Machine Learning Requires Training on Massive Data

Generative artificial intelligence enables a user to input his or her requirements; AI, in turn, will output content, such as articles, data, and images. For generative AI to be effective, supervised and unsupervised learning is required. This machine learning may sometimes intrude into a person’s privacy, which leads to claims for damages and injunctions.

Claim: Intrusion on Privacy

Numerous ongoing litigations exist against generative artificial intelligence providers, especially in the United States. Dinerstein v. Google was a case decided in July 2023 by the US 7th Circuit Court of Appeals out of Chicago. In this case, Google and the University of Chicago agreed for the former to train its generative artificial intelligence by using the patients’ data from the University’s Medical Center. The goal is to predict patients’ future medical needs, improving health care and reducing costs. Such machine learning requires massive medical data. The identifying information was anonymized before the data were handed over to Google. In addition, in their Data Use Agreement, Google agreed not to connect these data in any way with its existing data harnessed from the patients.

Mr. Matt Dinerstein stayed at the University of Chicago Medical Center during the same period when the patient’s data were collected for this research. He alleges that his identity was identified, and thus, the privacy of his medical record was intruded upon.

7th Circuit Court of Appeals Decision: Actual Damages Lacking

The US 7th Circuit Court of Appeal considered the emergence of generative artificial intelligence and its potential “intrusion upon seclusion,” which is a developed concept of wrong in US law. During the plaintiff’s two stays at the hospital, in addition to the medical data harnessed by the hospital, he also carried a mobile device with Google apps. The plaintiff claims that even if the data supplied to Google has been anonymized, the combined data that Google possesses would allow Google’s AI to identify him easily and, therefore, to know details about his medical conditions. Because of this intrusion on his medical privacy, the plaintiff asked the court to award him damages and to impose an injunction to prevent future harm.

The 7th Circuit Court of Appeals found that there is no evidence that the plaintiff’s identity and his medical data were intruded upon: the process to remove personal information, combined with the Data Use Agreement, which prohibited Google from connecting the medical data with other person information that Google harnessed, was deemed to be sufficient. In addition, because the plaintiff could not itemize the economic damages he claimed, pursuant to US federal law, his claim was dismissed. His claim for an injunction was dismissed because the potential intrusion on patients’ privacy was not considered imminent,

Intrusion on Privacy: New Wrong in Canada Since 2012

The Ontario Court of Appeal recognized the new civil wrong of “intrusion upon seclusion” in Jones v. Tsige in 2012 as a new civil wrong. The plaintiff and defendant worked at different branches of the Bank of Montreal; the defendant was in a common law relationship with the plaintiff’s ex-husband. Over a period of four years, the defendant accessed the plaintiff’s personal information stored in the bank’s database; that information was never made public. The plaintiff claimed damages for the intrusion of her private information.

The court set out the test of this wrong to be the following:

1. The intrusion must be intentional;

2. An invasion of the plaintiff’s private affairs must have occurred; and

3. In the eyes of a reasonable person, such intrusion is “highly offensive, causing distress, humiliation or anguish. Proof of harm to a recognized economic interest is not an element of this wrong”.

The above test shows that Canadian case law takes a different approach, and if this test were applied to the facts in the Dinerstein case, his claim would face the difficulty that there is no indication that Google intentionally intruded upon his medical privacy to the contrary, the University and Google specifically agreed to ensure anonymity to prevent intrusion.

One factual question is, however, using generative AI, especially in unsupervised machine training, can there be a sufficient safeguard against intrusion upon the privacy of a consumer, a patient, a transit user or simply anyone? The US 7th Circuit Court recognized that “Google possesses a wealth of data about most, if not all, Americans”; the same is true for Canadians. If the safeguard is insufficient or ineffective, an intrusion can easily happen. The Ontario Court of Appeal’s reasons required a test by a reasonable person’s view to examine whether such intrusion is offensive, causing distress… and indeed, intruding into one’s medical record or other aspects of his or her private life can often be offensive, humiliating and stressful.

BC Legislation: A Different Approach to Protect Privacy

In an August 2023 decision, ICBC v. Ari, the BC Court of Appeal considered a similar fact pattern as in the Ontario case of Jones v. Tsige. In the Ari case, an Insurance Corporation of BC employee used work computers to access others’ driver’s license information, including their home addresses; she then sold that information to third parties, which resulted in the plaintiff being targeted.

The BC Privacy Act provided a different test than that in Dinerstein or Jones v. Tsige: the BC Court of Appeal confirmed that the following must be met:

A. When considering whether invasion of one’s privacy has occurred, a factual “consideration of the context, including the nature, incidence, and occasion of the act, the relationship of the parties, and degree of privacy to which a person is entitled.”  and a judge has wide discretion in considering the facts.

B. “The requirement that the breach of privacy be wilful and without claim of right limits the scope of potential liability.” In the Ari case, selling Ari’s personal information for “criminal purposes” was willful – as in Jones v. Tsige. An interesting question arises when generative AI breaches one’s privacy: can humans behind Google be held liable for such a breach? In the Ari case, the BC Courts found that the insurance employee’s accessing Ari’s data was sufficient reason to hold the employer, ICBC, vicariously liable because “ICBC materially created the risk and provided the opportunity for this employee to commit the wrong and the employee’s conduct was sufficiently related to her authorized duties to justify the imposition of vicarious liability. Policy reasons support the imposition of liability.”  This logic indicates that AI creators bear the potential risk of insufficient safeguards against intrusion by AI machine learning.

Similar to the ONCA case, the BC Court of Appeal confirmed that the Privacy Act does not require proof of actual damages. In addition, Ari’s class action for breach of privacy was also confirmed.

In comparing the two 2023 decisions by the US 7th Circuit and the BC Court of Appeal, both bearing on the invasion of privacy, the latter goes straight into the heart of this wrong: the facts related to the intrusion.

What if the BC test is applied to the Dinerstein case, where an inpatient plaintiff claimed an invasion of his medical record privacy? Using the discovery process, actual invasion into his data may be discovered, especially due to the nature of generative AI. The danger of unsupervised AI goes beyond the invasion of privacy, as it may threaten every aspect of a person’s online information, such as one’s genetic ancestry, dietary habits, and fitness routine. In that sense, intrusion into privacy, whether wilful or reckless, can potentially be found. The none requirement of proof of actual damages in an invasion of privacy claim best addresses this wrong, as it was difficult to quantify the economic losses of Jones and Ari, as in the case of Dinerstein. Justice Sotomayor’s dissenting (and minority) opinion in Thole v. U.S. Bank stated the Anglo-American common law approach to allow the lawsuit to proceed even when a (contractual) right is infringed upon, although damages are difficult to quantify.

Contact Vancouver Commercial Litigation Lawyer Roland Luo For Advice on Damages and Injunction Matters

Roland Luo provides clients extensive experience in complex, multi-dimensional commercial litigation cases. Located in Vancouver, Roland Luo proudly serves diverse communities and clients across British Columbia, Canada, and the U.S. To schedule a confidential consultation with a skilled commercial litigation lawyer, contact the firm online or call 604-800-4628.