Hosted by Carole Piovesen
Areas of Focus: Trust and Privacy
Highlights of Discussion
Data is a valuable resource. Canadians already show that they have high trust in technology and are open to sharing their data under the right circumstances. However, fears about misuse of private data are very real and the current approach to consent through complex data privacy agreements is not working. We must create a standard of care for how data is treated, but must mitigate concerns that larger companies dominate the conversation, locking out smaller companies who also share a vested interest. We must also build public awareness of the risks and rewards of data and digital transformation.
Data management is complex and involves a lot of complementary regulations and legislation. However, digital technologies evolve and shift rapidly, meaning that concrete rules will be obsolete very quickly. An approach is needed that is goal oriented and solution neutral while fostering competitiveness. It must also be simple to navigate, with guidance and predictability for businesses. And finally it must have a moderate approach to enforcement that targets bad actors, but doesn’t resort to draconian measures that limits innovation and competitiveness.
Key Opportunities / Considerations / Challenges
- Data Sharing
Sharing of aggregated public data such as health and education data is a great opportunity for Canada, however, coordination at provincial level is difficult. While most provinces have some coordination, approaches are all at different stages making it difficult to stitch together a number of frameworks. Government can play a leadership role in bringing provinces together for these conversations. Need to find ways to be interoperable but also safeguard protection.
- Public Awareness and Consent
Public doesn’t understand the benefits that come from digitization. Fear and mistrust bred from data breaches. However, doesn’t necessarily show in behaviour (eg. surveys indicate the public doesn’t trust AI, but trusts Google which uses AI). Many people are willing to give data in order to receive better services. However, they require better understanding of how data is used. Need skills to ensure they can make informed decisions on privacy and trust.
Current consent based model with long complicated privacy policies that users do not read is undermining trust and fostering passivity. People’s mistrust comes from third party application beyond what they believe they are giving permission for. Informed consent should be clear on what data is being used for and how this will benefit the user.
- Canada’s Privacy Legislation and Regulations
PIPEDA needs to be updated for modern times, however, changes must be based on facts and not feelings such as fear. More clarity is needed through guidelines or voluntary standards. Canada should also avoid replicating GDPR. A variety of mechanisms should be explored as there is no one size fits all approach.
Current enforcement ecosystem does not have enough teeth where it matters. Enforcement doesn’t have to negatively impact SMEs, but to build trust, there must be consequences for negative behaviour. A Privacy Commissioner with the capacity to order and make fines tailored to size of organization could allow for repercussions for businesses and recourse for consumers. Enforcement must be thought of globally as data transverses borders easily. Stringent policies risk discouraging data driven economic development within Canada and driving data companies to other, more open countries. It could also lead to companies hiding threats for fear of repercussions. A measured approach is needed.
It is also important to enforce the rights of businesses in particular from bad actors online who can be protected through legislation. Fraud and phishing scams can be a barrier for smaller companies who don’t have the capacity to unmask and have fraudulent sites shut down.
- Market Based Approaches
Class-action lawsuits due to data breaches have helped push for greater data security as it is placing a price tag on failure. Market forces through data portability could also play a role in allowing consumer choice; if they don’t like how their data is used, can move to another company. Companies are rewarded for creating innovative solutions. It also allows for smaller companies to fill gaps and niches where larger companies are not succeeding.
Data management is a complex issue which involves consumer rights issues, credit reporting, human rights issues, IP issues, etc. However, many of these systems are siloed and not connected. This creates issues for users as they are not sure where they should go to have their issue addressed. A more holistic approach is needed.
- Cyber Security
A key issue with cybersecurity is capacity, both to implement cybersecurity measures and to ensure companies have the knowledge to ask the right questions. Small companies, and those in “non-tech” sectors (eg. natural resources) might not realize they need to consider cybersecurity until it is too late. Cybersecurity is also a large industry in and of itself. Canada has an opportunity to better understand threats and use its reputation as a stable and trusted nation to welcome sector investment.
Canadians require greater access to internet as access breeds trust – people mistrust what they are unfamiliar with. Also, while Canada is a leader in wireless connectivity, despite a challenging environment, a new 5G revolution is coming. This will require investment to build and a regulatory environment that incentivizes investment in infrastructure by the private sector.
Ideas / Outcomes
- Open Data/Open Science
- In instances where science is publically funded, it should be open to other researchers by default. An inventory of publically funded research could be made available for researchers to help coordinate and connect researchers with mutual interests.
- National Student Number
- Student numbers follow students across all levels of education, which provides researchers with invaluable data. However, these numbers do not follow you across provincial boundaries and provides incomplete and biased data. Developing a single number across the country, coordinated at the national level, could provide a wealth of educational data. This is an area where Canadians already have high levels of trust and could easily see positive policy benefits.
- Standard of Care
- Build consensus around Canada’s data value. This could include “no-go zones” where it is agreed that certain information uses or data collecting practices are unethical and never an option.
- Data Receipts
- Companies could be required to keep a data receipt for each of their users. Each time a user consents to sharing data, they are given a unique identifier. Using this identifier, consumers could request a receipt for how their data has been used. Could also include a right to be deleted option.
- Flagship Pilot Initiative
- Building on an area where Canada has strength (eg: health data), a national data sharing platform could be built to aggregate and leverage data. The program would include educational and outreach initiatives to showcase the universal benefit. The program could also be promoted to attract international partners. Lessons from the pilot could then be transferred to other systems (eg. natural resources).
- Canadian Wireless Telecommunications Association (CWTA)
- Genome Canada
- Google Canada
- IP Institute of Canada
- Canadian Automobile Association (CAA)
- Canadian Chamber of Commerce
- Colleges and Institutes Canada
- Information and Communications Technology Council (ICTC)
- Information Technology Association of Canada (ITAC)
- Mining Association of Canada
- SecureKey Technologies
- University of Ottawa
- Ericsson Canada