- The importance of data-driven technologies in our information economy makes it increasingly urgent for Canada to develop a comprehensive national data strategy.
- Current laws on key issues such as intellectual property (IP), competition, privacy, consumer protection and human rights are not adapted to a context in which data is a resource, and in which important issues cut across existing legal and jurisdictional silos.
- A national data strategy is required to develop innovative policies in the public interest and to avoid the barriers and uncertainties that come from an incremental, wait-and-see approach that evolves in the context of fragmented litigation between well-financed private parties, whose interests reflect only a small subset of the diverse ecosystem that is emerging and evolving around data.
ig data analytics, artificial intelligence (AI) and machine learning are transforming economies and innovation on a revolutionary scale; they are also radically altering the ways in which we understand and regulate society, and allocate goods, services and benefits. These data-driven technologies rely upon huge volumes and varieties of data that are gathered ubiquitously from multiple sources and processed at high velocity. In the smart cities environment, for example, data is gathered from sensors installed and operated by governments (for example, to measure traffic flows, air quality or the consumption of services), as well as by private sector companies under contract with the government. In some cases, data is generated entirely by the operations of private sector actors (for example, traffic data collected by Waze or Uber). Citizens may be voluntary or involuntary sensors: they generate data through the consumption of services, as well as through their use of popular apps for fitness, route planning, driving or navigation, to give just a few examples. Individuals may also gather and contribute data to urban citizen science or public participatory projects. Outside of the smart cities context, data collection tracks almost every aspect of our digital lives, including web-surfing activities, interactions on social media, shopping habits, viewing preferences and so much more. The Internet of Things (IoT) is an “always-on” networked environment in which data is harvested about our activities, thoughts, wants and needs, seamlessly across public and formerly private spaces (such as the home). An insatiable corporate and government appetite for data combined with ubiquitous and unbounded collection drives innovation, yet also creates the potential for risk and harm, ranging from security breaches to discrimination, persecution, and loss of autonomy and dignity.
Citizens may be voluntary or involuntary sensors: they generate data through the consumption of services, as well as through their use of popular apps for fitness, route planning, driving or navigation, to give just a few examples.
The sheer volume of data at issue, its economic importance and societal impacts, reveal the need for a national data strategy. Such a strategy is made all the more imperative by the lack of a cohesive or even a contemporary approach to data in Canadian law. The current regime has yet to fully adapt to data as a resource. And laws designed to protect individuals from exploitation are framed around what were once distinct and siloed issues. For example, we have separate agencies to address what are characterized as human rights, consumer protection, privacy or credit reporting issues, arising in either the public or the private sector. Today, the blurring of public and private — in particular around data — as well as the deeply interwoven challenges raised by big data, AI and machine learning, make it problematic to silo issues in this way. Fragmented approaches complicate and slow responses to problems that are emerging and evolving in real time.
A national data strategy must address the core issues, outlined below, while taking into account the challenges of federalism and international trade. These complexities are not new. For example, in 2001, Canada introduced the Personal Information Protection and Electronic Documents Act (PIPEDA).1 The statute was made necessary by strong data protection measures enacted by the European Union, but it tiptoed around federal/provincial jurisdiction over data protection, giving rise to a complicated patchwork of application. While intermittent rumblings about the constitutionality of PIPEDA have largely abated, and while the law’s constitutionality might be easier to support in our current data context, the statute serves as a reminder of how international trade concerns can drive domestic policy and how the division of powers can prove challenging in addressing issues that arise from cross-border data flows. For a national data strategy to succeed, there is a need for consensus and cooperation at the federal-provincial level.
Ownership of Data
Who owns the data that fuels our data-driven society and what are the limits of any ownership rights? These issues are arising more frequently in case law and in policy discussions, and are complicated by the fact that so much of the data that is used in big data and machine learning has its origins as personal data.
The scope of ownership rights in data is uncertain, although this does not stop companies and governments from asserting them. In Canada, IP law recognizes rights in data in two main contexts — where data is confidential information and protectable as such, and where data is part of a compilation that is eligible for copyright protection.
The laws of confidential information support and protect corporate investments that have led to the generation of data. Nevertheless, in some circumstances, these judge-made laws increasingly butt up against the public interest in disclosure of some information. The importance of data in understanding increasingly complex issues with deep societal effects has led to the recognition of broader rights of access to confidential information in the public interest in some limited circumstances2 and to calls for the recognition of such rights in a growing range of contexts.3
Facts on their own cannot be protected under copyright law, although some case law has begun to sketch out what might ultimately be a legal distinction between facts and data.4 Whether this is an appropriate distinction may be a matter for public policy: the rationale for facts remaining in the public domain is to keep innovation from being stifled by private ownership of the building blocks of knowledge. Copyright law will protect compilations of fact — in theory, this includes databases, so long as they meet the threshold for originality, which requires that a compilation be the result of an “original selection or arrangement” of facts.5 Concerns that this provided too uncertain a level of protection for databases led to the European Union creating a sui generis database right in 1996.6 More recently, there has been talk in Europe about the need to create a data ownership right (European Commission 2017). This embryonic concept presents many challenges, but the fact that it is being discussed indicates that this is an area that may require policy attention. Any new ownership right would have to be carefully delineated, in particular so as not to unduly stifle innovation, or to impede rights to access and use of data in the public interest.
Any “ownership” rights in the form of IP interests must be accompanied by rights of access to serve a multi-faceted public interest. In copyright law, users have fair dealing rights. Debates and discussion about fair dealing are increasingly part of international trade negotiations. How any changes to copyright law — including term extension, technological protection measures and rights of fair dealing/fair use — will impact upon copyright claims relating to data and compilations of data must receive serious scrutiny. Given the centrality and economic significance of data in our economy, these impacts should not be accidental or unintended.
The nature and importance of rights of access in our data economy can be seen in recent skirmishes over the practice of scraping publicly accessible data from web platforms.7 Litigation in such cases includes — but goes beyond — copyright issues. For example, courts are being asked to rule on whether the automated scraping of data violates property, IP or contractual rights, whether it is criminal in nature, or whether it is an acceptable exercise of users’ rights. These complex cases raise important issues about rights of access to data, rights to own/control data and the public interest in relation to publicly accessible data. And, while the litigation tends to involve commercial actors, data scrapers include journalists, civil society groups and even governments. While ownership rights are important, access is also critical.
Personal information fuels a growing number of algorithms that impact lives in foreseeable and as yet unforeseeable ways.
Ownership rights provided by law are largely instrumental. They can shape relationships between parties with respect to specific resources. How ownership rights should be exercised or addressed by governments is a separate but no less important issue. Governments are creators, custodians and users of data and governments have important choices to make in this regard.
The role of governments in relation to data is already evident in the open data movement in which Canadian governments at all levels are becoming invested. A wealth of government data is now shared under open licences through data portals designed to facilitate access and reuse. An important objective of open data strategies is to stimulate innovation by providing useful data resources in a reusable format and unburdened by legal restrictions. How well such movements achieve these goals remains an open question (Johnson et al. 2017). Yet the open data movement recognizes government’s role as a data source and deserves attention within a national data strategy.
Open data is but one manifestation of government data strategies. The federal government is now extending the open data concept to government-funded research through its open science initiative. Governments can also use their regulatory jurisdiction to make other data public,8 and it is important to consider when it might be strategically important to do so. There is room for government to play a role in developing unique and valuable data resources that could drive innovation. At the same time, there are also risks that governments will make nearsighted choices around data ownership, in particular in the context of public-private relationships. How data resources are managed in the rapidly evolving smart cities context will be an important measure of governments’ ability to think strategically about data and to develop data policy that serves the public interest (see, for example, Scassa 2017).
Data Protection and Privacy Considerations
Another plank in a national data strategy is data protection. Although PIPEDA applies to the private sector collection, use and disclosure of personal information, it is poorly adapted to a context in which data is a key economic asset. Although there is reason enough to do so independently, Canada may (once again) be forced to revisit private sector data protection following developments in the European Union. The newly passed General Data Protection Regulation (GDPR)9 sets a much higher threshold for data protection than currently exists in Canada. Because data flows so freely from one jurisdiction to another, the European Union has made the availability of comparable data protection legislation in states to which personal data is transferred for processing a prerequisite for such transfers.
There are reasons besides international trade for Canada to step up its level of private sector data protection. Personal information fuels a growing number of algorithms that impact lives in foreseeable and as yet unforeseeable ways. Data breaches are becoming more and more devastating and costly. The IoT is expanding the reach of data collection into some of our most private and personal realms. Robust data protection is rapidly becoming a precondition for maintaining basic human dignity and autonomy, as well as transparency and social justice.
Aspects of the GDPR also reflect the growing interrelationships between personal data protection and other once-siloed areas of law and regulation. The new data portability right, for example, is tied to consumer protection and consumer choice, as well as to competition law concerns. PIPEDA is barely adequate to address privacy considerations — and it is not adequate to address the much more complex personal data ecosystem that is emerging.
Just as the boundaries between the private sector and the public sector are becoming more difficult to navigate in contexts such as smart cities, the boundaries between the public sector and the private sector have become increasingly blurred. Governments contract with private sector companies for data and algorithms, and private sector companies seek access to valuable data collected by governments. At the same time, law enforcement and national security agencies are pressuring governments for new ways to tap into the vast stores of personal information collected by private sector companies. A national data strategy must take into account these relationships, their impacts, and the needed boundaries and necessary transparency to preserve our social and democratic values.
Data security is a crucial issue for a national data strategy. Data security protects privacy, and it also protects against harmful criminal activity directed against individuals (for example, identity theft), corporations (for example, industrial espionage, disruption of services) and governments (for example, service disruptions, national security). Data security issues are currently addressed through data protection laws, on the one hand, and, on the other, through criminal-law sanctions. A growing number of high-profile data security breaches in the private and public sector have contributed to the growth industry in class action law suits for data breaches. And, while the losses mount, it is apparent that a great deal more needs to be done to improve data security practices and recourses.
A national data strategy must pay attention to data sovereignty issues. A key element of data sovereignty relates to the ability to control what data leaves the country (thus escaping the protections put in place under domestic laws). The global nature of digital commerce, evolving practices around data storage in the cloud and offshore data processing all mean that a vast amount of data about Canadians is stored or communicated outside our borders. Such data is accessible to government actors in the countries where it is stored, raising privacy and security questions for Canadians. Yet in a high-stakes global trade environment, restrictions on flows of data (for example, requirements that particularly sensitive data be stored and/or processed only in Canada) may be seen as barriers to trade. This is evident in article 14.13 of the Trans-Pacific Partnership agreement, which prohibits data localization requirements unless they fall within a limited exception.10 A national data strategy must take into account legitimate needs to protect certain types and categories of data, as well as the need for the development of appropriate infrastructure to do so.
Another aspect of data sovereignty arises in the context of Canada’s relationship with its Indigenous peoples. Indigenous leaders in Canada have been calling for Indigenous data sovereignty, generally along the lines of the ownership, control, access and possession (or OCAP) principles (Assembly of First Nations 2007). Indigenous data sovereignty is not only a crucial step toward self-government, but it may also hold lessons for Canadian governments about the importance of setting a national digital data strategy.
A national data strategy should also be concerned about issues of data justice, broadly defined. Data justice involves fairness, transparency and equity. It affects all areas of society and social interaction. To the extent that government and private sector decision making will increasingly be driven by algorithms, algorithmic transparency has become a crucial social justice issue, yet it is one that our laws are not well-adapted to address. Governments will also need to pay greater attention to what data is used to shape decision making and will need to ensure that social inequities are not replicated in data-driven processes. The rethinking of siloed legal responses to certain social justice issues should also be part of this agenda.
This brief overview is meant to illustrate the need for a national data strategy and to outline some of its necessary features. In the absence of new law and policy, existing laws will be interpreted to apply in this new context, and policies will continue to emerge on an ad hoc basis. But an incremental, wait-and-see approach does nothing to establish innovative new directions or strategies. It can create uncertainty that is harmful to innovation and progress; it can create barriers to access to and reuse of data that might serve the public interest; and it leaves the rights of stakeholders, as well as the public interest, to be determined in the context of fragmented litigation between well-financed private parties, whose interests reflect only a small subset of the diverse ecosystem that is emerging and evolving around data.