In the age of rampant AI development, data protection laws are no longer a tick-box exercise but a cornerstone of responsible technology usage. The GDPR is undoubtedly the leader in this movement. Until recently, however, the legislative landscape in Canada had been relatively uneventful for years. Quebec is now shaking things up! Its recently enacted Law25 has become a significant part of the global paradigm shift towards enhanced data protection. See here for a comparison of Law25 and PIPEDA. While it is undoubtedly an important development for consumer privacy, what does it mean for technologies like ChatGPT and the broader AI industry?
Law25
For context, Law25 aims to bolster the protection of personal data in Quebec by imposing stringent requirements on how data is collected, used, stored, and transferred. One notable feature is the Privacy Impact Assessment (PIA), a mandatory evaluation tool that organizations must use when handling personal data in certain ways and contexts. Another is the set of stringent rules concerning cross-border data transfer, which require that data leaving Quebec be protected to a standard equivalent to that within the province.
What Does It Mean for ChatGPT?
ChatGPT, like many AI technologies, relies heavily on data for functioning and improvement. Since this training data has been scraped from the internet, it inevitably often includes personal information from Quebec citizens that could identify individuals, thereby falling under the purview of Law25. This novel use of personal data for training or fine-tuning an AI model is arguably in violation of Law25, insofar as the data of Quebec residents is concerned, since the information obligations the law imposes on companies before collecting and using personal information have not been fulfilled, let alone the consent requirements met. To be clear, just because data is publicly available on the internet does not mean it is not personal information protected under Law25.
Furthermore, training or fine-tuning AI models can lead to data memorization by the model, meaning the personal information contained in the data may be unpredictably spewed out in production. Law25 is unclear about whether the right to be forgotten applies to AI models, but a case can be made to that effect. Here is what the law says:
- 28.1: The person to whom personal information relates may require any person carrying on an enterprise to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means, if the dissemination of the information contravenes the law or a court order.
We can interpret this to mean that if an AI model discloses personal information contained in the training or fine-tuning data without the consent of the individual and thus in contravention of the law, it disseminates that information and the right to be forgotten applies. In light of the technical impossibility of deleting specific data from a model, such a request could only be met by implementing filters that prevent the specific data from being reproduced in the model’s output, or by re-fine-tuning the model on data that does not contain personal information.
Another impact of Law25 for generative AI tools comes into play when users start engaging with them. Here again companies have to meet detailed information obligations, e.g., they must inform users of the purpose of processing the personal information users may input into the tool, the users’ rights associated with the processing, such as access requests, and the fact that the data may be communicated outside of Quebec. Detailed guidance on how to meet these information obligations is still in the works by the regulator, but it seems to require a mix of a solid Privacy Statement and information provided upon signing up for the services, i.e., before any data is collected.
Furthermore, given that ChatGPT engages in real-time dialogue with users, there will often be instances where data travels across borders. Law25 mandates that businesses conduct a thorough assessment of the destination jurisdiction’s data protection measures. So, if the data center of the ChatGPT service resides outside Quebec, it must meet the rigorous standards laid out by Law25.
The AI Industry at Large
The ramifications of Law25 are not just confined to conversational AI platforms. AI systems used in healthcare, finance, and other sectors often process sensitive personal data, such as health records or financial data. These sectors, too, must heed the new cross-border data transfer regulations and employ PIAs to gauge the impact of their data handling practices (download a PIA template here). We recently scrutinized Salesforce for its Law25 compliance, for example.
Moreover, businesses that rely on third-party AI services for functionalities like recommendation engines or predictive analytics should be especially vigilant. Law25 insists on contractual obligations that bind data recipients to offer data protection levels equivalent to those in Quebec. Thus, businesses must scrutinize their contracts with third-party providers to ensure compliance.
Challenges and Opportunities
The complex framework of Law25 presents challenges, most notably in cross-border data transfers and the continuous reassessment of data protection laws. However, challenges often bring opportunities. Complying with Law25’s rigorous standards could make a company an attractive choice for privacy-conscious consumers, thereby serving as a valuable selling proposition.
How Private AI Can Help
Training or fine-tuning AI models on data including personal information is often unnecessary. One example would be using traffic data to train a model that predicts the best route to take and an ETA. In this case, the utility of the data is not diminished if it lacks detailed addresses. What’s important is that on Highway 401 a vehicle tends to travel at a certain speed at a certain time of day, for example. In cases where personal information is crucial for the model to learn how such information is used in natural language, synthetic data will often serve this purpose just fine. In light of the challenges around informing individuals of the use of their data for AI model training purposes and obtaining consent, where required, the risks will often outweigh the benefits.
While navigating the intricacies of Law25, companies may find the task of redacting personal information daunting. This is where privacy-enhancing AI solutions, such as Private AI’s redaction software, can prove invaluable. With unparalleled accuracy, the software can automatically identify and redact personally identifiable information, protected health information, and payment card information—greatly facilitating Law25 compliance.
The same considerations apply, to a great extent, to the processing of an individual’s prompt provided to ChatGPT. Private AI’s PrivateGPT can demonstrate that perfectly useful responses can be generated without including personal information. Using this technology helps meet the data minimization principle, facilitates PIAs because less personal data is involved in the processing, and eases cross-border data transfers as no personal data needs to be transferred.
Final Thoughts
Law25 has set a new benchmark for data protection in Canada, compelling the tech industry to adapt and evolve. While compliance might seem like an uphill battle, especially for emerging technologies like AI, it’s a necessary one. As we continue to stride into a future increasingly commanded by data, these stringent regulations may just be the steppingstones to a more privacy-centric digital world where responsible data use becomes so common in software development that it’s like breathing.
So, if your AI venture is looking to venture into Quebec, remember, Law25 is not a roadblock—it’s a signpost directing you toward responsible data use.