keen to see how these changes will address the important question of artificial intelligence regulation, which will create new best practices and compliance approaches for Alberta’s public sector.