Canada’s proposed new data privacy rules tackle biometrics bias, illegal training data
New proposed data privacy legislation tabled as part of the federal government’s Bill C-27 aims to firm up restrictions around the collection of private data, and includes an act to limit the uses of Artificial Intelligence in the private sector—but not for law enforcement.
Tabled in response to predecessor, Bill C-11 (2020), the new bill includes clearer delineations between “de-identified” information, which can be traced back to an individual, and “anonymized” information, which cannot. It also proposes the Artificial Intelligence and Data Act, to establish standard requirements for the design, development and use of AI systems, including biometrics, in trade and commerce, and penalties for those who use the technology unlawfully.
Specifically, the bill requires the development of measures to “identify, assess and mitigate the risks of harm or biased output” that could result from the use of an AI system, a going concern in facial recognition and related fields, and the appointment of a new AI and data commissioner to monitor compliance.
However, there are exemptions. The Act will not apply to activities, services or products under the direction or control of the Minister of National Defense, the Director of the Canadian Security Intelligence Service, the Chief of the Communications Security Establishment, or “any other person who is responsible for a federal or provincial department or agency and who is prescribed by regulation.”
Both the Canadian Civil Liberties Union and the outgoing Privacy Commissioner of Canada, Daniel Therrien, criticized Bill C-11, claiming it offered inadequate data privacy protections and actually weakened some existing ones. They have called for stronger measures around facial recognition technology, following revelations that Clearview AI counted the Royal Canadian Mounted Police among clients using its biometrics platform.
A Privacy Commissioner’s report published in February 2021 determined that, under PIPEDA, Clearview had “collected, used and disclosed the personal information of individuals in Canada for inappropriate purposes, which cannot be rendered appropriate via consent.”
The bill does include rules against the use of systems developed with illegally obtained personal information, an apparent reference to Clearview’s biometric training database of images scraped from the web.
Speaking at a press conference, Innovation Minister Francois-Phillipe Champagne called C-27 “one of the most stringent frameworks you would find among G7 nations” when it comes to privacy. The bill, formally called the Digital Charter Implementation Act, comprises the Artificial Intelligence and Data Act, the Consumer Privacy Protection Act, and the Personal Information and Data Protection Tribunal Act, which sets out guidelines for the creation of a three-to-six-member tribunal to oversee hearings.
Other provisions include new protections for the personal information of minors, requirements that consent be obtained in plain language an average reader “would reasonably be expected to understand,” and enables individuals to request that their data be permanently deleted if they withdraw their consent.