Canada’s Bill C-36 tackles AI privacy. Is it enough?
Announced in June, Bill C-36 is Canada’s first major overhaul of private-sector privacy legislation in more than 25 years. The bill explicitly recognises privacy as a fundamental right and also aims to give children’s personal information stronger protections, enhance deletion rights and require greater transparency where automated systems make significant decisions about people.Recommended Stories list of 4 itemslist 1 of 4FIFA has nearly 1,200 tickets still on sale for World Cup final at $7,380list 2 of 4EU says ‘addictive’ features on Instagram and Facebook breach its ruleslist 3 of 4Donald Trump removes final members of independent US election commissionlist 4 of 4How Wong Kim Ark’s legacy reignited the fight for birthright citizenshipend of listThe reforms also arrive amid growing scrutiny of AI after incidents such as British Columbia’s Tumbler Ridge shooting in February raised greater questions about AI chatbots, vulnerable users and the responsibilities of technology companies.The 18-year-old shooting suspect allegedly used ChatGPT before the attack. The victims’ families are now suing OpenAI, stating the company’s AI safety team identified violent prompts but did not alert law enforcement. This week, the province of British Columbia also announced it is “preparing legal action” against the AI company.Meanwhile, Canada’s federal government plans to modernise private-sector consumer privacy rules via Bill C-36.Evan Solomon, Canada’s minister of AI and digital innovation, told Al Jazeera that the government’s responsibility is “to protect Canadians online and to ensure Canadians can benefit from artificial intelligence and emerging technologies. These goals are not mutually exclusive”.“Bill C-36 establishes a framework for the responsible use of de-identified data. It includes safeguards designed to reduce the risk of re-identifying individuals while supporting important public-interest activities, including research, accountability and innovation.”But as AI systems become more capable of predicting, profiling and influencing people, experts say the challenge is no longer just what data companies collect — it is what AI can infer from users.The question is whether privacy legislation can keep pace with technology designed to predict, profile and influence human behaviour.Inferred informationThe biggest issue is that AI is changing where privacy harms occur, according to Ignacio Cofone, professor of law and regulation of AI at the University of Oxford.“Older privacy law assumes the danger is in what a company collects from you. The danger now is in what a company infers about you from data you never handed over, and in what it does with that AI inference.”In other words, today’s AI systems don’t necessarily need someone to disclose sensitive information voluntarily. Patterns in shopping habits, browsing history, location data or online activity can be enough for algorithms to make surprisingly accurate predictions about a person’s health, finances or behaviours.“A model trained on [anonymous] data can produce decisions that disadvantage a category of people without pointing at a named individual who can complain,” Cofone told Al Jazeera.Bill C-36 responds by expanding the definition of personal information to include inferred information and requiring organisations to explain certain automated decisions.But, as Cofone argues, the real challenge is in ensuring regulation targets harmful uses of AI rather than just data collection.“A model can predict your health, your sexuality, or your creditworthiness from unrelated traces and then act on the prediction, with no data leak or breach in a conventional sense,” he said.“That matters enormously because it moves the law toward where AI harm actually occurs, the inference a





Discussion (0)