Privacy & Cybersecurity in Canada and the US

This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy & cybersecurity landscape. If you have any questions about any of the topics herein, please reach out to our friendly Fasken Privacy and Cybersecurity team.

This Month's Noteworthy News

Alberta Commissioner Guidance on AI

The Office of the Information and Privacy Commissioner of Alberta has published guidance to help small custodians (as defined under the Health Information Act) manage the risks of using AI and meet their due diligence obligations when doing so. Although not strictly applicable to many private sector organizations, the guidance is nonetheless illustrative of the focus regulators are placing on AI, and it offers practical direction for organizations grappling with onboarding AI tools and managing the associated privacy and security risks.

Canadian Privacy Regulators Launch AI Principles

On December 7, 2023, the Privacy Commissioner of Canada, Philippe Dufresne, announced the launch of a new principles document at the start of the international Privacy and Generative AI Symposium organized by the OPC. The document, "Principles for responsible, trustworthy and privacy-protective generative AI technologies", is a joint project of the privacy regulators across Canada. It is intended to help organizations developing, providing, or using generative AI to apply key Canadian privacy principles.

European AI Act in Force as First Regulation on Artificial Intelligence

This is a big step forward for the first EU AI regulation. The new rules establish obligations for providers and users depending on the level of risk posed by the artificial intelligence system. While many AI systems pose minimal risk, they still need to be assessed. The risk levels are divided as follows:

  • Unacceptable risk: AI systems considered a threat to people will be banned (e.g. biometric identification and categorisation of people).
  • High risk: AI systems that negatively affect safety or fundamental rights will be considered high risk and will be divided into two categories:
    1. AI systems used in products falling under the EU's product safety legislation. This includes toys, aviation, cars, medical devices and lifts.
    2. AI systems falling into specific areas, such as law enforcement, that will have to be registered in an EU database.
    All high-risk AI systems will be assessed before being put on the market and also throughout their lifecycle. General purpose and generative AI, such as ChatGPT, will have to comply with transparency requirements.
  • Limited risk: AI systems should comply with minimal transparency requirements that allow users to make informed decisions. After interacting with the application, the user can then decide whether they want to continue using it. Users should be made aware when they are interacting with AI. This includes AI systems that generate or manipulate image, audio or video content, for example deepfakes.

The text will then be formally adopted by both Parliament and Council to become EU law. It is expected that this will happen in early 2024.

European Regulator Decides on the Concept of Automated Individual Decision

In Court of Justice of the European Union (CJEU), December 7, 2023, C-634/21, Schufa (CURIA - Documents (europa.eu)), the Court held, in relation to "scoring", that it must be regarded as an "automated individual decision" prohibited in principle by the General Data Protection Regulation, in so far as SCHUFA's clients, such as banks, attribute to it a determining role in the granting of credit.

The Court identified three cumulative conditions for such a decision: (i) the existence of a decision; (ii) the decision is based solely on automated processing, including profiling; and (iii) the decision produces legal effects concerning the person at issue.

California Privacy Regulator Approves Legislative Proposal to Require Browsers to Offer Opt-Out Preferences

On December 11, 2023, the California Privacy Protection Agency announced the advancement of a legislative proposal to require browser vendors to include a feature that allows users to exercise their privacy rights through opt-out preference signals.

Although this requirement would only relate to California consumers at this time, the recognition of opt-out preference signals is not a new topic and will certainly remain on regulators' minds worldwide.

European Regulator Determines Fear of Misuse of Data is "Non-Material Damage"

In a decision indexed at CJEU, December 2023, C-340/21, VB v Natsionalna agentsia za prihodite (CURIA - Documents (europa.eu)), the Court held that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties, as a result of an infringement of the GDPR, is capable, in itself, of constituting "non-material damage" within the meaning of the GDPR.

Ontario PHIPA Administrative Monetary Penalties

As of January 1, 2024, the Office of the Information and Privacy Commissioner of Ontario (IPC) has the discretion to issue administrative monetary penalties (AMPs) as part of the enforcement mechanisms under the Personal Health Information Protection Act (PHIPA). Penalties of up to $50,000 for an individual and $500,000 for an organization may now be imposed for the purposes of encouraging compliance and preventing individuals or organizations from directly or indirectly deriving an economic benefit from violations of PHIPA. The IPC has issued guidance on its new powers, indicating generally that these enforcement provisions will be reserved for more serious violations requiring deterrence, and not for unintentional errors. Examples offered by the IPC of contraventions likely to attract AMPs include snooping into patient records, contraventions for economic gain, and disregard for individuals' rights of access.

New Jersey Passes Privacy Law

On January 8, 2024, the last day of the 2023 legislative session, the New Jersey Legislature granted final passage to a comprehensive privacy bill, Senate Bill 332. The bill was signed into law by Governor Patrick Murphy on January 16. The law is similar to consumer privacy laws passed in other US states, and will apply to controllers and processors operating in New Jersey or targeting New Jersey residents that meet certain applicability thresholds. This makes New Jersey the 13th US state to pass a comprehensive privacy law, adding to the patchwork of state legislation.

In Case You Missed It!

The Fasken Privacy and Cybersecurity group recently published the following article, which may be of interest: Bill C-27: Federal Government Releases Amendments to Canada's Proposed AI Law

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.