Remarks at the Canada’s Competition Summit 2024
September 16, 2024
Ottawa, Ontario
Address by Philippe Dufresne
Privacy Commissioner of Canada
(Check against delivery)
Opening Remarks
Good afternoon and thank you for the invitation to share my perspective on artificial intelligence and its impact on privacy.
AI is certainly a topic that my fellow panelists and I have spent a great deal of time discussing over the last year and a half as part of our Canadian Digital Regulators Forum (CDRF) work. I am also pleased that the Copyright Board of Canada has joined the Forum and welcome the Vice Chair and CEO’s important perspective on this topic.
Recognizing that most of you are from the competition sphere, I will begin with a brief overview of my role as Privacy Commissioner before turning to a discussion of the importance of cross-collaboration. I will also share some details about initiatives that the OPC has undertaken to assess and address the privacy implications of AI.
Who we are and what we do
As Privacy Commissioner of Canada, my mission is to protect and promote the fundamental right to privacy of Canadians. This includes overseeing compliance with both the Privacy Act, which governs the personal information handling practices of federal government institutions, and the Personal Information Protection and Electronic Documents Act, or PIPEDA, Canada’s federal private sector privacy law.
In this role, I am an independent Agent of Parliament and I report directly to Parliament.
In January, I launched a strategic plan that will guide the work of the OPC through 2027. It includes three priorities:
- Protecting and promoting privacy with maximum impact;
- Addressing and advocating for privacy in this time of technological change; and
- Championing children’s privacy rights.
The importance of collaboration
Across each of these priorities is a commitment to collaboration, be it with domestic and international privacy regulators, civil society, academics, industry, and other government departments. It has also become clear that cross-regulatory collaboration is essential if we are to better protect the rights and interests of Canadians in the digital space.
The CDRF allows us to work together on areas of mutual interest. We have also recognized that many of our shared concerns are global concerns, which makes international cooperation important as well.
To that end, the CDRF recently joined the International Network for Digital Regulation Cooperation to strengthen international ties given the scale and global nature of digital markets and the speed at which they innovate.
We are also furthering collaboration with the Organization for Economic Co-operation and Development (OECD) and I will be attending an international Forum discussion on that topic in November.
And just last month, I signed a Memorandum of Understanding with the Chairwoman of the United States Federal Communications Commission to strengthen information sharing and enforcement cooperation between our two organizations. This step recognizes the growing need to work together on matters related to consumer privacy, data protection, and also cybersecurity.
On this last point, I would note that data breaches involving ransomware and malware attacks have surged over the past decade, and credential stuffing, whereby attackers use stolen credentials from one breach to gain access to other accounts, is becoming increasingly common. Last year, 46 per cent of all private sector breaches reported to the OPC were identified as cyber incidents, a 13 per cent increase over the previous year.
AI initiatives at the OPC
While this offers an overview of some of the recent activities of my organization, given today’s focus on AI, I will expand on my second priority: addressing the privacy implications of technology – in particular related to artificial intelligence and generative AI.
The use of massive information sets – which often include personal information – to generate content such as text, computer code, images, video, or audio in response to a user prompt holds incredible promise in advancing innovation, efficiency, and convenience.
But it also comes with important privacy concerns related to the collection and use of personal information, in particular, the need for more transparency in this regard, including the potential risks to individuals’ privacy.
Organizations that are developing or refining AI models should be able to explain their data sources, and organizations using AI systems should be able to explain any decision-making processes for which those systems are used.
Other privacy concerns relate to consent mechanisms, accountability for system processes and outcomes, and the accuracy of decisions, including how those decisions have mitigated the risk of bias.
These concerns are the focus of the OPC’s work in this area.
This includes an ongoing joint investigation with my three provincial privacy counterparts in Quebec, British Columbia, and Alberta into OpenAI’s ChatGPT.
The investigation is examining OpenAI’s compliance with requirements under the relevant Canadian privacy laws in relation to consent, openness, access, accuracy, and accountability.
As well, the investigation is considering whether OpenAI is collecting, using, and disclosing personal information for an appropriate purpose.
It is a high priority investigation and I look forward to sharing the results later this year.
Furthermore, last December, I hosted an International Symposium on privacy and AI. I welcomed experts from academia, industry, civil society, and government as well as fellow data privacy authorities from Canada and around the world to gather and discuss the opportunities and risks involved in generative AI, and how all sectors can best work together to address them.
With my provincial and territorial counterparts, it was also an opportunity to launch a set of principles to advance the responsible, trustworthy, and privacy-protective development and use of generative AI in Canada.
That joint document lays out how key privacy principles apply when developing, providing, or using generative AI models, tools, products, and services.
Before closing, I would also like to mention, as many of you are aware, that Parliament continues to debate new legislation with Bill C-27 that would modernize PIPEDA and introduce a new law specific to AI. And while I strongly believe that Canada’s privacy laws need to be modernized, it is important to note that our current privacy laws apply to the use of this technology, and I am committed to their application in this space.
Thank you and I look forward to today’s discussion on our cross-regulatory efforts to tackle this important subject.
- Date modified: