The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1384610
LEGAL REPORT PRIVACY & DATA

management (e.g. verification of the authenticity of travel documents);
• Administration of justice and democratic processes (e.g. applying the law to a concrete set of facts).

The high-risk category may include AI tools used in self-driving cars, for example, or biometric identification systems used in public spaces. Technologies in this category would go through an intense assessment before being implemented.

AI systems with specific transparency obligations would be of limited risk. These would include chatbots used for getting customer service on a website, for example, where users would be made aware that they were interacting with a machine and could decide to continue or not.

Although the proposed rules apply to any AI system developed or used in the European Union, "if passed, it's going to have a massive impact on businesses globally, because you're going to have to design your AI systems to meet those requirements, even if you're not located in Europe," Mee says.

An American patchwork

In one of the first popular votes on privacy regulation in the past year, California voters backed a ballot measure that created the first bespoke U.S. data protection agency and harmonized the state with the EU's GDPR.

Yet unlike Canada, which passed the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2016, the United States has no federal privacy legislation applying to all businesses. "Colleagues I chat with in the U.S. are skeptical" that the federal government will develop such legislation, Mee says.

Europeans meant for the GDPR to provide a unified privacy regime, but there are still deviations among member states. "It's a laudable goal, and I think businesses would welcome any type of harmonization of the privacy legislation because it's becoming so challenging to know everything about every place," she says. In the meantime, "a lot of states are making their own laws to cover the gaps."

Planning for change

Companies should keep privacy rights in mind when designing and bringing tools, algorithms, and products to market, says Baer. Businesses should also start to think now about changes they may have to make. That's not just about updating a privacy policy, but about "privacy by design, and really understanding your business's data flow. Where does the information go? Where did you get it from? Who has access to it?

"You've got to take a real look at that," Baer says, "because what [the government is] going to look to at the end of the day is what's happening in reality, not just what you said you were doing."

"If passed, it's going to have a massive impact on businesses globally because you're going to have to design your AI systems to meet those requirements."
Wendy Mee, Blake, Cassels & Graydon LLP

SEVEN GUIDING PRINCIPLES FOR MEANINGFUL CONSENT
1. Emphasize key elements
2. Allow individuals to control the level of detail they get and when
3. Provide individuals with clear options to say "yes" or "no"
4. Be innovative and creative in consent processes
5. Consider the consumer's perspective
6. Make consent a dynamic and ongoing process
7. Be accountable: Stand ready to demonstrate compliance
Source: Office of the Privacy Commissioner of Canada