On October 31, 2023, The Office of the Information and Privacy Commissioner of Ontario (IPC) announced two resolutions: the (i) Resolution on Artificial Intelligence and Employment (AI Employment Resolution); and (ii) Resolution on Generative Artificial Intelligence Systems (Generative AI Resolution), which it co-sponsored with fellow data protection and privacy authorities at the 45th Global Privacy Assembly.

The AI Employment Resolution addresses, among other things, the importance of implementing data protection and privacy principles in the development and use of artificial intelligence (AI) tools for employment matters, including having an adequate legal basis for AI-related processing of personal data and ensuring that there is transparency and fairness built into the chosen processing approach. The resolution’s sponsoring members also committed to working with organizations to incorporate the considerations outlined in the AI Employment Resolution.

Similarly, the Generative AI Resolution addresses the need for generative AI to be developed and used responsibly with data protection and privacy principles in mind. This led the 45th Global Privacy Assembly to endorse the following data protection and privacy principles as core elements in the development, operation, and deployment of generative AI systems:

  1. Lawful Basis for Processing. Generative AI systems must have a legal basis and be in accordance with applicable legislation.
  2. Purpose Specification and Use Limitation. AI processing of personal data should be carried out for specific, explicit and legitimate purposes that are not beyond an individual’s reasonable expectations.
  3. Data Minimization. The collection, sharing, aggregation, retention and further processing of personal data should be limited to what is necessary to fulfill the legitimate purpose.
  4. Accuracy. Incorporate data governance procedures and technical safeguards to guard against using inaccurate information that could lead to discriminatory, unlawful, or otherwise detrimental consequences.
  5. Transparency. Implement transparency measures to ensure openness around generative AI tools, including providing information on AI training and privacy risks.
  6. Security. Ensure adequate safeguards are in place, including AI-specific security controls.
  7. Privacy by Design and Default. Implement measures that align with the privacy by design and by default principle.
  8. Rights of Data Subjects. Ensure that individuals have the right to be informed about the collection and use of their personal data in relation to AI systems and implement organizational measures that allow individuals to exercise their legal rights.
  9. Accountability. The responsibility of all members of the generative AI model supply chain should be clearly identified and respected, including with regards to national and international compliance obligations.

Summary By: Victoria Di Felice


23 11 15

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.