Ignacio Cofone is professor of law and regulation of artificial intelligence at the University of Oxford and an affiliated member of the Quebec AI Institute (Mila). He advised the Office of the Privacy Commissioner of Canada on a previous overhaul of the country’s private-sector privacy law.
Purchase flight tickets and you may pay more than the passenger beside you did for the same flight booked at the same moment. The airline never asked what you earn. It read what people like you paid before and your price followed. This is surveillance pricing, and it runs on inferences: the predictions a company draws about you from data you may have never handed over. Canada’s new privacy bill, C-36, introduced on Monday, is the first to put plainly into law that those inferences are your personal information.
Most privacy laws around the world do not say so. Europe’s General Data Protection Regulation, the global benchmark, never names inference in its definition of personal data, so litigants and scholars spent years arguing over how far its protections extend to what a company predicts. California’s law names it but only when used to build a profile about someone. C-36 goes further and covers any information inferred about you, profile or not. On paper, Canada has written one of the best definitions of personal data anywhere.
But writing inference into the definition also exposes a problem the bill does not solve. The rights C-36 gives you over your personal information were built for data you hand over. Those rights get strained once the information is something a company infers.
The problem is what kind of rights the bill gives you. Access, correction and deletion of information are things you can do one at a time, by asking. You make a request, a company answers, you check a record. Inferences work the other way. They run automatically and without pause, on everyone at once, producing new predictions faster than any person could think to ask about them. Rights that people exercise one case at a time do not scale to a process that runs on a whole population. The bill hands retail tools against a wholesale practice.
Bill C-36 protects inferences about you in particular, but tools such as surveillance pricing do not work on you alone. They work on your type. A model reads thousands of other people, decides which group you fall into and prices you on what that group will pay. The data it used was theirs, so there was nothing for you to refuse and nothing to delete. Your rights of access and correction reach the file with your name on it. They do not reach a pricing model trained on everyone else. The predictions that cost you the most are built from data you have no claim over.
The same gap opens with sensitive information. A company that infers your health from your shopping, or your sexuality from who you follow on social media, collected nothing sensitive. It produced the sensitive facts out of ordinary data. The heightened protections govern how a company handles sensitive data it collected, so a company can still derive information about your health or sexuality from ordinary data and break no special rule in doing so.
Artificial Intelligence Minister Evan Solomon introduces a new privacy bill that would recognize privacy as a fundamental right of all Canadians and set higher standards for organizations when they manage children's data.
The Canadian Press
Two of the bill’s limits do bear down on this, but they fall short. Collection is capped at what a company needs, which leaves less to draw on. But this governs the data that a company takes in, not what a company derives from data it already holds. Automated decisions that carry a legal or significant effect come with a right to an explanation and to put your case in writing for a person in the company to review, which covers some important consequences. But the first comes too early to catch the process before the decision, the second too late.
None of this means C-36 got privacy wrong. It got the important part right, which most laws do not, by saying that what a company infers about you is actually about you. But the work left is to match that recognition with a limit on the act of inferring, a duty a company carries whether or not anyone agrees to it, so the bill’s rules achieve its aims.
The bill is only at first reading and the upcoming committee study can add those limits. The definition is ahead of the field and the obligations have to catch up.