(Disponible en français : Avancées technologiques et protection de la vie privée)
Some of the technological advances that have emerged in the last few years have had or could have a significant impact on privacy and data protection. For instance, federal privacy laws are not necessarily equipped to respond to the challenges presented by the growth of online services, e-commerce, the Internet of Things, and technology companies’ use of increasingly powerful algorithms and artificial intelligence (AI). Thus, a number of recommendations have been made to amend privacy legislation to address these issues.
Recent technological advances
Growth in online services and e-commerce
Since the mid-1990s, online services and e-commerce have increased exponentially. This rapid growth of the digital economy has led to a number of provincial and federal laws being enacted, but challenges remain as regards the protection of personal information.
For example, in June 2019, the Libra Association (of which Facebook is a founding member) launched a project to create a global cryptocurrency called Libra that uses blockchain technology. Facebook also announced the creation of a subsidiary, Calibra, that would be involved in the blockchain project.
On 5 August 2019, in response to these developments, a number of representatives of data protection and privacy law enforcement authorities, including Daniel Therrien, Privacy Commissioner of Canada, published the Joint statement on global privacy expectations of the Libra network. The signatories to this statement expressed their shared concerns about the privacy risks posed by the Libra digital currency and infrastructure. These concerns stem from the fact that Facebook and Calibra have failed to specifically address the information-handling practices they would follow to secure and protect users’ personal information. The signatories pointed out that Facebook has expansive categories of data collection on hundreds of millions of users. They also mentioned that Facebook’s handling of personal information had not met the expectations of regulators or of Facebook users. According to the joint statement, the “combination of vast reserves of personal information with financial information and cryptocurrency amplifies [their] privacy concerns about the Libra Network’s design and data sharing arrangements.”
Internet of Things
More and more everyday objects, so-called “smart” devices, are connected to the Internet. These include watches that track user fitness, refrigerators that inventory what foods are eaten and televisions that catalogue all viewed content.
According to a document issued by the Office of the Privacy Commissioner of Canada (OPC), subject-matter experts predicted that 50 billion devices would be connected to the Internet by 2020. The OPC added that these objects range “from ‘smart home’ technologies such as security systems and digital assistants to connected toys to sensor-equipped cars that can diagnose engine problems and track how fast” a vehicle is travelling.
Connected devices offer users a variety of benefits. However, these conveniences are also associated with increased privacy risks. Personal information collected by connected devices could be shared, used or disclosed improperly or without the consent of the individuals involved.
Algorithms and artificial intelligence
Digital platforms such as Facebook or YouTube have access to data from billions of users. They analyze the data in various ways using powerful algorithms, in part to personalize the user experience. However, the way companies create and use these algorithms – with the help of AI – raises a number of ethical issues. The most obvious challenge is the lack of transparency shown by these companies concerning algorithms and AI. This lack of transparency has significant implications for privacy, particularly as regards how personal information is shared with third parties.
The Montreal Declaration for a responsible development of artificial intelligence, issued in 2018, addresses the ethical issues associated with AI development. This declaration proposes 10 principles and has the following three objectives:
- to develop an ethical framework for the development and deployment of AI;
- to guide the digital transition so everyone benefits from this technological revolution; and
- to open a national and international forum for discussion to collectively achieve equitable, inclusive and ecologically sustainable AI development.
In April 2019, the European Union (EU) published the Ethics Guidelines for Trustworthy AI and announced legislative proposals for a coordinated approach to considering the effects of AI in both human and ethical terms. According to the EU, privacy and data governance is one of the “seven essentials for achieving trustworthy AI.”
Recommendations to modernize privacy legislation
Canada’s Digital Charter
Between June and October 2018, the Government of Canada carried out national digital and data consultations. The following May, it published Canada’s Digital Charter. The charter was based on these consultations and outlines 10 guiding principles. Two of these principles address privacy directly: one deals with control and consent, and the other with transparency, portability and interoperability.
In addition, the government published proposals to modernize the Personal Information Protection and Electronic Documents Act (PIPEDA). The proposals to amend the Act, which applies to the private sector, are based on trust, which the government said is “the lynchpin of the digital and data-driven economy.” The following four themes were defined:
- enhancing individuals’ control;
- enabling responsible innovation;
- enhancing enforcement and oversight; and
- areas of ongoing assessment (clarity of obligations and scope of application and accountability).
Recommendations made by the House of Commons Standing Committee on Access to Information, Privacy and Ethics
Following its consideration of PIPEDA, the House of Commons Standing Committee on Access to Information, Privacy and Ethics published a report in February 2018 that contained 19 recommendations to modernize PIPEDA. The Committee made other recommendations in the same vein in the interim and final reports for its study on the breach of personal information involving Cambridge Analytica and Facebook. One of the recommendations in the final report addressed algorithmic transparency: giving a regulatory body the authority to audit algorithms.
This overview raises the question: Can existing privacy legislation be amended to address all the challenges stemming from technological advances and adapt to the fast pace at which businesses are innovating? Whatever the answer, legislative proposals on privacy and data protection can be expected during the 43rd Parliament.
Office of the Privacy Commissioner of Canada, The Internet of Things – An introduction to privacy issues with a focus on the retail and home environments, Research paper prepared by the Policy and Research Group, February 2016.
Alexandre Plourde, Retour vers le futur : l’Internet des objets et la protection de la vie privée, Développements récents en droit à la vie privée, Éditions Yvon Blais, Montréal, 2019, pp. 33– [in French only]
Author: Maxime-Olivier Thibodeau, Library of Parliament