Privacy & Cybersecurity in Canada and the US
This is a monthly bulletin published by the National Privacy and Cybersecurity team at Fasken. The information contained herein includes noteworthy news, topics, discussions and cases in the privacy & cybersecurity landscape. If you have any questions about any of the topics herein, please reach out to our friendly Fasken Privacy and Cybersecurity team.
This Month’s Noteworthy News
Amendments Introduced to Federal Bill C-27
On November 28, 2023 the Minister of Innovation, Science, and Industry outlined proposed amendments to the Artificial Intelligence and Data Act (AIDA) in correspondence to the Standing Committee on Industry and Technology currently studying Bill C-27. The proposed amendments are substantial and integrate developments previously outlined by the Minister in October. Fasken is preparing a complete bulletin outlining the proposed changes.
“Worrying” Resurgence of Ransomware
As reported in last month’s Noteworthy News, 2023 has seen a reemergence of ransomware and extortion claims, according to Allianz Commercial in a newly released report. Hackers and malicious actors are increasingly targeting physical and IT supply chains, with a notable rise in data exfiltration incidents. According to the report, “analysis of a number of large insurance industry cyber losses shows that the proportion of cases in which data is exfiltrated is increasing every year – from 40% of cases in 2019 to around 77% of cases in 2022, with 2023 on course to surpass last year’s total.”
CISA’s Roadmap for AI
In early November 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) published the “Roadmap for Artificial Intelligence” which serves as a guide for CISA’s AI related efforts “ensuring both internal conference as well as alignment with the whole-of-government AI strategy” and incorporates actions from President Biden’s October 2023 Executive Order on AI.
Senators Introduce Proposed US AI Legislation
On November 13, 2023, a bipartisan group of Senators in the United States, led by Sens. Amy Klobuchar (D-MN) and John Thune (R-SD), introduced the Artificial Intelligence (AI) Research, Innovation, and Accountability Act of 2023. Its purpose is to provide a framework for artificial intelligence innovation and accountability around the use of generative AI.
Ontario Aims to Bring in AI Legislation
On November 14, 2023 the Government of Ontario introduced Bill 149, the Working for Workers Four Act. Amongst other things, if passed, the legislation would introduce amendments to the Employment Standards Act, requiring employers to provide notice of any use of AI in screening of applicants in the recruitment and hiring process. Employers will be required to disclose in job listings if AI is being, or will be used, in the hiring process.
California Issues “Benefits of Generative AI Report"
California released a report entitled “Benefits and Risks of Generative Artificial Intelligence”, which includes a use case analysis for GenAI in the Californian State Government. The Report arises from Governor Newsom’s earlier Executive Order on the topic, and reflects the start of a “multi-year iterative process” to generate and provide guidelines for the use of GenAI tools. The Report provides some early indicators of where the regulatory landscape may move in the future.
Bletchley Declaration
Countries attending the AI Safety Summit held in early November 2023, including Canada, the Unites States, the EU, and China, released the Bletchley Declaration. Amongst other things, the declaration affirms that safety must be considered across the AI lifecycle, and identifies an agenda for addressing frontier AI risk focused on: identifying risks of shared concern and building risk-based policies across participating countries to ensure appropriate safety measures.
Federal Privacy Commissioner Initiates Investigation
The Privacy Commissioner of Canada announced that it has decided to launch investigations into a cyberattack that has resulted in a breach affecting the personal information of federal government personnel who used government-contracted relocation services over the past 24 years.
The investigations will examine the adequacy of the safeguards that the two companies and the federal government had in place to protect the personal information of personnel who used relocation services. Organizations should ensure that all information that they hold is adequately protected, including the personal information of employees.
California Proposes Regulations for Automated Decision Making
On November 27, 2023 the California Privacy Protection Agency released proposed automated decision making technology regulations. The proposed regulations would “implement consumers’ right to opt out of, and access information about, businesses’ use of automated decision making technologies”. The Agency’s Board met on December 8, 2023 to review, and formal rulemaking is expected to follow in the first quarter of 2024. The proposed requirements would impact businesses using these technologies for decisions involving employment, compensation, profiling and tracking, facial-recognition technologies, and behavioral advertising.
Quebec Adopts Regulation Regarding Content of Privacy Policies
The Quebec government has adopted a regulation outlining the specifications for a privacy policy that public bodies must publish when collecting personal information through technological means. This regulation will take effect on January 1, 2024. As Quebec's private-sector companies are also required to publish a privacy policy when collecting personal information via technological means, they might find it beneficial to derive insights from this regulation.
In Case you Missed it!
The Fasken Privacy and Cybersecurity group published the following articles recently, that might be of interest.