"When I look at myself, I am discouraged, when I compare myself to others, I panic..." This distorted saying summarizes the interactions in 2017 between artificial intelligence (AI) and personal information.
While the number of AI projects and successes continues to mount in Canada, especially in Montréal, discussions on "the after" remain embryonic: how can this potential industry shift from nascent to sustainable? The fact is that this issue has failed to garner much attention. We, like several observers, believe that we must consider how to regulate, or at least control, the use of artificial intelligence at different levels. The ultimate objective is to guarantee legal security for all stakeholders (public sector, private sector and citizens), while fostering innovation and investment in this area. In other words, a balanced and competitive normative framework. We further believe that the protection of personal information is one of the most important subjects to be addressed.
Big data combined with the use of different AI techniques, including machine learning, raises new issues with respect to data processing. These include:
- the trend toward collecting and analyzing "all the data"
- the use of data for news purposes;
- the collection of new types of data (observed, derived or even inferred);
- the unpredictability of algorithms; or
- the reidentification of individuals following the "anonymization" of data.
This new reality questions the basic principles on the protection of personal information, for both organizations and individuals. How to respect the principle of transparency? How to avoid violating the principle of limiting collection and the use of personal information? How to obtain consent from every person concerned? How to preserve the rights of access and correction for individuals? All of these questions are the subject of ample dialogue across the world.
In 2017, much has been written about artificial intelligence by foreign privacy authorities. Take, for example, the document by the United Kingdom's Information Commissioner's Office on "Big Data, Artificial Intelligence, Machine Learning and Data Protection", which concretely describes the AI challenges and solutions. In France, the Commission nationale de l'informatique et des libertés published a report on December 2017 entitled "Comment permettre à l'Homme de garder la main", which offers a more high-level overview of the AI issues. More fundamentally, most of the work and analysis in the European Union have centered around the General Data Protection Regulation, which comes into effect May 2018. It contains specific provisions on "automated individual decision-making", which allows the individual concerned to object (under certain conditions) or obtain information on this subject.
Meanwhile, Canada still has work to do. The Québec Commission d'accès à l'information touched on the subject in its 2016 five-year report, referring to the terms "big data" or "algorithm" without really addressing the issue of AI. The Office of the Privacy Commissioner of Canada addressed AI in its 2016-2017 annual report as an important subject and promised to publish research on the subject. The vast consultation on "consent" and the related documents are indeed a good start. For the time being, however, there does not appear to be any concrete proposal to amend our laws on the protection of personal information from AI.
The future is now and 2018 should be the meeting point between AI and privacy. Provincially and federally, for both public organizations and private companies, we can only push for widespread consultations on AI and the review of laws on the protection of personal information. The idea is not so much "to talk for the sake of talking", even less "to change for the sake of changing", but to launch a mature discussion on the relationship between AI and personal information. In our view, that is the priority for 2018.