A core tenet of any strong data security program is a deep understanding of the organization's data and systems and how they are regulated. As automated decision-making (ADM) and artificial intelligence (AI) become more commonplace, organizations should be aware of how much their existing applications involve these systems and how they are regulated. Currently, ADM and AI systems are primarily regulated under data protection legislation to the extent that they process identifiable information. Given increased attention on the potential harms and unintended consequences associated with ADM and AI, some jurisdictions are in the process of regulating or have signalled an intention to regulate ADM and AI directly.

Below we summarize five key developments in efforts to regulate ADM and AI:

  1. On September 21, 2021, the Quebec National Assembly adopted Bill 64 to reform public- and private-sector privacy laws. Individuals must now be informed if a decision about them is based exclusively on automated processing. They can also request personal information used to make the decision and correct personal information in the ADM system.
  2. As part of its Digital and Data Strategy, the Government of Ontario issued a white paper outlining proposals for standalone private-sector privacy legislation. The proposals, if introduced as law, would create new obligations on the use of AI like those introduced in Quebec and prohibit the use of children's data for AI.
  3. Bill C-11, the federal government's proposed legislation to reform private-sector privacy legislation, died on the Order Paper with the 2021 federal election. The bill would have required organizations that use ADM systems to inform individuals of how these systems work. If privacy reform legislation is tabled again, it will likely contain similar requirements.
  4. The European Union has proposed legislation to regulate AI with substantial compliance obligations. The framework would prohibit certain applications of ADM and AI and would apply to Canadian businesses that operate ADM or AI systems in the EU, on EU subjects or where the system output is based in the EU. Infringement penalties could be up to six per cent of worldwide annual revenue.
  5. So far in 2021, general AI bills or resolutions in the U.S. have been introduced in at least 17 states and adopted in Alabama, Colorado, Illinois and Mississippi. These regulatory efforts include establishing review committees to advise on ADM and AI, restricting use of these systems in the public sector and insurance industry, and targeting applications such as using AI in recruitment videos. No national framework has been proposed.

© 2020 Blake, Cassels & Graydon LLP.