Canada: A Canadian perspective on privacy implications of autonomous vehicles
Autonomous vehicles ('AVs') have been described as being capable of gathering and communicating huge swaths of information about the vehicle, its occupants, and non-users (e.g. pedestrians). However, vehicles that leverage mass amounts of data to automate driving processes might be better viewed as robots because they can make decisions without an individual's explicit input.[1] As consumer interest and demand for these vehicles grows across Canada, companies operating in this space need to understand their obligations for protecting privacy interests related to the data they handle. Further, as Canada's approach to regulating privacy evolves to include automated decision-making ('ADM') systems and artificial intelligence ('AI'), it may be prudent to take recent trends from other jurisdictions into account. Ellie Marshall, Associate at Blake, Cassels & Graydon LLP, discusses these regulatory issues and the privacy implications of autonomous vehicles from a Canadian perspective.
Technology, AVs, and emerging challenges
Vehicle technology is rapidly evolving. Estimates suggest that there are already well over 200 million internet-connected cars in operation today. Truly autonomous self-driving may be some years away. Most new cars, however, are equipped with advanced capabilities that employ multiple sensors to assist drivers in several ways. For instance, many cars on the road today can navigate blind spots with cameras, provide optimised routes with AI, or even identify distracted driving with facial recognition software. As these technologies continue to develop, many jurisdictions have identified significant opportunities for innovation, investment, and growth.
Crucially, all these advancements depend on regulatory frameworks that permit car manufacturers to collect and share huge amounts of information about the vehicle, its surroundings, its drivers, and its occupants. However, the new types of information these vehicles might be capable of collecting raise complex and intersecting issues for data governance and data ethics frameworks. For example, an AV equipped with sensors to monitor the driver and occupants may collect very sensitive biometric data that is unique to each individual, such as fingerprints, iris scans, and facial arrays. Other sensors might scan the external terrain and capture images of the road infrastructure, surrounding vehicles and pedestrians, requiring retention and processing of information about non-users and third-parties. Another function might enable vehicles to share information with one another, the manufacturer, or traffic safety regulators to optimise traffic flows, creating new data interoperability questions and with it, new potential cybersecurity attack surfaces.
With these capabilities, personal vehicles, once a symbol of freedom and escapism, have the potential to become highly monitored spaces that offer companies monetisable insights into transportation patterns and trends, and law enforcement the opportunity to collect new types of information about individuals. It is not surprising then that, according to a 2019 survey conducted by Transport Canada, there is a relatively high level of concern among Canadians about how AVs will impact their privacy.[2]
Although the regulation of AVs is in its infancy in Canada, policy statements from government stakeholders across the country make clear that privacy and cybersecurity will be at the forefront of their regulatory efforts. As Canadian privacy law reform efforts remain in flux[3], manufacturers and other companies operating in the space can prepare to enter the Canadian market by building privacy considerations directly into their vehicles. This Insight highlights key privacy concerns with these systems, explores the application of existing Canadian privacy laws to AVs, and identifies regulatory trends likely to impact AVs.
What Canadian laws apply to data generated by AVs?
Due to Canada's federal government system, the regulation of both motor vehicles and privacy is somewhat fragmented. Simplistically, whether vehicles can be imported to Canada is regulated at the federal level, and whether a vehicle can be operated on a public road is generally regulated at the provincial level. Currently, only a handful of provincial governments have policies or regulations in place to establish pilot programs to permit AV testing.
Unlike jurisdictions like Japan or Germany, there are no specific statutes or regulations at the federal or provincial level that expressly regulate AV-generated or shared data, such as trip data, safety event data, or driver availability data. Instead, where the information generated by a vehicle and collected by a manufacturer (or other entity) is not strictly about the car itself and can be associated with an individual, the data will likely constitute 'personal information' and be subject to a patchwork of Canadian private sector privacy laws.[4]
For constitutional reasons outside the scope of this Insight, privacy in the private sector in Canada is regulated at both the federal and provincial level. At the federal level, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5[5] ('PIPEDA') applies to all private sector organisations collecting, using, or disclosing personal information in the course of commercial activities. In addition, three Canadian provinces, Alberta, British Columbia, and Quebec, have enacted provincial-level private sector privacy legislation that applies to the collection, use, and disclosure of personal information by private sector organisations within those provinces. These include Alberta's Personal Information Protection Act, SA 2003 c P-6.5[6] ('the Alberta PIPA'), British Columbia's Personal Information Protection Act, SBC 2003 c 63[7] ('the BC PIPA'), Quebec's Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1[8] ('the Quebec Act'), and to the extent a database of biometric identifiers is established, Quebec's Act to Establish a Legal Framework for Information Technology, c. C-1.1[9] ('the Quebec Information Technology Act').
What privacy issues do AVs raise?
At their core, private sector privacy laws in Canada are intended to balance the potential harms to an individual's autonomy and dignity from the collection, use, and disclosure of personal information in the course of a commercial organisation's legitimate business activities. In submissions to the Standing Senate Committee on Transport and Communications[10], the Privacy Commissioner of Canada, Daniel Therrien, identified that AVs are fundamentally capable of limiting or restricting individual autonomy. To demonstrate the potential impact to privacy interests, consider the known issues raised by three types of data collected by AVs:
- Location Data: Information generated by AVs for navigational purposes or vehicle safety-related record keeping obligations could be capable of generating precise, comprehensive records of users' movements, habits, behaviours, and associations. This type of precise location data can be very challenging to fully anonymise and the potential impacts of sharing this information are well documented. Manufacturers should be aware that the Supreme Court of Canada ('SCC') has confirmed that individuals have legally protected privacy interests in personal information that might seem innocuous on its own, but when combined with other information can reveal intimate details about the individual.[11]
- Biometric Data: Systems which require tracking a driver or occupants to ensure AVs are operated safely, or to provide benefits, such as remembering preferred settings, are likely to require collecting immutable individual identifiers, such as iris scans or facial arrays. Like location data, this information is highly sensitive because it is necessarily unique to each individual, stable over time, and distinctive. A recent Joint Investigation by Canadian Privacy Commissioners into a company's non-consensual use of facial recognition technology emphasised that biometrics are intrinsically private in nature; their use is likely to continue to be scrutinised.[12]
- Driving Data: AVs may be required by traffic safety regulations to share information about the vehicle's relationship to road infrastructure with regulators or with other private entities to enable certain features, which could reveal the driver's and occupants' behaviour and preferences. This data might also capture information about third parties like pedestrians. Further, data created by AVs to support the driver's operation of the vehicle could have endless uses in other contexts, such as to set insurance premiums, enforce driving rules, assist employers with monitoring fleets, and even to promote other products to individuals and groups of users. While these data collection capabilities may generate significant benefits for users and manufacturers alike, these benefits must ultimately be balanced with the potential privacy harms to individuals and groups of individuals. In the case of pedestrians, manufacturers should note that the SCC has also confirmed that individuals have a right to privacy, even in very public places.[13]
How can AV companies prepare to meet current Canadian privacy law obligations?
Like other international data protection laws, Canadian private sector privacy laws are based on fair information principles.[14] Canadian privacy laws also provide an overall limitation that personal information only be collected, used, and disclosed for "purposes that a reasonable person would consider are appropriate in the circumstances". This overriding 'reasonableness standard' applies to all collection, use, and disclosure of personal information, even if the individual has consented to it. Therefore, AV companies should carefully design vehicle data collection capabilities at the outset, to ensure no more personal information than is necessary is collected, used, and disclosed.
As noted by Privacy Commissioner Therrien in his submissions to the Senate, the principle of individual consent remains the central tool under Canadian private sector privacy law to protect individual autonomy. However, due to the complex design of AVs, individuals may be unable to make informed choices about how their personal information is handled. Meaningful consent processes should take into account the consumer's perspective to ensure that they are user-friendly, and that the information provided is generally understandable from the point of view of the organisation's target audience(s).[15]
Individuals should be offered real choices for managing how personal information is handled, such as the ability to toggle off certain sensors or request deletion of certain user histories, and be presented with clear options to say 'yes' or 'no' when providing consent. Additionally, it may not be possible for a company to obtain necessary consent from all involved parties, such as pedestrians whose images are captured by cameras. Manufacturers should consider automatically deleting or de-identifying this information soon after it is captured to reduce potential risks to these third parties. The Commissioner also recommends AV companies use a variety of communications strategies - including 'just-in-time' notices, interactive tools, and customised mobile interfaces - to explain their privacy practices.
Further, under Canadian privacy laws, organisations must be accountable for the personal information in their possession or custody, including information transferred to third parties. The Privacy Commissioner interprets this obligation broadly to include building privacy protections into the very design of a product or service:
“Privacy cannot be an after-the-fact consideration in the Connected Car; it would likely be very difficult (and costly) to re-design a system if a fundamental flaw is identified shortly before production, let alone once cars are already on the road.”[16]
Finally, with the rise of cybersecurity threats across the world, Canadian consumers expect that their personal information will be safeguarded against unauthorised access, theft, and loss. AV companies that are subject to private sector privacy legislation in Canada must comply with mandatory breach reporting obligations, which require notification to privacy regulators, as well as individuals where there is a real risk of significant harm to individuals. In addition to costs incurred from cybersecurity incidents themselves, preparing these notifications can be very expensive for organisations who are not covered by adequate insurance or prepared with a comprehensive cyber incident response plan.
What changes to Canadian privacy laws should AV companies anticipate?
AV companies should be aware that privacy law is currently undergoing a period of significant reform in Canada. Motivated by developments in other jurisdictions, consumer frustration, and political interests, many jurisdictions across Canada are in the process of amending their private sector privacy law frameworks. Importantly, early indications suggest that these reform efforts will likely bring ADM and AI systems within the scope of private sector privacy laws.
For instance, Quebec recently adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which makes significant amendments to the Quebec Act. Among other changes, the amendments include new rules that require organisations to inform individuals if a decision about the individual is based exclusively on automated processing. Additionally, organisations must comply with an individual's request for the personal information that was used to make the decision and the reasons for the decision. Individuals also have a right to have the personal information used by the ADM system corrected. These new obligations will come into force in September 2023.
A new federal proposal to reform PIPEDA is also expected imminently. Although the highly anticipated Bill C-11, for the Digital Charter Implementation Act, 2020 died on the order paper when the federal election was called in September 2020, it is expected that similar amendments will be introduced to bring federal private sector privacy regulations in line with the Quebec Act and with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). It is expected that the new proposals will address transparency requirements that apply to ADM systems, requiring businesses to explain how such systems are utilised. Further, Bill C-11 proposed rules governing how and when de-identified information derived from personal information may be created, used, and shared. AV companies operating in Canada should begin to prepare for the types of enhanced obligations and penalties previously proposed under Bill C-11.
Privacy Commissioners in Canada do not currently have strong enforcement powers. In Europe, fines for non-compliance with the GDPR are potentially significant, up to €20 million or 4% of a company's total global turnover. In Quebec, the amendments from Bill 64 provide for penalties similar to those provided for under the GDPR. Canada's other Privacy Commissioners are all pushing for stronger enforcement powers, including the ability to directly levy administrative monetary penalties, issue binding orders, and initiate investigations.
Given that vehicles can cross provincial boundaries and international borders, AV companies that operate in the Canadian market will need to consider how to meet obligations under multiple privacy laws. Starting early in the design process, keeping a close eye on regulatory developments, and directly involving stakeholders to address concerns about privacy and data protection are critical steps organisations can take to reduce the burden of this type of compliance project.
Ellie Marshall Associate
Blake, Cassels & Graydon LLP, Toronto
1. See: https://assembly.coe.int/LifeRay/JUR/Pdf/DocsAndDecs/2020/AS-JUR-2020-20-EN.pdf
2. See: https://epe.lac-bac.gc.ca/100/200/301/pwgsc-tpsgc/por-ef/transport_canada/2019/073-18-e/AV_POR073-18_FinalReport_EN.html
3. See: https://www.blakes.com/insights/bulletins/2022/canadian-privacy-law-2021-year-in-review
4. Personal information is defined very broadly under these laws as "information about an identifiable individual".
5. See: https://laws-lois.justice.gc.ca/ENG/ACTS/P-8.6/index.html
6. See: https://www.alberta.ca/personal-information-protection-act.aspx
7. See: https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/03063_01
8. See: http://www.legisquebec.gouv.qc.ca/en/document/cs/P-39.1
9. See: http://www.legisquebec.gouv.qc.ca/en/document/cs/C-1.1
10. See: https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2017/parl_sub_171122/
11. R v Spencer, 2014 SCC 43.
12. See: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2020/pipeda-2020-004/
13. R v Jarvis, 2019 SCC 10.
14. See: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
15. See: https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2017/parl_sub_171122/