Teresa Scassa - Blog

Displaying items by tag: data sharing

The Ontario Energy Board (OEB) has just released a decision that should be of interest to those concerned about data governance for data sharing. The decision relates to an application by Ontario’s Smart Metering Entity (SME) for a licence to begin sharing Ontario’s smart metering data with third parties. The SME was established in Ontario as part of the governance structure for the data collected through government-mandated smart metering for all electricity consumers in the province.

Smart meters in Ontario collect fine-grained electrical consumption data. There are clear privacy interests in this consumption data as a person’s patterns of electrical consumption can reveal much about their activities, habits and preferences. In theory, fine-grained, aggregate, deidentified electrical consumption data can be useful for a broad range of purposes, including feeding the ever-hungry data economy. The SME was charged with governing this data resource in a way that would meet the needs of third parties (researchers, governments, and the private sector) to have access to the data while respecting consumer privacy. In 2019, Merlynda Vilain and I published a paper about the SME and its mandate to govern smart metering data in the public interest.

In its October 24, 2019 decision, the OEB considers an application by the SME seeking approval for its plan to provide access to smart metering data. The SME’s plan is built around three categories of data. The first, labelled “public offers”, consists of “highly aggregated products” ”such as monthly, seasonal or quarterly consumption data aggregated by postal district (i.e. the first digit of the postal code).” (OEB Order, p. 8) This data would be provided free of charge, and subject to unspecified terms and conditions.

The second category of data is “standard private offerings”. This consists of “pre-designed extracts based on popular data requests”. The examples provided include “Hourly or daily consumption data aggregated by 6, 5, 4 or 3 digit Postal Code at the municipal level, specifying the Distributor Rate Class and Commodity Rate Class”, as well as different types of visualizations. This category of data would be made available subject to a Data Use Agreement and at “market prices”.

The third category of data is “custom private offerings”, which are data sets customized to meet the demands of specific clients. These data sets would be subject to a Data Use Agreement and sold at “market price”.

Market price, is, of course, different from a fee for cost recovery. The SME in its application indicated that not only would the fees charged cover the costs of producing the data sets, any profits from the sale of smart metering data would be put towards lowering the Smart Metering Charge. In other words, the sale of data could potentially result in lower energy costs. This is an example of a plan to sell aggregate consumer data with a view to benefitting the class as a whole, although the extent of any benefits is difficult to assess without more information about market pricing and about the privacy risks and implications of the shared data. On the privacy issues, the SME maintained that shared data would be de-identified, although it acknowledged that there was some (unspecified) reidentification risk. It argued that factors mitigating against reidentification would include its work with a privacy consultant, compliance with guidance from the Office of the Information and Privacy Commissioner, the use of Data Use Agreements to limit the actions of the party acquiring the data, and the establishment of an Ethics Review Committee.

Those involved in data governance for data sharing will see how the SME’s proposal features some of the key elements and challenges in the data-sharing context. There is a perceived demand for high-value data, an attempt to meet that demand, privacy issues arising because the data is generated by individual activities and consumption, and a need to think about the terms and conditions of sharing, including cost/price. In this case, the data governance entity is a public body that must act under terms set by the regulator (the OEB), and it requires OEB approval of any data sharing plan. In this case, the OEB heard from the SME as well as a number of interveners, including the Building Owners and Managers Association, the Consumers Council of Canada, the Electricity Distributors Association, Ontario Power Generation Inc., and the Vulnerable Energy Consumers Coalition.

The decision of the OEB is interesting for a number of reasons. First, the approach taken is a precautionary one – the OEB sends the SME back to the drawing board over concerns about privacy and about the pricing scheme. In doing so, it appears to have paid some attention to the sometimes heated data governance discussions that have been taking place in Canada.

The OEB began by noting that none of the interveners objected to the first part of the SME plan – to make its “public offerings” category of data available to the public free of charge. In fact, this was the only part of the plan that received OEB approval. The OEB noted that “As these products would comprise highly aggregated data, they do not raise the same concerns about privacy as more tailored products.” It also concluded that the costs associated with preparing and sharing this data were part of the SME’s normal operations.

More problematic were the other categories of data for which sharing was planned. The OEB accepted that customers have a reasonable expectation of privacy “albeit a “significantly attenuated” one” (at p. 13) in their energy consumption data. The Board also noted that for some commercial customers, the consumption data might be confidential commercial information. The OEB observed that in spite of the fact that the plan was to de-identify the data, there remained some reidentification risk. It stated that “in light of the concerns expressed by stakeholders in this proceeding, the SME should proceed cautiously with third party access”. (at 13-14) The OEB considered that consumers needed to be well-informed about the collection and sharing of their data, and that while the SME has attempted to consult on these issues, “a more comprehensive consumer engagement process should take place.” (at 14) The OEB noted that “it is not clear form the evidence that consumers support the notion that consumption data (even if de-identified) should be offered for sale to third parties.” (at 14)

This approach reflects a shift in position on the part of the OEB. Past discussions of data sharing have regarded this data primarily as a public asset that should be put to use in the public interest. In the case of third party data sharing, this public interest was largely in the stimulation of the economy and innovation. What is different in this OEB Order is a much greater recognition of the importance of individual and collective consent. In its directions to the SME, the OEB asks for more detail from the SME’s consultation with consumers, the need to propose “a protocol for receiving and dealing with consumer complaints regarding the release of the data” (at 14), a plan for informing consumers about the release of deidentified information to third parties, and a need to obtain approval “of the basic terms of any Data Use Agreement with third parties.” (at 14).

In addition to these concerns about privacy and consultation, the OEB expressed reservations about the SME’s plans to share data at ‘market prices’. Some of the interveners noted that the SME held a monopoly position with respect to smart metering data, and there was therefore no market price for such data. The OEB called for the SME to develop a marketing plan that “should address pricing to ensure reasonably priced access by commercial and non-commercial users.” (at 14)

This decision is important and interesting for a number of reasons. First, it reflects a cautious, go-slow, precautionary approach to data sharing that might not have existed before Ontarians lost their data innocence in the debates over plans for Sidewalk Toronto. The OEB’s concerns include reidentification risk, proper consultation, accountability, and the terms and conditions for data sharing. The need to adequately and appropriately consult those individuals whose data is to be shared is an important theme in this decision. Although the SME claims to have made efforts to include consumer perspectives, the OEB is not satisfied that these efforts went far enough.

The decision also lands in the middle of the Ontario government’s data strategy consultation (which I have written about here, here and here). The consultation process – which lacks detail and is moving far too quickly – is clearly geared towards increasing data sharing and leveraging data for economic development and innovation, all while maintaining public ‘trust and confidence’. The Ontario government clearly wants to make some quick changes. Yet what this OEB decision reflects is a need to adopt a precautionary approach and to ensure adequate consultation and public awareness. As frameworks, models and templates are developed, things can being to move more quickly – but there is real value in getting things right from the outset.

Published in Privacy

Smart city data governance has become a hot topic in Toronto in light of Sidewalk Labs’ proposed smart city development for Toronto’s waterfront. In its Master Innovation Development Plan (MIDP), Sidewalk Labs has outlined a data governance regime for “urban data” that will be collected in the lands set aside for the proposed Sidewalk Toronto smart city development. The data governance scheme sets out to do a number of different things. First, it provides a framework for sharing ‘urban data’ with all those who have an interest in using this data. This could include governments, the private sector, researchers or civil society. Because the data may have privacy implications, the governance scheme must also protect privacy. Sidewalk Labs is also proposing that the governance body be charged with determining who can collect data within the project space, and with setting any necessary terms and conditions for such collection and for any subsequent use or sharing of the data. The governance body, named the Urban Data Trust (UDT), will have a mandate to act in the public interest, and it is meant to ensure that privacy is respected and that any data collection, use or disclosure – even if the data is non-personal or deidentified – is ethical and serves the public interest. They propose a 5-person governance body, with representation from different stakeholder communities, including “a data governance, privacy, or intellectual property expert; a community representative; a public-sector representative; an academic representative; and a Canadian business industry representative” (MIDP, Chapter 5, p. 421).

The merits and/or shortcomings of this proposed governance scheme will no doubt be hotly debated as the public is consulted and as Waterfront Toronto develops its response to the MIDP. One thing is certain – the plan is sure to generate a great deal of discussion. Data governance for data sharing is becoming an increasingly important topic (it is also relevant in the Artificial Intelligence (AI) context) – one where there are many possibilities and proposals and much unexplored territory. Relatively recent publications on data governance for data sharing include reports by Element AI, MaRS, and the Open Data Institute). These reflect both the interest in and the uncertainties around the subject. Yet in spite of the apparent novelty of the subject and the flurry of interest in data trusts, there are already many different existing models of data governance for data sharing. These models may offer lessons that are important in developing data governance for data sharing for both AI and for smart city developments like Sidewalk Toronto.

My co-author Merlynda Vilain and I have just published a paper that explores one such model. In the early 2000’s the Ontario government decided to roll out mandatory smart metering for electrical consumption in the province. Over a period of time, all homes and businesses would be equipped with smart meters, and these meters would collect detailed data in real time about electrical consumption. The proposal raised privacy concerns, particularly because detailed electrical consumption data could reveal intimate details about the activities of people within their own homes. The response to these concerns was to create a data governance framework that would protect customer privacy while still reaping the benefits of the detailed consumption data.

Not surprisingly, as the data economy surged alongside the implementation of smart metering, the interest in access to deidentified electrical consumption data grew across different levels of government and within the private sector. The data governance regime had therefore to adapt to a growing demand for access to the data from a broadening range of actors. Protecting privacy became a major concern, and this involved not just applying deidentification techniques, but also setting terms and conditions for reuse of the data.

The Smart Metering Entity (SME), the data governance body established for smart metering data, provides an interesting use case for data governance for data sharing. We carried out our study with this in mind; we were particularly interested in seeing what lessons could be learned from the SME for data governance in other context. We found that the SME made a particularly interesting case study because it involved public sector data, public and private sector stakeholders, and a considerable body of relatively sensitive personal information. It also provides a good example of a model that had to adapt to changes over a relatively short period of time – something that may be essential in a rapidly evolving data economy. There were changes in the value of the data collected, and new demands for access to the data by both public and private sector actors. Because of the new demand and new users, the SME was also pushed to collect additional data attributes to enrich the value of its data for potential users.

The SME model may be particularly useful to think about in the smart cities context. Smart cities also involve both public and private sector actors, they may involve the collection of large volumes of human behavioural data, and this gives rise to a strong public interest in appropriate data governance. Another commonality is that in both the smart metering and smart cities contexts individuals have little choice but to have their data collected. The underlying assumption is that the reuse and repurposing of this data across different contexts serves the public interest in a number of different ways. However, ‘public interest’ is a slippery fish and is capable of multiple interpretations. With a greatly diminished role for consent, individuals and communities require frameworks that can assist not just in achieving the identified public interests – but in helping them to identify and set them. At the same time protecting individual and community privacy, and ensuring that data is not used in ways that are harmful or exploitative.

Overall, our study gave us much to think about, and its conclusion develops a series of ‘lessons’ for data governance for data sharing. A few things are worthy of particular note in relation to Sidewalk Labs’ proposed Urban Data Trust. First, designing appropriate governance for smart metering data was a significant undertaking that took a considerable amount of time, particularly as demands for data evolved. This was the case even though the SME was dealing only with one type of data (smart metering data), and that it was not responsible for overseeing new requests to collect new types of data. This is a sobering reminder that designing good data governance – particularly in complex contexts – may take considerable time and resources. The proposed UDT is very complex. It will deal with many different types of data, data collectors, and data users. It is also meant to approve and set terms and conditions for new collection and uses. The feasibility of creating robust governance for such a complex context is therefore an issue – especially within relatively short timelines for the project. Defining the public interest – which both the SME and the UDT are meant to serve – is also a challenge. In the case of the SME, the democratically elected provincial government determines the public interest at a policy level, and it is implemented through the SME. Even so, there are legitimate concerns about representation and about how the public interest is defined. With the UDT, it is not clear who determines the public interest or how. There will be questions about who oversees appointments to the UDT, and how different stakeholders and their interests are weighted in its composition and in its decision-making.

Our full paper can be found in open access format on the website of the Centre for International Governance Innovation (CIGI): here.

 

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law