Privacy & Cybersecurity in Canada, the US and the EU
This is a monthly bulletin published by the Privacy and Cybersecurity Group at Fasken, featuring noteworthy news and updates. If you have any questions about the items in this bulletin, please contact any member of the Privacy and Cybersecurity Group, and we will be pleased to assist.
Canada
Federal Government Updates its Webpage on the Responsible Use of AI in Government
On August 1, 2024, the Government of Canada updated its page dedicated to the responsible use of artificial intelligence ("AI") in government. The updated page serves as a valuable resource for understanding and implementing AI technologies. It offers a suite of tools and guidelines, including a guide on generative AI, a directive on automated decision-making, and an algorithmic impact assessment tool. The page also features foundational principles for AI use in government, as well as a timeline of AI progression.
Quebec Ministry of Cybersecurity and Digital Affairs Introduced a Set of Ten Guiding Principles for Responsible Use of AI in Public Services
In a commitment to ethical and responsible use of AI in public services, the Ministry of Cybersecurity and Digital Affairs introduced, on August 7, 2024, a set of ten guiding principles (in French only). These principles endorse respect for individual rights, inclusion, equity, reliability, security, efficiency, sustainability, transparency, explainability, and accountability in the deployment of AI. They also require public bodies to ensure that their personnel are well-trained and competent in the use of AI technologies, with the aim of enhancing the quality of services provided to citizens and businesses while ensuring the protection of personal information and the integrity of the systems.
Federal Privacy Commissioner Signs Information Sharing Memorandum With United States
On August 28, 2024, the Privacy Commissioner of Canada, Philippe Dufresne, signed a Memorandum of Understanding with the United States Federal Communications Commission. This MOU is intended to strengthen cooperation between Canada and the US, allowing the two regulators to exchange information in order to enforce compliance with laws in both countries and to share knowledge and expertise on regulatory policies.
United States
California Consumer Privacy Act Amended To Require Browsers and Mobile Devices To Support Opt-Out Preferences
On August 27, 2024, the California Senate passed AB 3048, which amends the California Consumer Privacy Act. This amendment requires all browser and mobile operating system providers to enable consumers to send an opt-out preference signal, like the Global Privacy Control, to a business with which the consumer interacts. This bill must still be passed by the Assembly and signed by the Governor of California; however, it is expected to move forward without issue.
Europe
Dutch DPA Imposes Fines on Clearview AI and Uber
The Dutch Data Protection Authority ("Dutch DPA") has been particularly active in recent months:
First, it imposed a fine of 30.5 million euros on Clearview AI, together with orders subject to a penalty for non-compliance of up to more than 5 million euros. Clearview AI has built an illegal database with billions of photos of faces, including of Dutch people. The Dutch DPA warns that using Clearview's services is also prohibited. More specifically, Clearview scrapes these photos automatically from the Internet and then converts them into a unique biometric code per face, without these people knowing and without their having given consent.
The Dutch DPA also imposed a fine of 290 million euros on Uber. The Dutch DPA found that Uber transferred the personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers. The Dutch DPA found that Uber collected, among other things, sensitive information about drivers from Europe and retained it on Uber's servers in the US. The data concerned includes account details and taxi licences, but also location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.
This transfer was done without using transfer tools (including standard contractual clauses). According to the Dutch DPA, this constitutes a serious violation of the General Data Protection Regulation (GDPR). In the meantime, Uber has ended the violation.
EU Commission Launches Consultation on Standard Contractual Clauses
Following the Uber decision, the EU Commission has decided to launch a consultation on standard contractual clauses for transfers to third-country controllers or processors subject to the GDPR. These potential new clauses address the specific scenario where the data importer is located in a third country but is directly subject to the GDPR. They complement the existing SCCs, which can be used for data transfers to third-country importers that are not subject to the GDPR.
In Case You Missed It!
The Fasken Privacy and Cybersecurity Group recently published the following articles that might be of interest.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.