This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant.
AI Regulation: Insights From the IAPP Canada Privacy Symposium 2024
| Canada | USA | Europe | APAC | Rest of World |
| ✔ | | | | |
Type: Conference
Date: June 2024
Summary: During the week of June 10, global privacy professionals attended the IAPP Canada Privacy Symposium 2024 (CPS), which featured sessions on AI governance, privacy assessments, Indigenous privacy issues, and healthcare privacy, among others.
Philippe Dufresne, Canada's Privacy Commissioner, announced in his keynote a joint investigation with the UK Information Commissioner’s Office into the October 2023 data breach at 23andMe. He also provided updates on ongoing investigations into OpenAI and TikTok, coordinated with provincial data protection authorities, as part of efforts to use existing laws to address new privacy challenges.
Dufresne, who also chairs Canada’s Digital Regulators Forum (CDRF), emphasized the forum’s role in leveraging collective expertise from members, including his office, the Canadian Radio-television and Telecommunications Commission (CRTC), and the Competition Bureau. The CDRF aims to develop a unified understanding of AI, establish common definitions, raise awareness of AI’s complexities, and discuss principles for AI regulation.
In a breakout session, a senior technology advisor from the Commissioner's Office, Vance Lockton, outlined their strategy for regulating AI. Despite the absence of AI-specific laws, the agency and global data protection authorities are targeting developers of foundational AI models to ensure lawful deployment of generative AI technologies. The focus is on whether large language models (LLMs) use web scraping for training data, a method that is likely to fail any genuine interest or reasonable person test.
The management of AI models and protection of personal information were major concerns for privacy professionals at CPS, as organizations worldwide are integrating AI, and they are increasingly responsible for managing the privacy aspects of deploying AI technologies.
Analyst Perspective: It is evident that privacy regulators are taking a proactive and collaborative approach toward AI regulation. In the absence of AI-specific legislation, regulators are looking to leverage existing laws and coalitions to tackle challenges posed by AI. Using the tools currently available is a pragmatic approach while new, more specific regulations such as Canada's Bill C-27 are being developed.
The establishment of the CDRF under Dufresne's leadership signifies a move toward creating a cohesive framework for AI regulation. Canada has experienced the advantages of such a partnership through the $9 million settlement with Facebook regarding its privacy practices that was achieved in 2020 by the Competition Bureau – despite the lack of prerogative at the Office of the Privacy Commissioner of Canada (OPC).
Lockton’s mention of a reasonable person test in the context of AI regulation, despite the absence of legislation, indicates that principles of duty of care and negligence could potentially be used to subject organizational AI governance to judicial oversight. It is, nonetheless, reassuring to see privacy professionals becoming involved in the AI system development process and playing a vital role in shaping AI governance programs within organizations.
While significant challenges remain, particularly in balancing innovation with regulation and achieving global coordination, the steps outlined at CPS indicate a proactive and evolving regulatory landscape aimed at ensuring that AI technologies develop in a manner that respects and protects privacy rights.
Analyst: Safayat Moahamad, Research Director – Security & Privacy
Canada’s Privacy Commission Releases Results of Privacy Survey on Canadian Businesses
| Canada | USA | Europe | APAC | Rest of World |
| ✔ | | | | |
Type: Announcement
Announcement Date: May 2024
Summary: The Office of the Privacy Commissioner (OPC) of Canada has released its biyearly survey pertaining to privacy issues and practices implemented by Canadian businesses. The survey, which was conducted late last year, interviewed 800 companies across Canada and provided the OPC with insights on businesses’ awareness of privacy protection and measures they have in place to protect consumer data.
The survey found that almost 25% of businesses intend to use AI within the next five years. It also found that 80% of businesses consider the protection of customers’ personal information to be of high importance, with many respondents taking actions to manage their privacy obligations. Over half of the businesses have designated a privacy officer and have internal privacy policies as well as procedures to handle complaints.
With respect to knowledge of OPC resources, over 40% of businesses are aware of the information and tools provided by the OPC, with over a quarter leveraging resources that assist organizations in complying with privacy obligations. The findings of this survey will assist the OPC in improving its outreach efforts to businesses and continuing to provide guidance on privacy issues at both the individual and organizational levels.
Analyst Perspective: The results of the survey conducted by the OPC showcase the shift in businesses becoming more aware of the privacy-related issues concerning Canadians and the steps they need to take to comply with regulatory requirements. Over 90% of businesses found that the process of bringing their personal information–handling practices into compliance was not challenging. This could be attributed to the OPC’s efforts over the past years to increase businesses’ awareness and understanding of privacy laws.
Organizations are also better equipped to handle a data breach, with over 80% of businesses indicating they are prepared to respond to a data breach. Although 93% of businesses haven’t experienced a privacy breach, the response indicates organizations are taking a proactive stance and are confident with their practices to protect customer information.
Analyzing this year’s results would allow organizations to better understand the privacy landscape and the steps they need to take for compliance. Improving consumer privacy starts with businesses enhancing their privacy practices and ensuring due diligence. This would align with some of OPC’s privacy priorities in maximizing their impact in promoting privacy and addressing the privacy impact of emerging technology, which would strengthen organizations’ privacy posture and better protect Canadians’ personal information.
Analyst: Ahmad Jowhar, Research Analyst – Security & Privacy
Airbnb Tightens Security Camera and Decibel Monitoring Policy, Gains Applause From Canadian Privacy Regulators
| Canada | USA | Europe | APAC | Rest of World |
| ✔ | | | | |
Type: Announcement
Announcement Date: March 2024
Summary: In a move applauded by Canadian privacy regulators, Airbnb has significantly restricted the use of indoor security cameras and implemented new regulations on decibel monitors in its rental properties. In effect as of April 30, the updated security policy prohibits indoor cameras entirely, regardless of location or disclosure. Additionally, hosts are now required to disclose the presence of decibel monitors. This new approach aims to simplify the platform's policy and prioritize the privacy of its users.
Previously, Airbnb allowed disclosed indoor cameras in common areas like hallways, but this update eliminates that exception. While some hosts may have used these cameras for security purposes, regulators emphasized the importance of privacy within rental accommodations. The decision reflects a growing recognition of the potential for hidden cameras to infringe on guest privacy, even when disclosed. The requirement to disclose decibel monitoring, on the other hand, aims to increase transparency regarding potential noise monitoring.
Analyst Perspective: I see this development as a positive step. While security cameras offer benefits, their presence in living spaces can create a constant sense of being monitored. The new policy strikes a balance, prioritizing privacy in spaces intended for relaxation and personal use. It's important to note that outdoor cameras are still permitted under stricter guidelines, allowing hosts to maintain a level of security for their properties. Overall, this change demonstrates Airbnb's commitment to user privacy and aligns with growing regulatory focus on this important issue. The inclusion of decibel monitor disclosure is an interesting addition, and it will be interesting to see how it impacts guest expectations and host practices related to noise levels in rentals.
Analyst: Carlos Rivera, Principal Advisory Director – Security & Privacy