Hosted by Ilse Treurnicht
Area of Focus: Trust and Privacy
Highlights of Discussion
Trust is the foundation upon which all other innovations can be built, particularly in the digital sphere. Inclusion, trust and adoption will underpin the long term success of Canada’s innovation efforts. The goal is to find ways for governments and companies to be able to take advantage of all the data that is being generated to continue to innovate, but at the same time to address the anxieties that people have about how their data is being collected, stored and used. These consultations aim to answer questions around how we can include everyone in the new economy and identifying gaps we must address to fuel innovation and build up trust. Control over one’s personal data and transparency around its use are key issues.
Key Opportunities / Considerations / Challenges
- International context
Different jurisdictions have taken different approaches to dealing with privacy and data management – e.g. GDPR in EU which places privacy rights of individuals ahead of all other considerations, may not address needs or considerations of business/companies. We can learn from what other countries have done, and adapt principles that might work in the Canadian context.
At the same time, Canadian regulations should be aligned as much as possible with emerging international standards, otherwise we will impede global operations of companies (global operations are important for Canadian firms as domestic market is small). We must be strategic, not transactional, when renewing international adequacy agreements. Harmonization of legislation, both internationally and domestically, is important (e.g. B.C. has different requirements for housing of student data than other provinces, which can pose a challenge). Key is to ensure interoperability.
There is an opportunity for Canada to be a leader in the field of data privacy and security in emerging fields like AI. In addition, we are strong in quantum computing, crypto, and cybersecurity, and these areas are relative “greenfields” where we can exert influence. But we are not investing at the same levels as our competitors and risk losing our leadership position – e.g. China is now publishing more AI papers than any other nation, and has made AI a mandatory part of the curriculum in elementary and secondary schools.
- Types of data
Data management varies based on usage and functions (e.g. B2B [business-to-business] versus B2C [business-to-client]), as well as level of sensitivity (e.g. national security versus personal information of individuals). Important to understand this and treat these classes of data appropriately (not lump all together under one umbrella).
- Data residency
Consumers and governments tend to focus on where data is physically stored (e.g. servers). There need to be clear, mutual adequacy rulings (bilateral and multilateral) about how data is treated in different jurisdictions – if these are in place, then physical location of where data is housed should not be as important. Additionally, it’s important to determine whether or not we have the right infrastructure to host data domestically.
- Role of industry
Industry needs to be aware of developments in terms of international discussions about privacy, and of opportunities to get involved in these discussions. However, getting involved in international standard setting processes can be cumbersome and many small and medium sized Canadian companies do not have the capacity. The Canadian government does provide funding to support companies that want to get involved, including on industry “mirror” committees, e.g. on IP.
Ideas / Outcomes
- Awareness / Education
The government should dedicate resources to disseminating high quality information and help Canadian companies understand what is required of them in terms of data management. As well, Canadian consumers should be educated about their privacy and digital rights – there is a lack of awareness about Canadian laws / regulations, because our market is saturated with US news / media. There is a need to educate Canadians on the rules, as well as steps they can take to protect themselves (e.g. they do not always understand what they are consenting to when asked to consent). It is critical to deliver this information in a way that is clear and accessible (plain language, not legalese).
As well, much of what we hear about digital privacy is in the context of breaches or misuse. In order to build trust, we must also promote positive stories – e.g. highlight proactive steps that companies or governments are taking to protect data privacy and security, as well as how access to data sets helped a company grow, or helped a community solve a problem, or address a societal challenge.
Young people must also be trained (including about being skeptical about information and advertising online), and consulted for their feedback. Younger generations (who grew up in a digital environment) have different expectations of privacy than older cohorts. There may be age and gender differences in how comfortable people feel about sharing data (or requiring that explicit consent be given for it to be used for any purpose other than the intended one when it was collected).
- Legislation / Enforcement
Canada should be encouraged to take a principles-based approach, and should make legislative changes cautiously with a long view. Companies should be helped to understand whether they are compliant with rules or not, and given a chance to address problems, before being fined. There are really four parts to enforcement: advocacy (education), advisory (helping people understand how to be compliant – important for businesses), investigation and enforcement. The Office of the Privacy Commissioner should not necessarily be responsible for all four elements.
Clarity of legislation is also extremely important to ensure proper compliance. Oftentimes the government’s definitions and/or rules are overly complex, to the point where people don’t understand them and simply tune them out. A key message was not to overcomplicate this and to ensure there is flexibility and agility to adapt over time.
The appropriateness and adequacy of systems that are in place to ensure data security are extremely important. The government cannot regulate trust, but they can regulate trustworthiness – can assess the strength and adequacy of security systems and data management systems, and advise consumers about risks. Standards can play an important role here.
- Continuous dialogue with stakeholders
Government could set up a permanent institute to carry out consultations with the public on a variety of policy issues (like a Vector Institute for policy), and disseminate relevant and timely information to stakeholders and citizens.
- Quantum computing
As we move to a world where systems talk directly to each other, new ways to authenticate identity directly between systems emerge. We currently rely on crypto technology to protect data and authenticate identities online, but this technology will become obsolete when quantum computers come onto the market in fifteen to twenty years. It is important to consider the long term implications of these shifts and how these may present new opportunities for Canada.
- University of Waterloo
- GoldCare (Campana)
- D2L Corporation
- Centre for International Governance Innovation
- Thalmic Labs
- Waterloo Regional Economic Development Corporation
- Innovation Guelph
- The Federated Women’s Institutes of Ontario (FWIO)
- Accelerator Centre