Data Privacy and AI Facial Recognition

Questions and Answers

What is the primary role of the Privacy Commissioner under PIPEDA?

To investigate all complaints and seek to educate companies on compliance matters

What kind of information is NOT protected under PIPEDA?

Business card information publicly disclosed

Who enforces the Personal Information Protection and Electronic Documents Act (PIPEDA)?

Office of the Privacy Commissioner of Canada

What is a potential risk posed by AI facial recognition technology to personal data security?

Potential misuse or unauthorized access to personal data

What is the maximum penalty a company may face for obstructing the Commissioner's investigation or destroying records?

$100,000 per case

What is the primary requirement for businesses regarding personal information under PIPEDA?

To clearly state intentions and practices for the use of personal information

Which of the following is an example of personal information protected under PIPEDA?

Home address and phone number

What applies to organizations that collect, use, or disclose personal information for commercial activity?

PIPEDA

What is the main reason behind the proposal of Bill C-27?

To protect Canadian's personal data and ensure businesses use it for intended purposes

Which of the following is NOT one of the proposed Acts?

General Data Protection Regulation (GDPR)

What is a key aspect of the CMA Code of Ethics and Standards of Practice regarding marketing to children?

Parents or guardians must provide consent for children under 13

Which province in Canada has its own legislation regarding marketing to children?

Alberta

What is a concern regarding children's personal data?

Children are unable to understand consent and require protection

What is a similarity between the proposed Acts in Canada and regulations in other jurisdictions?

They all prioritize the protection of personal data

What is the main purpose of implementing safeguards in companies?

To protect users' data from unauthorized access

What is an example of an opt-out consent language?

If you do not want to be contacted by us in the future, please check the box below

What is an exception to PIPEDA where a business may need to disclose personal information without the person's consent?

If the person has violated a law in Canada or within a province

What is the main purpose of Bill C-27?

To propose Acts related to consumer privacy, data protection, and AI systems

Why is it important to provide users with access to their personal information?

To allow them to correct inaccuracies

What is an example of a technological safeguard to protect users' data?

Data encryption

Why is it important for companies to be prepared to be challenged by users or courts regarding compliance?

To demonstrate compliance with privacy laws and regulations

What is a key principle of obtaining meaningful consent?

Using clear and specific language in consent requests

What is the main focus of Canada's Anti-Spam Legislation (CASL)?

Protecting the public from commercial electronic messages

What is the penalty for violating the Do Not Call List (DNCL)?

$1,500 per person and $15,000 per company

Which of the following is an exemption to the Do Not Call List (DNCL)?

Canadian registered charities

What is required of telemarketers under the Do Not Call List (DNCL)?

To maintain a 'do not call' list and implement requests within 14 days

What defines an 'existing business relationship' under the Do Not Call List (DNCL)?

The consumer has a written contract that is still in effect or has expired within the last 18 months

What is a requirement under PIPEDA for the collection of personal information?

Collection of personal information only for a specified purpose

What is the purpose of Canada's Anti-Spam Legislation (CASL)?

To protect the public and violators can face penalties

Under the Do Not Call List (DNCL), how long does a telemarketer have to implement a request to be added to the 'do not call' list?

14 days

What is a consequence of non-compliance with PIPEDA?

All of the above

Which of the following is NOT an exemption to the Do Not Call List (DNCL)?

Telemarketing companies

What is a principle of PIPEDA that ensures the accuracy of personal information?

Accuracy

What is a right of the user under PIPEDA?

Right to access their personal information

What is an example of a sensitive question under PIPEDA?

What is your religion?

What must a company do with personal information after the initial purpose is complete?

Destroy or render the information anonymous

What is a challenge for companies under PIPEDA?

Poorly designed websites that allow hackers to access consumer data

What is a principle of PIPEDA that ensures companies are responsible for personal data?

Accountability

Study Notes

Information and Privacy Commissioner of Ontario

• The Information and Privacy Commissioner of Ontario can be found at <a href="https://www.ipc.on.ca/">https://www.ipc.on.ca/</a>
• The Competition Bureau can be found at <a href="https://www.priv.gc.ca/en/for-individuals/">https://www.priv.gc.ca/en/for-individuals/</a>

AI Facial Recognition Technology

• AI facial recognition technology raises concerns about personal data security
• It is unclear whether facial recognition technology is considered personal data
• The use of AI facial recognition technology in public and private spaces raises concerns about data privacy and security

PIPEDA

• The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that applies to organizations that collect, use, or disclose personal information for commercial activity
• PIPEDA is enforced by the Office of the Privacy Commissioner of Canada
• PIPEDA applies across Canada, but some provinces have similar legislation (BC, AB, and QC)

Role of the Privacy Commissioner

• The Privacy Commissioner investigates all complaints, but may discontinue if the complainant's issue is trivial or frivolous
• The Commissioner seeks to educate companies on compliance matters
• The Commissioner resolves issues outside of the Federal Court
• Companies that obstruct the Commissioner's investigation or destroy records face a maximum penalty of $100,000 per case

Personal Information

• PIPEDA defines personal information as "information about an identifiable individual"
• Corporate information, such as name, title, business address, and telephone number, is not protected by PIPEDA
• Personal information includes information that is not publicly disclosed, such as credit card information and personal data

PIPEDA Mandates

• Businesses must clearly state their intentions and practices for the use of personal information
• Individuals must consent to the collection, usage, or disclosure of their personal information for commercial activity
• Limits the collection of personal information to what is necessary to identify the person
• Personal info must be collected by fair and lawful means

PIPEDA Challenges for Companies

• Poorly designed websites can allow hackers to access backdoors to consumer and business data
• Businesses must clearly state their intentions and needs for consumer data and allow consumers to say "no"
• PIPEDA limits the retention of personal data and requires data to be destroyed or rendered anonymous after the initial purpose is complete
• Data breaches are a common concern

Additional Requirements under PIPEDA

• Users have the right to access their personal information from within the company
• Users have the right to correct and update their information
• Users have the right to access an organization's privacy policies and practices

Ten Principles of PIPEDA

• Accountability: Ensure compliance with how personal data is used under PIPEDA
• Identifying Purposes: Data is used to identify the user and only that user
• Consent: The user must consent to the collection of personal information by the company
• Limiting Collection: User data is collected only for an intended purpose
• Limiting Use, Disclosure, and Retention: Consent is needed if a business wishes to use personal information for other uses
• Accuracy: Data must be accurate, complete, and current as necessary for the identified purpose
• Safeguards: Companies need to implement physical, organizational, and technological safeguards to protect users' data
• Openness: Company policies allow the user full access to their data
• Individual Access: The user must be given access to personal information and the ability to correct inaccuracies
• Challenging Compliance: Organizations must ensure compliance and be prepared to be challenged by users or courts

Consent – Opt-in/Opt-out

• Language needs to be clear on consent and cannot be vague
• Opt-out: Users must check a box to decline consent
• Opt-in: Users must actively give consent
• Against the law: Pre-checking the opt-in box is not allowed
• Alternatives to consenting to company policies must be provided

Exceptions to PIPEDA

• A business may need to disclose personal info without the person's consent in certain situations, such as:
  • Breach of agreement or contract
  • Court subpoena, warrant, or order
  • Emergency threatening a person's life, health, or security
  • Information collected from a public source
  • Data gathered from a third party regarding the delivery of flowers

Bill C-27 – Digital Charter Implementation Act

• Bill C-27 contains three proposed Acts related to consumer privacy, data protection, and AI systems
• The proposed Acts are:
  • The Consumer Privacy Protection Act (CPPA)
  • The Personal Information and Data Protection Tribunal Act (PIDPTA) – Updates for PIPEDA
  • The Artificial Intelligence and Data Act (AIDA)
• Bill C-27 is still in process and has been in development since 2022

Is Your Data the New Currency?

• Tough new laws around the world, such as GDPR and CCPA, are being enforced to protect consumer data
• Marketers need to realize the shift and adapt to new laws and regulations

Collecting a Child's Information

• PIPEDA is largely silent on marketing to children, but some provinces have legislation in place (BC and AB)
• Most companies follow the CMA Code of Ethics and Standards of Practice on marketing to children under 13
• Do children understand consent?

Canada's Anti-Spam Legislation (CASL)

• Pertains to commercial electronic messages (email, text, SMS)
• Must provide an unsubscribe mechanism
• Strict legislation to protect the public, with violators facing penalties of $10 million, plus individual damages of $200 - $1 million per day

Privacy and Telemarketers

• Do Not Call List (DNCL) is managed by the CRTC
• Users can register on DNCL
• Telemarketers must maintain a "do not call" list, and when the request is made, it must be implemented within 14 days
• Violations of the DNCL result in fines of $1,500 per person and $15,000 per company that received the offending calls

Exemptions to DNCL

• Canadian registered charities
• Political parties, riding associations, and candidates
• Newspaper of general circulation soliciting subscriptions
• Organizations conducting market research, surveys, or public opinion polls
• Organizations with whom a consumer has an existing business relationship, defined as:
  • Purchased, leased, or rented a product or service from the telemarketer in the last 18 months
  • Written contract that is still in effect or has expired within the last 18 months
  • Asked a telemarketer about a product or service within the last six months

Description

Explore the use of AI facial recognition technology in public and private spaces and its impact on data privacy. Discuss potential risks and concerns regarding personal data.