Tech-ing Stock of 2023: Synopses of Key Developments in Technology Law
2023 was generative AI’s breakout year. On the one hand, there was the explosive growth of generative AI platforms, their rapid evolution and acceptance in the operations of businesses (law firms being “honourable” exceptions?) and everyday lives of individuals, as well as strategic partnerships among BigTech companies to stay ahead in the race. On the other hand is the inevitable establishment of regulatory oversight of artificial intelligence (“AI”), a reality that has taken root in Europe, with other parts of the world, including Canada, following suit. Companies that have launched generative AI platforms continue to be deluged with lawsuits, investigations and complaints globally, chiefly for breach of data privacy rights and creative rights.
Stakeholders at the intersection of law and technological innovation have to grapple with this duality, much like the narrator-protagonist in Viet Thanh Nguyen’s debut novel The Sympathizer – a half-French, half-Vietnamese communist sleeper agent who works as a captain in the South Vietnamese army while secretly spying for the North Vietnamese communist regime. His allegiance is to the communist forces, but he greatly sympathizes with his pro-West adversaries. “I am simply able to see any issue from both sides,” he says.
Many other technology law developments hogged the headlines in 2023. This article takes stock of the key developments from Canadian Parliament, courts and regulatory bodies.
Key Legislation
Bill C-27 – Artificial Intelligence and Data Act
The Artificial Intelligence and Data Act proposed in Bill C-27 is Canada’s first legislative framework to regulate AI. In response to stakeholder feedback on the various shortcomings of the framework, the Minister of Innovation, Science and Industry, on November 28, 2023, presented the government’s proposed amendments to the House of Commons Standing Committee on Industry, Science and Technology that is studying Bill C-27. The proposed amendments include a new definition of “artificial intelligence systems” that is aligned with the definition of the Organization of Economic Co-operation and Development, a new definition of “machine learning model” and the classes of “high-impact systems.” Bill C-27 passed second reading in the House of Commons in April 2023 and has been the subject of intense critique by academics, lawyers and entrepreneurs alike.
Bill C-27 – Consumer Privacy Protection Act (“CPPA”)
The Consumer Privacy Protection Act in Bill C-27 will replace Part 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to govern protection of personal information in the private sector, while accounting for the need of organizations to collect, use and disclose such information in the course of their business. The government proposed three amendments to the CPPA: to recognize a fundamental right to privacy for Canadians; to recognize and reinforce the protection afforded to children; and to grant more flexibility for the Privacy Commissioner of Canada to reach “compliance agreements” with non-compliant organizations.
Online News Act
One of the most contentious pieces of law in recent times, the Online News Act (“ONA”) which received royal assent on June 22, 2023, requires large digital platforms (read: BigTech) to enter into agreements with news businesses to compensate them for sharing their journalistic content. After a public consultation process, the federal government published regulations under the ONA on December 15. The regulations, among other things, require platforms to conduct an open call process to solicit news businesses and prescribe what constitutes a fair agreement or equitable distribution within a group of news businesses. The Canadian Radio-television and Telecommunications Commission (“CRTC”) is expected to make regulations concerning the administration of the ONA. The ONA came into effect on December 19.
Meta pulled out of disseminating news on its platforms in Canada earlier in 2023. In an anti-climactic turn in late November, Google struck a deal with the government that will see Google contribute $100 million annually, indexed to inflation, for news businesses, including independent news businesses and those from Indigenous and official-language minority communities.
Online Streaming Act
The Online Streaming Act (“OSA”) received royal assent on April 27, 2023. It amends the Broadcasting Act to make it applicable to online streaming and on-demand services. It adds a distinct class of broadcasting undertakings called “online undertakings” that fall within the regulatory purview of the CRTC. On June 8, 2023, the government announced proposed direction guiding the CRTC in its implementation of the OSA. The direction asks the CRTC to support Canadian creators and creative industries, advance Indigenous storytelling, increase representation of Black, racialized and other communities deserving equity, ensure regulations are fair and flexible, redefine Canadian programs to reflect today’s industry and how Canadian stories are told, and exclude social media creators’ content from regulation. On November 9, 2023, the government issued its final policy direction to the CRTC to guide the regulator on the government’s preferred interpretation of the OSA.
The CRTC, in an attempt to assuage concerns that the OSA regulates user-generated content on social media, clarified that users who upload video or audio content on social media platforms like YouTube, Facebook and Spotify will not be regulated.
Second Phase of Quebec’s Law 25
On September 22, 2023, the second set of amendments in Quebec’s An Act to modernize legislative provisions as regards the protection of personal information, introduced as Bill 64 and sanctioned as Law 25 to Quebec’s Act respecting the protection of personal information in the private sector, came into force. The new obligations include additional transparency requirements, a new regime for the secondary use of personal information, strict obligations on personal information retention and destruction, and new obligations when an automated decision is made using an individual’s personal information. Among the penalties for non-compliance are: administrative monetary penalties for up to the greater of $10 million or two per cent of worldwide turnover from the previous year; penal offences with fines of up to $25 million or four per cent of worldwide turnover from the previous year (whichever is greater); and a private right of action.
Bill C-26 – Critical Cyber Systems Protection Act
The wheels of Bill C-26, which proposes the Critical Cyber Systems Protection Act (“CCSPA”), are moving much slower than expected since its introduction in June 2022. Second reading was completed in the House of Commons in March 2023. But hearings by the Standing Committee on Public Safety and National Security were scheduled too late into the year to see any substantial progress.
The CCSPA proposes to establish a regulatory framework to strengthen baseline cybersecurity for services and systems that are vital to national security and public safety, and also to give the federal government a new tool to respond to emerging cyberthreats. Bill C-26 also seeks a revamp of the Telecommunications Act. The Minister of Innovation, Science and Industry is granted extensive authority under this legislation, including to prohibit telecom companies from using products or services provided by a specific company and remove specific products from its network or facilities. Non-compliance could result in penalties of up to $15 million for a corporation and $1 million for an individual.
Key Court Decisions
Google LLC v. Canada (Privacy Commissioner), 2023 FCA 200
In September 2023, the Federal Court of Appeal, in a reference brought by the Privacy Commissioner of Canada, held that Part 1 of PIPEDA applies to Google’s operation of its search engine since it involves the collection, use or disclosure of personal information for commercial activities within the meaning of paragraph 4(1)(a). Google’s operation of the search engine is, therefore, not exempt for journalistic purposes. The Federal Court agreed with the reference judge’s finding that Google’s search engine responses to a query are ranked in the order that Google considers most relevant to the user, as determined by its algorithms. Hence, Google is agnostic to the nature of the content.
A.B. c. Google, 2023 QCCS 1167
In March 2023, the Superior Court of Quebec ordered Google to pay $500,000 in damages to a Quebec businessman and issued an injunction prohibiting Google from listing any web pages from four specified domains containing the words “A.B.” in its search results displayed to users in Quebec. The lawsuit stemmed from false allegations against the plaintiff who was wrongly alleged to have committed a crime. The allegations were initially posted on a website operated by a third party and subsequently disseminated by Google’s search engine through a hyperlink to the defamatory content.
Canada (Privacy Commissioner) v. Facebook, Inc., 2023 FC 533
In April 2023, the Federal Court dismissed the Ontario Privacy Commissioner’s (“OPC”) application against Meta Platforms Inc. (formerly Facebook Inc.) alleging breaches of PIPEDA. The OPC claimed that Meta’s practice of sharing users’ personal information with a third-party application violated PIPEDA. The OPC had investigated a complaint in light of news reports that the third-party application obtained data through the Facebook Platform and disclosed it to Cambridge Analytica. The Federal Court, however, cited a lack of evidence as grounds for dismissing the application. The court also found that the safeguarding measures of PIPEDA did not relate to protecting information outside an organization’s control.
Appeals Rejected: Setoguchi v. Uber; Owsianik v. Equifax; Winder v. Marriot; Obodo v. Trans Union
In July 2023, the Supreme Court of Canada declined to hear appeals in four significant data breach class actions, namely Setoguchi v. Uber BV, 2023 ABCA 45, from the Alberta Court of Appeal; and Owsianik v. Equifax Canada Co., 2022 ONCA 813, Winder v. Marriott International Inc., 2022 ONCA 815, and Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814, from the Ontario Court of Appeal. The Court of Appeal decisions in these cases now stand as final rulings. The Alberta Court of Appeal rejected the certification of a proposed data breach class action in Setoguchi v. Uber, stating that the appellant’s argument for “baseline” damages of $100 per person without actual harm or negative impact on class members was not legally recognized. In Owsianik v. Equifax, Winder v. Marriot, and Obodo v. Trans Union, the Ontario Court of Appeal determined that a defendant experiencing a third-party hack after collecting personal information cannot be held liable for the tort of intrusion upon seclusion. See our earlier article for the context to the latter three cases.
Key Regulatory Developments
Guidance from Privacy Regulators on Generative AI
On December 7, 2023, the Privacy Commissioner of Canada, in collaboration with all Canadian provincial and territorial privacy regulators, issued the Principles for responsible, trustworthy and privacy-protective generative AI technologies (“Guidance”). The Guidance is applicable to organizations and individuals that determine how a generative AI system operates, how it is initially trained and tested, and how it is used, as well as organizations that use generative AI systems for public or private purposes. The privacy principles outlined in the Guidance are: legal authority and consent; appropriate purposes for collection, use or disclosure; necessity and proportionality in the use of personal information in generative AI systems; openness and transparency; accountability of organizations; process to access or correct personal information contained in an AI model; limiting collection, use and disclosure; accuracy of personal information in AI systems; and appropriate safeguards to protect personal information in AI systems.
Biometrics Consultation
In October 2023, the Privacy Commissioner of Canada launched a public consultation on draft guidance for the use of biometric technologies. The initiative responds to the growing interest of public institutions in utilizing biometrics for faster services and enhanced security. While acknowledging the potential benefits, the commissioner expressed serious privacy concerns in biometric data usage. The consultation targets feedback from organizations and public institutions on the draft guidance, covering areas such as purpose identification, consent, data limits, safeguards, accuracy and accountability. Stakeholders are invited to provide input by February 24, 2024.
PIPEDA Findings # 2023-001 – Home Depot’s Compliance With PIPEDA
On January 26, 2023, the Privacy Commissioner of Canada concluded investigations into Home Depot of Canada Inc.’s compliance with PIPEDA. The findings asserted that the company had disclosed in-store customers’ data to Meta Platforms Inc. without adequate consent. Despite the information not being highly sensitive, the commissioner determined that customers would not reasonably expect such disclosure and recommended that Home Depot obtains express opt-in consent. In response, Home Depot ceased the unauthorized disclosure and implemented the commissioner’s recommendations.
PIPEDA Findings # 2023-002 – Agronomy’s Privacy Practices
On July 31, 2023, the Privacy Commissioner of Canada released findings from its investigation into Agronomy Company of Canada Ltd.’s alleged mishandling of personal information leading to a security breach. The investigation revealed deficiencies in Agronomy’s safeguards, such as the absence of multifactor authentication, network segregation, data encryption, and detection and response tools. Agronomy subsequently enhanced its network security, committed to implementing an incident management plan and addressed privacy policy shortcomings. The commissioner, however, clarified that Agronomy obtained valid consent through a credit application, dismissing the complaint that Agronomy did not obtain consent.
Ontario Securities Commission Report on AI
On October 10, 2023, the Ontario Securities Commission published a report exploring the use of AI in Ontario’s capital markets, encouraging market participants to share feedback through its OSC IdeaHub, a platform to share ideas on how AI is impacting the investment industry, and fostering innovation and economic growth. See our earlier article that examines the report in detail.
Federal Government Plan to Introduce Open Banking Legislation
On November 21, 2023, the federal government announced plans to establish an open banking framework through legislative reforms that regulates authorized third-party access to consumers’ financial data in order for such consumers to receive specific financial services. The initiative, termed “Consumer-Driven Banking,” was introduced alongside the 2023 Fall Economic Statement and Policy Statement on Consumer-Driven Banking. The framework is built on five key elements: governance, scope, accreditation, common rules and technical standards. Anticipating legislative changes, the Department of Finance aims to advance the Consumer-Driven Banking framework by consulting with stakeholders across the country, with the goal of adopting legislation and fully implementing the governance framework by 2025. The launch of Payments Canada’s Real-Time Rail payment system, designed to process payments within seconds, has been delayed. Once launched, the system is expected to transform the payment landscape and facilitate the implementation of open banking.
The Aird & Berlis Technology Group will continue to monitor developments in Canadian technology law through 2024 and beyond. Please contact a member of the group for more information.