9 posts tagged with "Data Privacy"

Canada's Bill C-27 is moving through Parliament with two pieces that will affect any company operating AI in Canada: the Consumer Privacy Protection Act (CPPA) replacing PIPEDA, and the Artificial Intelligence and Data Act (AIDA) — Canada's first AI-specific legislation.

The CPPA modernizes Canadian privacy law along GDPR lines. AIDA creates obligations specifically for "high-impact" AI systems, with significant parallels to the EU AI Act's structure. For companies already navigating GDPR and the EU AI Act, the Canadian framework is familiar but has distinct elements.

ISO/IEC 27701:2019 extends ISO 27001 with a Privacy Information Management System (PIMS). It adds privacy-specific clauses and controls on top of the ISO 27001 management system, mapping to GDPR, CCPA, and other major privacy regulations.

For organizations already certified to ISO 27001, adding ISO 27701 extends the existing management system rather than building a new one. The incremental effort is roughly 30–50% of the original ISO 27001 implementation, depending on how mature your privacy practices already are.

For AI systems that process personal data, ISO 27701 is the most rigorous international framework for demonstrating privacy compliance. The EU Commission has indicated that ISO 27701 certification can support GDPR adequacy assessments and serve as evidence of compliance under GDPR Article 5.

The California Privacy Rights Act (CPRA) went into full effect January 1, 2023, amending and strengthening CCPA. Among the most significant additions for AI teams: explicit rights around automated decision-making and profiling — the closest the US has come, at the state level, to GDPR Article 22.

If your AI agents process personal information of California residents, CCPA/CPRA applies regardless of where your company is incorporated. California has approximately 39 million residents and is the fifth-largest economy in the world. Treat it as its own regulatory jurisdiction.

The global privacy regulation landscape has expanded well beyond GDPR and CCPA. India, Australia, and the UAE have all enacted or significantly amended data protection laws in the past three years — each with distinct approaches, enforcement mechanisms, and AI-specific provisions.

For AI agents operating in these markets, understanding the differences matters: a manifest configured for GDPR compliance is not automatically compliant with India's DPDP Act.

The Children's Online Privacy Protection Act has been consistently enforced by the FTC for 25 years. COPPA violations regularly result in the largest per-violation penalties in US privacy law: up to $51,744 per violation as of 2023. For AI systems that collect data from or target content to children under 13, there is no equivalent risk-adjusted situation anywhere else in US privacy regulation.

The FTC has made clear that the "general audience" defense — "we didn't know children were using our platform" — requires demonstrating concrete age-verification measures, not just a terms-of-service statement.

Two US financial privacy regulations updated significantly in 2023: the FTC's Safeguards Rule under GLBA (effective June 2023) and New York DFS's 23 NYCRR 500 cybersecurity regulation (effective November 2023). Both have teeth that the originals lacked — and both attach personal liability to individuals for compliance failures.

If you're a US financial institution, non-bank financial company, or mortgage servicer, and you're deploying AI agents that touch customer financial data, both regulations apply.

Brazil's LGPD (Lei Geral de Proteção de Dados) came into force in September 2020. After a grace period, ANPD (Autoridade Nacional de Proteção de Dados) began issuing enforcement actions in 2023. The fines are real, the investigations are real, and the pattern of enforcement is becoming clear.

If your AI agents process personal data of Brazilian residents — including purchasing behavior, CPF numbers, location data, or any other information that identifies an individual — LGPD applies regardless of where your company is headquartered.

China's data regulatory framework has consolidated significantly since 2021: the Personal Information Protection Law (PIPL), the Data Security Law (DSL), the Cybersecurity Law (CSL), and the CAC's regulations on generative AI, algorithmic recommendations, and deep synthesis. Operating AI in China means navigating all of them simultaneously.

The key difference from GDPR: PIPL's cross-border transfer restrictions have teeth that GDPR's currently doesn't. Moving Chinese personal data out of China requires one of three legal mechanisms — and one of them requires prior government approval.

GDPR Article 22 is the one provision most AI teams misread. It says EU data subjects have the right not to be subject to "a decision based solely on automated processing" that produces legal or similarly significant effects on them.

The common misreading: "our AI only makes recommendations, so Article 22 doesn't apply."

The problem: regulators and courts have steadily expanded what counts as a "significant effect." A loan denial, an insurance quote, a job screening shortlist, a fraud flag that freezes an account — all of these have been held to trigger Article 22 rights. If your AI agent's output feeds directly into a decision that affects a person's access to money, services, or employment, you are likely in scope.