I think an excellent example that should be on this committee's mind and those of all Canadians is Clearview AI, which is a technology company based in the United States that takes publicly available information—your photos on Facebook, on Tumblr or whatever else—and has developed a very powerful AI-based facial recognition system, using publicly available information, with no consent for the collection or use of that. Of course, all the privacy commissioners who studied this came to the conclusion that this violates basically all existing Canadian privacy laws.
In this case, we have a company that is based in the U.S., so there are questions about how applicable the law is, but I think it demonstrates several things. It demonstrates how some of these exceptions are very susceptible to powerful forms of misuse, and then once you have ingested the data and trained the model, we also need the regulation of how it's used.
One could argue that there are some purposes where publicly accessible information can and should be collected and used. We can talk about that. However, the fact that it's not subject to any oversight—an impact assessment requirement, for example—is problematic when it comes to the CPPA part of the bill, and then we can talk separately about the many weaknesses of AIDA.