Associate Professor Karen Louise Smith is urging legislators to ensure the protection of Canadians’ biometric data in the Protecting Privacy and Consumer Data Act (Bill C-36).
The first reading of the Protecting Privacy and Consumer Data Act (Bill C-36) in the House of Commons has reignited public conversations about artificial intelligence (AI) deepfakes, surveillance pricing and other ways technology platforms use private data from Canadians.
For data and privacy expert Karen Louise Smith in Brock University’s Department of Communication, Popular Culture and Film, the brief definition of biometric information in the bill’s current text doesn’t adequately address the risks associated with this type of information.
Biometric data includes any physical or behavioural information that can be used to identify someone, including a fingerprint, their facial structure or a voiceprint. Even a person’s gait or brainwaves can be extracted and used for identification.
With these and many other forms of biometric data being captured by technology firms daily, Smith says many people are unaware of how this identifying data can be used and why it is so important to protect it.
“While Bill C-36 lists biometric data as sensitive, I was surprised that it didn’t receive much attention in the draft bill,” Smith says. “The current language also lacks specificity around the forms of data from which biometrics can be derived.”
Clear definitions and regulatory guidance are essential to protect Canadians using private services because those services are expected to abide by local laws.
“Various software vendors and companies that process our data will state in privacy policies that data may be considered biometric in some jurisdictions or reference the fact that they comply with data protection legislation in a given region,” she explains. “Therefore, a clear definition is beneficial to the public interest.”
Smith’s work related to privacy and biometrics has focused on the urgent need to treat children’s data as sensitive, which she was pleased to see reflected in the bill. However, she also believes much remains at stake for Canadians of all ages.
“It’s my opinion that we need to be incredibly careful with videos, voice data and also behavioural data,” she says. “It’s reasonable to presume that biometrics could be derived from those formats in many cases. Many businesses position that data as the fuel for smart, AI-powered algorithms.”
Smith says the importance of regulation around biometric data extraction is closely connected to the government’s newly announced AI strategy, which articulates the need for modernizing privacy laws to reflect the risks associated with AI training and usage.
“With Canada’s National AI Strategy: AI for All, the government hopes to set a path towards safe, trustworthy AI that doesn’t perpetuate biases,” she says. “Multiple issues and incidents have shown that AI can be biased in various ways, such as certain kinds of facial recognition technologies that display racial or ability-based biases.”
For Smith, the desire for trustworthy AI is closely tied to how biometric data is extracted and used, especially as more routine tasks at work and in schools involve the collection of video and audio files as well as behavioural data. Many online users, she says, are likely unaware that intensive monitoring of clicks, keystrokes and other digital interactions can be used to identify them.
She says these files can become vulnerable unless legislation requires a high standard of protection due to the data’s sensitive nature.
“Imagine a university student from one of my classes submits their resumé and a five-minute video introduction as part of an application to a company for a summer job,” she says. “If the company’s job application portal gets hacked, my student’s application — including their name, address and a video of them speaking — is potentially part of the data breach. I’m curious to know how regulators will respond to the risks of biometrics being derived from video data that gets stolen by hackers?”
