Industry Committee on Nov. 23rd, 2023

Creating thresholds based on the number of employees creates incentives for businesses to stay small. While there is a desire to have these additional burdens on businesses, we have to recognize that there is a trade-off if doing so depends on the number of employees, because what you're telling businesses is that you don't want them to grow.

I am very supportive of all the comments that have been made. We had this debate when I was at the OPC. We did a public consultation, and the question came up about an AI start-up processing terabytes of data. It's not about the size; it's about the amount of data and the kind of data.

To your earlier question as well, I'll just add to some of the comments I made earlier about consent exceptions. I think there is an opportunity to align more closely with the GDPR in the sense of making it available to a broader range of organizations—small, large, etc.

When we're dealing with health data, for example—and I've seen this while working across Canada—we have some small, vulnerable population groups, and they can't anonymize that information with such a small population, so how do we bring that data together? How do we bring health care data together? It's partly through some of these current provisions where there is de-identification. We take out the person's name and we put in a pseudonym, but we still link and then produce really interesting, important statistics.

That's the one thing I wanted to bring forward.

The point about record-keeping obligations is interesting. To my knowledge, the only olive branch the GDPR hands small and medium-sized enterprises is indeed concerning their record-keeping obligations.

I would note that in the case of a children's code, which Ms. Gordon and I have spoken about, that can actually be very useful for helping businesses, because it provides them, in a way, with a starter manual for thinking through how they should design their products and services that are directed to children. You can raise protections while also being clear and helping businesses in terms of compliance.

Absolutely.

In my speaking notes, I have a footnote, so I'll just read that: “the use of a genetic algorithm, a neural network, machine learning or another AI technique in order to generate content or make decisions”.

The current definition is about any prediction model—and an average or a regression is a prediction model. The definition of an AI technique will evolve over time. What the use of “another AI technique” does is allow for the flexibility of technology to change over time, but it doesn't start regulating statistical technologies that have been around for centuries.

My starting point is that I think this legislation already is at a good starting point. Where we are right now is good. My concern about the trade-offs would be if we're adding additional things.

That said, there are two pieces that I think are particularly important. The first one is some recognition by the commissioner of the burden on small and start-up businesses. Especially, right now, the cost is borne by the person audited, even if the commissioner finds nothing. That strikes me as very risky. If we have a commissioner who decides, for whatever reason, that a particular company, especially a small company or a start-up, deserves an audit and they go through that process, for the start-ups that work with the Creative Destruction Lab, that may very well kill the company. Some reasonable expenses, in my view, should be covered by the commissioner or by the government when the audit shows no evidence of a contradiction of proposed sections 6 to 12.

Yes. I think there are two sub-aspects from my perspective.

The first aspect is the transition period. I think we should not undermine the fact that, even though there are already processes in place with PIPEDA and potentially with law 25, it does take time to have something that is meaningful.

I'm a lawyer, so I wish I could tell you that it's only a question of the papering aspect and just giving some policies and moving on. The fact is that privacy is much more than only legal professionals. I think there's an understanding internally in any organization to understand what is going on in terms of data flows and what we do to protect the information we have.

That's the reason why I tend to think that 36 months is the bare minimum. As a matter of fact, when we look around the world, that's what we are seeing. We saw with law 25 that 24 months was not sufficient. At the moment, companies are struggling very much to comply even with law 25, most of which came into force.

On the second aspect of your question, regarding what we can change, I will give you a simple example. If we go to proposed section 8 of the CPPA, it says, “An organization must designate one or more individuals to be responsible for matters related to its obligations under this Act.” I'll go back to my example of the convenience store in La Tuque. They have very little personal information. Their first question when they come to me would be, “Whom do I appoint? Who is my privacy officer?”

I think this is where it is problematic. It's not based on the size of the company; it's more a question of the volume and sensitivity of the information, the good news being that this threshold is present in Bill C-27 in some disposition. In particular, when I look at the privacy management program in proposed section 9, there is a caveat: depending on the “volume and sensitivity” of the information. I think the key aspect would be just to look at those absolute requirements and say, do we have a threshold based on the volume and sensitivity of the information? I think this could be a good exercise in the full version of the CPPA at least.

Sure. We've even seen it in other jurisdictions. Basically, the best example is probably the one of small populations. When you want to bring data together and produce.... Basically, what is anonymization? It's producing statistics. We've heard means, aggregates, averages and stuff. That's essentially what we want to do when we talk about anonymization.

If we make the threshold such that it's a zero risk, and if I have 100 people.... If I take the average age of everyone in this room, you will say, “Well, it's not anonymized enough”, but who is going to be able to identify me from the average age in this room? That's the risk. You're going so far and you're saying, “Well, 100 people are not enough. We have to go to 1,000.” Suddenly, you cannot generate the statistics that we currently generate for things like.... In our submission, we included opioids and mental health. These are examples where it would be very hard to create the granular data to see trends over time in different age groups and in different provinces.

From my read of the bill right now, it is not addressing AI and copyright.

I think there are important trade-offs to recognize in thinking through this. On the one hand, it's very important that artists and other people who create work get compensated for it. It is also important that we recognize that there has to be some aspect of their use.... When we, ourselves, read a document and then write something two or three years later, that document might somehow be in the back of our mind as we're drafting it up. We might cite that original person, or we may not, but we don't owe that person funds for copyright.

The first response is that, from my understanding, this bill does not address that. There are reasons to think that clarity will be good. Wherever we land, with a lack of clarity, it is going to be difficult for businesses to build AI systems, and it's going to be difficult for copyright owners to get compensated for their work. Clarity is good. As I understand it, it's not in this bill.

Second, I think it's important to recognize that some of the ways in which copyrighted work is input as data into the AI systems are very clearly related to the value of the copyright. If you ask it to write a song in the style of The Tragically Hip, it will. That's the style of The Tragically Hip, and that seems related to The Tragically Hip copyright. In contrast, if you ask it to create something that rhymes and somehow, in the dataset, there is some copyrighted work that rhymes, thinking through how every single copyright owner who's written something that rhymes should be compensated will be quite a nightmare.

I was at a recent poetry reading, of all things, at an AI conference. The poet used AI to develop her poetry, and it was amazing and fascinating and a pleasure to listen to. That's creativity enabled by AI. That poet got to copyright her work. The other poems that were inputs into the overall database at that point did not get to benefit from their copyright.

The reason I tell that story is to recognize that for cultural creativity, going forward, there are reasons to want a very open use of these AI systems. There's incredible creativity coming out of these AI systems—not the [Inaudible—Editor], to be clear. One of the things I love about the bill itself is that it's so clear that humans make decisions and not machines, so the creativity is human creativity enabled by AI systems.

In the process, though, we need to make sure that when copyright is violated in a particular way—for example, it's clear that you were trying to mimic a particular artist's style—it gets protected.