Philippe Dufresne – pre-conference interview

Philippe Dufresne is the Privacy Commissioner of Canada.

From your point of view, what are the priority challenges for data protection & compliance in the years to come? 

Earlier this year, I released a strategic plan that will guide the work of the Office of the Privacy Commissioner (OPC) over the course of my mandate as Canada’s Privacy Commissioner. The plan outlines three strategic priorities: protecting and promoting privacy with maximum impact; addressing and advocating for privacy in this time of technological change; and championing children’s privacy rights.

These priorities emerged from discussions with a wide range of stakeholders, including privacy leaders from around the world, during my first year in this role. The privacy issues and risks that we collectively face as a global society are vast and, at times, can seem challenging. I believe that these three priorities are where the OPC can have the greatest impact, and that these are also where the greatest risks lie if the issues are not addressed.

The need to address the privacy impacts of the fast-moving pace of technological advancement is an issue of utmost importance. This is a key focus area for our organization, especially in the world of artificial intelligence (AI) and generative AI. Whether it is AI chatbots like ChatGPT, Bing or Google’s Gemini, these new technologies have seemingly limitless possibilities, but we need to make sure that the related risks of these privacy impactful tools are addressed appropriately to encourage innovation while protecting the fundamental right to privacy.

How important is international cooperation to address these challenges and ensure data protection and privacy? 

Artificial intelligence is a good example of the importance of international collaboration.

Automated extraction of data from the web is a hallmark of many generative AI models and poses an important risk to privacy, not just in Canada, but to individuals around the globe. Scraped personal information has been used for targeted cyberattacks, identity fraud, creating facial recognition databases, unauthorized police intelligence gathering, unwanted direct marketing and spam.

Amid growing concerns about mass data scraping of online personal information, last year, with 11 other global data protection authorities, the OPC called on the world’s largest social media companies to take steps to better protect personal information. This joint statement brought attention to how mass data-scraping incidents that harvest personal information can constitute reportable data breaches in many jurisdictions. It also demonstrated the importance and impact of collective action.

Building on that, I issued a joint statement on AI with my fellow G7 data protection and privacy authorities last June – the first joint global statement that current privacy laws apply to AI – and last October, the Global Privacy Assembly adopted a resolution on responsible generative AI.

That statement and resolution called on developers and providers of generative AI to embed privacy in the design, conception, operation, and management of new products and services. The possibilities and challenges of generative AI demand a global response to ensure that privacy is considered at the front end, and to address the impacts that these tools could have on individuals, especially on vulnerable groups and children.

Fostering a culture of privacy that advances privacy by design, and adopts privacy by default, will further support and enable responsible innovation. This can best be accomplished through continued collaboration amongst privacy regulators and even across regulatory fields.

Do you observe fundamental changes and evolutions in the domain of personal data protection and its perception? 

In this digital age, many aspects of our lives, from socializing online to shopping, up to and including our democratic rights and the rule of law, have privacy implications. Technology is also at the heart of government service delivery.

The online world brings with it a host of opportunities for connection and creativity, but it also carries potential for significant harm, especially for young people, which is why protecting children’s privacy is another of my top priorities. There are unique sensitivities around ensuring the privacy of youth so that their rights are protected, allowing them to benefit from technology without compromising their privacy and well-being.

This informs why, as one of its priorities, my Office will expand our partnerships to amplify the uptake of our resources, guidance, and advice as it pertains to youth specifically. We will also apply a children’s privacy lens to our enforcement activities and leverage our findings to inform and incentivize organizations to develop products and services with better privacy protections for children.

Individuals everywhere want and need to trust that their privacy rights are being protected so that they can feel confident about participating freely in the digital economy.

Organizations must also adapt to the scale and pace of technological advancements within a regulatory environment that spans many jurisdictions with different laws and standards. This presents additional complexities and challenges for compliance, and further speaks to the importance of international collaboration in this rapidly evolving space.

Why are conferences such as the Privacy Symposium important and how can they support data protection and compliance? 

International cooperation is increasingly important as data knows no borders. Privacy is essential to our democracy, and technology is changing our world in significant ways. Conferences such as the Privacy Symposium are important for international data protection authorities to deepen understanding on issues of mutual importance to us as regulators, as well as being able to hear the perspective of other key stakeholders, from citizens and academics to public and private sector organizations.

This is especially true as we are facing many similar issues – global issues that require broad perspectives and a wide array of expertise and viewpoints. In this sense, common understanding and common rules will help to avoid a patchwork of regulations that make compliance difficult. It will also give citizens peace of mind that their personal information will enjoy similar protections when they – or their data – cross borders.

The Privacy Symposium fosters these kinds of exchanges, providing the space for connections and learning opportunities to face and meet the important challenges of an evolving landscape.

Would you have any advice or recommendation to share with data protection professionals and/or data subjects?

I would encourage stakeholders to consult regularly with regulators. We are here to help. We are here to educate, guide, and provide advice that will prevent problems down the road.

Technology brings great potential and opportunities, but it also has challenges and risks. We all play a key role, and we need to work together in facing the challenges and opportunities, and that is why the conversations that we have about privacy and the protection of data are so important.

Privacy and innovation are not a zero-sum game and, as in so many things, we must reject extremes in either direction. We can and must have both.

For that, there needs to be continued conversation between all involved and impacted sectors. Data protection professionals are a key part of that, as are data subjects. Encouraging dialogue between those parties will only serve to accelerate individuals’ trust in their institutions and the digital economy.

By fostering a culture of privacy, encouraging the use of privacy-by-design principles, and establishing privacy standards, we can promote innovation and also leverage innovation to protect the fundamental right to privacy.