The problem is that security is often an afterthought. In the EU, when you plan a new project / new product, you have to involve the companies Data Protection Officer at the planning stage, and what they say goes (they also have employment protection, they cannot be fired or penalised for raising security or data protection concerns during the time of their tenure or for 4 years thereafter - i.e. if they make unpopular decisions, thus keeping the company on the straight and narrow, but annoying senior management, they can’t be picked on or fired for doing their job).
In the past I’ve seen enough projects, where the aim is to get it off the ground and running, with little or no thought to data protection or even basic security - testing for SQL-Injection (security 101 since the turn of the century) is beyond most project teams I’ve dealt with - in one case, I pointed out their eShop had a SQL-Injection vulnerability during testing, they weren’t interested, even after I sent a list of customer data to them; in the end, I just did a “DROP DATABASE;” on them, now that got their attention!
AI has a lot of areas where it is hard to test, therefore it needs to be doubly certain that it is doing what it should and not straying from its mandate - just look at how lousy facial recognition has been, especially on non-Caucasian males. Big IT is its own worst enemy, when it comes to actually following the laws around the world and in many cases, it is cheaper to keep breaking the law than to comply - Facebook was caught doing something illegal in Russia a couple of years back, what exactly escapes me, but the maximum fine was around $15,000 US, so it was cheaper to keep paying the fine every few months than to actually set programmers to deal with it and the corresponding drop in ad-revenue.
The same thing seems to be the case in Canada currently, my reading of the article is that the only recourse open to them was to tell the real estate company not to do it again. It is like the old joke about English Bobbies (police officers), only armed with truncheons, when a robber runs away, they shout “Stop! Or I’ll shout stop again!”