While companies wait for Parliament, many are choosing the most advanced, and strict, international regulations to abide by
Tech companies which had eagerly been watching them wind through Parliament were then faced with the reality that for these bills to become law, they would have to be reintroduced and go through readings and debate once more or be reinstated at their previous stage through unanimous consent of the House or a motion to that effect.
“It’s another kick down, right?” said Will Christodoulou, co-founder of Toronto-based fintech startup Cyder.
“It’s going to have to get reread in Parliament and going to have to go through all those processes again … but it’s like, when is that going to be?”
While companies wait for Parliament to reconvene and then decide which bills to revive, many say they are choosing the most advanced and strict international regulations to abide by.
In most cases, those regulations come from Europe.
“A lot of things they do, we typically would just copy,” Christodoulou said.
Patricia Thaine, the co-founder and chief executive of data protocol firm Private AI, agreed.
GDPR is an expansive piece of legislation that requires anyone handling the data of EU citizens or residents to only keep personally identifying information for as long as necessary and ensure any processing prioritizes security, integrity, and confidentiality.
Violating the law comes with high penalties that max out at the higher of (euro)20 million or four per cent of global revenue. Users also have the right to seek compensation for damages.
The bill would have created three new acts rooted in consumer privacy, data protection and AI guardrails. Increased fines for certain serious contraventions of the law would be the higher of five per cent of gross global revenue or $25 million.
Thaine said she saw value in Bill C-27 because PIPEDA fines are “pretty low, so there isn’t that much incentive for companies to actually comply with data protection regulations.”
“It’s a pretty outdated legislation that we’re dealing with here and I worry as a Canadian about what data-handling practices are out there for the data that we provide to companies,” she said.
She also saw it as important for the country to offer direction around AI.
“Not having an AI legislation itself just really lets companies decide for themselves what it is that they need to do, which … can lead to certain questionable decisions,” she said.
PIPEDA is “not as modern as we would like it to be” but “it’s still something that works,” he said.
The federal government also has a voluntary AI code of conduct any organization can sign. Signatories promise to outfit their AI systems with risk mitigation measures, use adversarial testing to uncover vulnerabilities in such systems and keep track of any harms the technology causes.
Then, there are the provinces filling in the gaps. Guilmain pointed to Law 25 in Quebec, which requires organizations to have privacy officers, report privacy breaches and increase transparency and consent required to collect personal information.
The law can be used as a reference for organizations who were watching Bill C-27 along with Bill C-26 and Bill C-72.
Bill C-26, which made it all the way to the Senate before it was amended and sent back to the House of Commons, would have boosted cybersecurity requirements for federally regulated industries.
Bill C-72, which made it to its second reading at the House of Commons, would have made it easier for information to be securely shared between health care providers, patients and tech firms offering medical services.
Robert Fraser had his eye on the interoperability bill because his Vancouver-based firm, Molecular You, offers personalized health assessments that often rely on medical data.
Interoperability has long been “a challenge” in Canada, especially when the country is compared with the United Kingdom and United States, where Fraser has observed more progress.
“Time doesn’t seem to matter so much in Canada. We take a leisurely pace,” he said.
“I’m sure politicians are working very hard and lawmakers the same, but it’s frustrating, I think, to an industry that really wants to get things done. We don’t have all the time in the world.”