Industry Committee on Nov. 30th, 2023

I think using the Privacy Commissioner's expertise on privacy and other issues in artificial intelligence is a good way to leverage the expertise that is already there. I think a centralized entity that is able to audit companies for privacy and also for fairness and explainability would be the more efficient way to go forward, rather than splitting this into different entities that would have to coordinate anyway, because this issue is intricate. If you are a machine learning engineer and you have to implement privacy, fairness and explainability in your AI model, there is tension and synergy between these issues, and you cannot do them separately. I think the auditing part would also be one entity with the expertise to do that.

I think that the bill, as it stands today, doesn't go far enough to regulate the black box. That's really the issue.

You're asking whether data use should be regulated. I think that it should. As you said a number of times, I think that the Privacy Commissioner can play a major role in raising awareness.

In all honesty, the data can be used for any purpose. I can give you any application. You click on the accept button and you're told that your request has been sent. As a consumer, you have no idea whether it has actually been sent. In the age of big data, managing hundreds of millions of data items is a complex business.

Will the bill make it possible to control everything? Personally, I'm not sure. It is possible to set out ways to train and educate people on data definitions, data selection and the use of data in artificial intelligence systems? I think so.

This can go beyond the data. It can even affect the teams that choose the data. This choice can have a major impact on discrimination. We've seen this in applications where certain categories of people weren't included in the data selection process. As a result, certain groups received positive treatment. However, one segment of the population received negative treatment. There are some examples of this issue.

In my opinion, the bill can be improved to better regulate data use; ensure greater accountability on the part of companies; and give the Privacy Commissioner a bigger role and more powers, by boosting the commissioner's ability to raise awareness and educate people about data use.

There can always be a tougher penalty system. However, as I said earlier, these systems aren't foolproof. The flawed nature of these artificial intelligence systems must be taken into account. A company may comply with all the processes, but in the end, the results may not be consistent or expected. Also, when a company uses artificial intelligence data and sees hundreds of millions of data items, there's no guarantee that all the data is clean or compliant.

In my opinion, if restrictions on data use become much tighter, it could also hamper economic development. This ecosystem is developing at breakneck speed, and our companies must remain competitive. To that end, they need to use data. If data control is too restricted, it could slow down the development of systems. A smart system isn't developed overnight. It takes time.

As a result, data use must be controlled, but this control can't be exhaustive. There could be a form of supplementary control. This matters given that data lies at the heart of artificial intelligence. The more restrictions and reporting requirements are imposed on companies, the more it will adversely affect the economy. I don't know the extent of that impact. That said, global competition in this area is enormous.

It's necessary to look at the reason for an adverse effect. A violation of privacy may be good for a company, but is it good for the consumer? There's always some sort of dilemma.

For example, a person's consumption habits can reveal very private information. For instance, these habits can show whether a person has started a diet, bought a house, cut back on spending or changed jobs. A company could get hold of this person's data to create a profile. The company could then notice that the person has changed their consumption habits and that they could benefit from new discounts. Technically, this would be a monetary benefit for the consumer. However, I personally don't think that it's good for a company to have that much information on a person.

The idea is to identify what qualifies as a positive or adverse effect using case studies. The consumer must always come first. When a company collects too much information on a person, it can become a major issue for them.

Yes. In Europe, the General Data Protection Regulation covers the entire continent and is extremely specific when it comes to legitimate interest. It also provides for various exemptions. It even establishes what qualifies as direct marketing and the circumstances that prohibit it. A number of bills determine whether highly targeted and relevant advertising can be deemed positive or adverse. Once again, Australia does more or less the opposite. It prohibits direct marketing, except in certain cases, and it clarifies these exceptions.

There are a number of good practices. The advantage of lagging behind the rest of the world in this area is that we can choose the approach that suits us best.

The good news is that the CFPB released its first set of rules a couple of weeks ago, which closely look at what it wants to do. Of course, the CFPB doesn't care about everything and it takes more of a laissez-faire approach on some stuff, but for the first time, it clearly outlines that it wants to create a universal data protectivity right, and it's going to be imposed on financial institutions. Once that's done and we have the same approach—and I know people at Finance Canada are talking to people from the CFPB as well—I don't think it's going to be that difficult to do trade across the border, because the big team and the base principle are quite similar.

Absolutely, and they can choose the time of exposure. For example, if you want to try two different companies for the same product and you prefer one of them, you can drop the other one immediately. Therefore, your data is not used by this company anymore.

It's really about the power of the consumer and the time in which you can revoke your consent.