Big data and the technology behind its collection are transforming the economy and society on a revolutionary scale. Technologies and companies that rely on huge volumes of data are behind this transformation; they collect it ubiquitously from cities, homes and devices.
What policies are in place to oversee this collection of data and ensure the protection of privacy and human rights? In this video, CIGI Senior Fellow Teresa Scassa says that, currently, there are very few policies in place to do so, and the ones that exist are either out of date or not comprehensive enough. In order to address these gaps, Canada must develop a national data strategy that protects individuals from exploitation at the hands of unregulated corporations.
As she outlines in this video, there are five key considerations to a national data strategy: ownership, privacy protection, security, sovereignty and justice. The absence of a strategy that addresses these concerns will result in policies being written on an ad hoc basis, resulting in data collection that will serve private parties, not the public interest.
I think that there is a need to think about data strategically. So, when we talk about a national data strategy, the idea is to think about the many different ways in which data is important to the economy, to the society, to individuals, to privacy and where we want to go with that — what we need to do from a public policy point of view and to think about it holistically.
The first pillar of a national data strategy should address ownership of data. Copyright law says there is no protection for facts — facts are in the public domain and they are to remain in the public domain. There have been arguments made suggesting that maybe data are different from facts. That data are, in some cases, authored or created. And so if you think about, to take an example from the public transit context, now public transit vehicles increasingly are equipped with GPS. And there are algorithms that taking that information and other available data, perhaps about traffic or about weather conditions, produce a prediction as to when the bus will arrive at the next bus stop. And some would say, well that’s not a fact, it’s not copied from the world, it’s just a prediction. And so, it’s something that’s authored or created and, therefore, it’s something in which intellectual property rights can be asserted. So, you know, do we want this to just happen from a series of court decisions involving very large corporate actors or do we want to think about what we need and what we want?
A national data strategy for Canada must address the issues around personal information. And this is because so much of the data that is being collected and so much of the high-value data is actually personal information. The European Data Protection Directive, the original one, was tremendously important and, in fact, was the driving force behind the enactment of PIPEDA in Canada, our own private sector data protection legislation. The GDPR is a rethinking of the original Data Protection Directive, a rethinking, a reworking of it to take into account the changing value of personal information within our data society and data economy. The data portability right, for example, is an interesting right. It basically puts power back in the hands of the consumer, saying that you have a right to take your data from that company and give it to another company. That’s really a radical new approach to data protection and it’s one that PIPEDA is simply not designed for and not ready for.
Data security as a plank in a national data strategy addresses the importance of ensuring that data is held and stored in ways that are secure and protected. We are inundated with stories about data breaches, whether they’re from government, from hospitals or health-care providers, from the private sector. What often comes out in these data breach stories is a shocking lack of attention to the protection of data. So, it suggests that perhaps there need to be stronger measures in place to ensure that there are clear standards for data security and that there are consequences if those standards aren’t met.
Data sovereignty is also important, particularly for a country like Canada. Data sovereignty is about our ability to control our data and determining what types of data should be localized — should be stored or kept only in Canada. There are real concerns that international trade priorities of some of our trading partners are to ensure that they’re not shut out of access to markets. So, in other words, any law or policy of a government that says data has to be localized within our national borders and not travel outside the country can be seen as a denial, as a trade barrier. These are important issues that have to be thought about before data localization gets negotiated away at the trading table.
Data justice is essential to ensuring that, in a society in which more and more decisions are being driven by data and by algorithms, that we have some means of understanding, unpacking the data and the algorithms behind those decisions and of seeking redress when we feel that those decisions have been made in an improper or discriminatory fashion. So, for example, if data and algorithms are being used in such a way that they determine who gets a chance to rent an apartment or who gets credit to be able to buy a house or to buy a car, how do we even begin to understand how these decisions are happening, how do we challenge them, what laws or mechanisms or policies are in place to allow us to push back against some of this data-driven decision making.
In the absence of a data strategy, there is a real risk that data will become concentrated in the hands of private sector companies and not just a broad range of private sector companies, but that there will be a concentration of data in the hands of relatively few private sector companies. Something like that could have very significant impacts for governance and for democracy.