Protection of Personal Information in Canada: Must we Imitate to Innovate?

It is important that we rethink the protection of personal information in the era of information technology and new business models: we need only consider Big Data, the Internet of Things, or artificial intelligence, none of which were part of everyday life a few years ago. Global opinion in this regard is unanimous today, but the solution is less readily identified. While the European Union is setting a course of its own, Canada seems to still be finding its way. Certainly we wish to innovate, but how will we go about doing so? By inventing, or by imitating? At present, our members of Parliament seem to prefer the second option: imitating our European neighbours.

A few days ago, the Standing Committee on Access to Information, Privacy and Ethics presented its five-year report to the House of Commons, entitled “Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act.” We should point out that this federal statute applies to private sector organizations that carry on commercial activities in most provinces, the exceptions, in certain circumstances, being Quebec, Alberta and British Columbia, which have their own legislation.

The parliamentary review conducted by the Committee resulted in 19 recommendations for amendments to the federal statute, based on an analysis some 100 pages long. Reading the report, however, we might be surprised at times to see so many references to the European system: the “European Union” is cited no fewer than 25 times, while the “GDPR” (the General Data Protection Regulation) is found 36 times. The new European personal data protection regulation certainly cannot be disregarded, but we are talking about Canada, with its own history and its own unique privacy concerns and issues. In addition, we must keep in mind the well-known saying that they who follow in another’s footsteps will never make their own mark. That being said, the report does offer some very worthwhile avenues for consideration, in particular concerning the “responsible” development of artificial intelligence. These “pros” and “cons” are what we would like to focus on.

The European Union and Personal Information: “Inside The Box”

We can all agree that there is no rule that forbids talking about the European regulation, or even drawing on it; it must certainly be admitted that the regulation is particularly bold and original. However, there is a fine line between “drawing on” and “copying and pasting”. In this case, the thoughts offered by the report are indeed constructive, but the analysis seems, at times, to be almost mechanical. It is as if an effort had to be made, in Canadian law, to check the boxes in European law. Thus, most of the recommendations match up with concepts that are advanced in the European regulation. This would mean having to change Canadian law to take into account legitimate business interests, fine distinctions between anonymization and pseudonymization, consent by minors, data portability, the right to erasure and de-indexing, or the concepts of Privacy by Design and Privacy by Default. Obviously, the Europeans have not cornered the market on these various ideas, but we are still left with a “one-track” feeling from the report. At this point, it should be noted that on the subject of cross-border flows of data, the concept of the “adequacy” (or equivalence) of the protections afforded to personal data is a crucial issue. A significant portion of the report is therefore dedicated to this, and rightly so. However, the quest for the “adequacy” grail certainly does not mean that the Canadian approach may, ipso facto, be dictated by the European Union.

Artificial Intelligence and Personal Information: “Outside The Box”

That being said, we would nonetheless note that the report contains some developments that are more innovative than others, particularly regarding the Privacy Commissioner’s enforcement powers or the examination of the approach taken in the United States. The accuracy of this observation is particularly evident with respect to artificial intelligence issues. The Committee urges the Government of Canada to “consider implementing measures to improve algorithmic transparency”. Given the growing numbers of projects and the many successes we are currently seeing in Canada in this sector, particularly in Montréal, and in view of the glaring need for legal security on the part of all stakeholders, including innovative businesses, this recommendation offers a glimmer of hope. There must now also be genuine discussions of the ethical issues, within a balanced and competitive normative framework. Artificial intelligence should bring all stakeholders together, not divide them.

Ultimately, the Canadian personal data protection model will have to forge its own path and find its own equilibrium. In that regard, we may do well to give more thought to what Parliament itself has said in the federal legislation: to take into account both individuals’ right to privacy and organizations’ need to process personal information, in an era where technology has redrawn the landscape.

This content has been updated on 7 April 2018 at 20 h 13 min.

Comments

Comment