Privacy Law

Update on International Regulation of AI: Recent Principles Established in Canada

By Michela Fiorido

Canada’s Artificial Intelligence Data Act (AIDA) was introduced as part of Bill C-27 in June 2022 but will not likely be in force until 2025. While there are obvious challenges in establishing regulations for rapidly and perpetually evolving technology, privacy authorities in Canada saw a need to provide some immediate direction about generative AI in particular.

On December 7, 2023, the Office of the Privacy Commissioner of Canada, in coordination with provincial and territorial privacy authorities, issued a joint document describing a set of principles for responsible, trustworthy and privacy-protective generative AI technologies.

While the principles (which are briefly described below) are by no means exhaustive, they do offer valuable insight for organizations that develop, provide or use generative AI.

Privacy Principles for Organizations Who Use Generative AI

Legal authority and consent – Organizations should establish legal authority for the collection and use of personal information and be mindful that the inference of information about an identifiable individual (such as outputs about a person from a generative AI system) will be considered a collection of personal information, and as such would require legal authority. When consent is the legal authority relied upon, it should be valid and meaningful.

Appropriate purposes – Organizations should only collect, use or disclose personal information associated with a generative AI system for appropriate purposes.

Necessity and proportionality – Organizations should establish the necessity and proportionality of using generative AI to achieve intended purposes. This includes considering whether there are other more privacy-protective technologies that can be used to achieve the same purpose.

Openness – Organizations should inform individuals what, how, when, and why personal information is collected, used or disclosed throughout any stage of a generative AI system’s lifecycle.

Accountability – Organizations should establish accountability for compliance with privacy legislation and principles, including by having policies and practices that set clear expectations for privacy compliance and by undertaking assessments such as privacy impact assessments to identify and mitigate against potential or known impacts that generative AI may have with respect to privacy.

Individual access – Organizations should ensure that there are processes in place to allow individuals to access or correct their personal information contained within an AI model. This includes maintaining adequate records when generative AI is used as part of a decision-making process in order to facilitate meaningful access.

Limiting collection, use and disclosure – Organizations should limit the collection, use and disclosure of personal information to only what is needed for an appropriate, identified purpose and should avoid indiscriminate collection of personal information based on assertions about the breadth of potential purposes for generative AI applications.

Accuracy – Organizations should ensure that personal information is as accurate and complete as necessary for the identified purpose whenever it is entered into a generative AI prompt or is used for training a generative AI model.

Safeguards – Appropriate safeguards should be in place to protect personal information throughout the lifecycle of a generative AI tool, proportionate to the sensitivity of the information.

