Industry Committee on Nov. 28th, 2023

Yes. I was discussing the various legal bases for processing personal information.

Mr. Chair, while we're waiting, can I respond to the question from Mr. Williams on legitimate interest?

Thank you very much for that question. I have concerns about legitimate interest as well.

As to whether it is weaker or stronger than the GDPR, it is substantially weaker than the GDPR in its wording. The GDPR, like the CPPA proposal, has a balancing.... It has no “get out of jail free” card. There must be a balance and the use must be appropriate, and it can't adversely affect individuals.

However, unlike the GDPR, it doesn't apply to disclosures, which is very significant. For example, search engines or AI companies are either not going to be able to operate in this country without an amendment, or they'll operate and they won't be subject to the law. This section needs to be fixed.

The other thing is that it has additional tests, which aren't in the GDPR, about a reasonable person having to expect the collection of such activity. That is tethered to an old technology—a known technology—rather than a technologically neutral approach. We want something that's going to work in the future, and this language doesn't work.

I think the problem is actually the opposite of what you were asking for. We need to fix it so that it works properly but still protects the public.

My experience with countries in the global south is.... If you take Africa, for example, and South America, many of those nations are not copying and pasting the GDPR, but they are certainly taking inspiration from the GDPR.

I think the GDPR is a global standard. There are different cultures and different legal systems, which means that it's not going to look the same as the GDPR, but certainly the principles are the same. Respect and the need for privacy and data protection are fundamental rights.

The Middle East is different again. I was recently in Dubai. I met with the minister for AI and talked to many businesses in the Middle East about their approach to data protection and transporter data flows. It certainly is innovation-forward. It's taking a different track than what I see happening in the global south. India's law is also being amended, reformed and passed. It's a very exciting time to see what's happening in that country.

I think fines are important. There's a lot of focus in this legislation on providing the commissioner with fining power, but fines are so 20th century. Although you need to have fines available for the worst cases and for the bad actors that continue to contravene the legislation, what's more impactful and where I see more modern tools are things like stopping processing orders or the disgorgement of data. This would mean that a company can no longer use its algorithmic models, that it has to destroy data that was fed into a model, because it was collected illegally.

We see the Federal Trade Commission in the U.S. using these kinds of powers. You see that happening in Europe and the U.K., because at the end of the day what is most impactful for significant contraventions of the law is what actually impacts a business model, and not a fine that is just the cost of doing business.

I think there's a rethink that's needed to give the commissioner modern tools, and I look at fines as a last resort.

As I said, in the U.K. there is a tribunal system, and administrative tribunals are used across many areas of law. In the U.K., when it comes to freedom of information, data protection, cybersecurity or electronic marketing—all of those areas the commissioner is responsible for—the decisions that the commissioner fines and sanctions are subject to a review by the first-tier tribunal. Then the case can actually go to appeal at the second-tier tribunal, and then on to the court.

That sounds like what could be a very lengthy process. However, I think that over time the tribunals have become expert tribunals, so you're not taking a very specialist policy area like data protection and having a general court look at the issues.

I think there are pluses and minuses. Obviously, the government wants to make sure there is administrative fairness and an appeal system, because otherwise you have too much power concentrated in a government body.

You could understand why there should be appeals, but my argument is that, if there is going to be a tribunal, then the standard of review needs to be reasonableness, as it is in British Columbia. Also, the members of the tribunal need to be independent and appointed that way. Finally, I think it's really important that the tribunals not conduct an inquiry from scratch, because I think that undermines the commissioner's expertise.

If there is no tribunal, then I agree with the Privacy Commissioner's recommendation that an appeal go directly to the Federal Court of Appeal, rather than starting at the tribunal and then going to Federal Court.

The structure of the adjudication of issues, where they start and how they get appealed, is a very important question. We have to recognize that, with the importance of privacy and the amount at stake for the public and organizations, getting it right is really important.

The powers of the Privacy Commissioner are very broad. There's really only anorexic protection procedurally, yet the Privacy Commissioner makes the determination as to whether there's a breach and can make a recommendation as to whether there are penalties.

The appeal goes to the tribunal, but the tribunal only has the power to order a reversal if it's an error of law. It has no power to do anything if it's a mixed question of fact and law or a question of fact. When you look at the way the CPPA operates, there are going to be huge numbers, almost invariably a huge number of questions of fact and law. This means that, effectively, there are almost no procedural protections before the Privacy Commissioner, and any decisions are virtually unappealable. Also, the constitution of a tribunal doesn't require a judge, which is required in other contexts. I do think there needs to be procedural protection in front of the Privacy Commissioner.

As for the appeal, you heard Ms. Denham talk about at least a reasonableness standard. That doesn't even exist before the tribunal. That would only exist on a further judicial review, but it's almost impossible to get there.

I do think the structure really needs to be changed to provide at least a modicum of procedural protection.

Thank you for your question.

I think that is a fantastic question.

The private member's bill that you referred to is also an attempt to have an agile mechanism for the regulation of AI. There are two things about that bill that I think are fundamentally important. If this committee is going to make recommendations for improvements, two things can be taken from that bill, which I would strongly recommend.

First, the secretary had the power to enact regulations in the first instance. The regulations only become effective when they're passed by a resolution in both Houses of Parliament. Regulations that don't have that procedure can be annulled by either House of Parliament.

In my mind, that is a way to give effect to the important principle of parliamentary sovereignty. That way, the government can go ahead with its regulatory analysis, but at the end of the day, it's still regulated by a mechanism of Parliament. I think that's a brilliant approach to solving the problem of parliamentary sovereignty.

The second thing about the draft AI bill that I think is really important is that it contains the principles for guiding the legislation. If you look at AIDA, it doesn't define “high impact” and it tells you nothing about what the principles should be that would guide regulation. What this bill does is provide a good first look at what could be an approach.

It starts off with saying the principles should be fundamental ethical principles for responsible AI. They should deliver safety, security, robustness and those sorts of things. Secondly, any business that's going to engage in AI—in this case, I would say a high-impact system—should test it thoroughly and should be transparent about its testing. Thirdly, it has to comply with equalities legislation—that is, discrimination, which is extremely important.

Lastly—and this is completely missing in our bill—a consideration has to be that the regulation benefits outweigh the burdens and that the burdens of the restriction don't prejudice and would enhance the international competition of the U.K.

I think having a set of principles like that to guide the regulatory framework would be very useful. When I saw that bill, I thought, this is genuis. This is from a private member.

That's a private member's bill, as my colleague has just said, so I haven't studied that.

The government's direction right now is not to regulate AI, but rather to give existing regulators the powers that they need, which includes running sandboxes to beta-test generative AI and machine learning applications.

The government has said that yes, there's a set of principles. The U.K. government of the day has said that it's not going to regulate a specific technology at this point. Instead, it's creating an AI institute to look over all digital regulation and to encourage digital regulators to work together. That is in contrast with the EU, which is in trilogue right now, as you know. The EU has an AI act that is comprehensive and reads like a product safety statute.

There may be a brilliant private member's bill, but the government's preference is really to support existing regulators when it comes to this new technology. It's taking a “wait and see” approach.

Yes, the global summit that was sponsored by the Prime Minister in the U.K. was really important, because there was an outcome that was an agreement of leading nations around the world around the approach towards AI. There was a declaration that came out of that meeting, and it included China. I think that is quite astonishing to a lot of people.

You see, ultimately, I think what we're going to need is an international solution. In the same way that we regulate civil aviation around the world, I can see that we need a world where we are regulating AI, at least to a high level of principles and standards. I think that's what was achieved at the British meeting a few weeks ago, and I think dialogue is a good thing.