Teresa Scassa - Blog

Posts tagged: data sharing

The following is a short excerpt from a new paper which looks at the public sector use of private sector personal data (Teresa Scassa, “Public Sector Use of Private Sector Personal Data: Towards Best Practices”, forthcoming in (2024) 47:2 Dalhousie Law Journal). The full pre-print version of the paper is available here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4538632

Governments seeking to make data-driven decisions require the data to do so. Although they may already hold large stores of administrative data, their ability to collect new or different data is limited both by law and by practicality. In our networked, Internet of Things society, the private sector has become a source of abundant data about almost anything – but particularly about people and their activities. Private sector companies collect a wide variety of personal data, often in high volumes, rich in detail, and continuously over time. Location and mobility data, for example, are collected by many different actors, from cellular service providers to app developers. Financial sector organizations amass rich data about the spending and borrowing habits of consumers. Even genetic data is collected by private sector companies. The range of available data is constantly broadening as more and more is harvested, and as companies seek secondary markets for the data they collect.

Public sector use of private sector data is fraught with important legal and public policy considerations. Chief among these is privacy since access to such data raises concerns about undue government intrusion into private lives and habits. Data protection issues implicate both public and private sector actors in this context, and include notice and consent, as well as data security. And, where private sector data is used to shape government policies and actions, important questions about ethics, data quality, the potential for discrimination, and broader human rights questions also arise. Alongside these issues are interwoven concerns about transparency, as well as necessity and proportionality when it comes to the conscription by the public sector of data collected by private companies.

This paper explores issues raised by public sector access to and use of personal data held by the private sector. It considers how such data sharing is legally enabled and within what parameters. Given that laws governing data sharing may not always keep pace with data needs and public concerns, this paper also takes a normative approach which examines whether and in what circumstances such data sharing should take place. To provide a factual context for discussion of the issues, the analysis in this paper is framed around two recent examples from Canada that involved actual or attempted access by government agencies to private sector personal data for public purposes. The cases chosen are different in nature and scope. The first is the attempted acquisition and use by Canada’s national statistics organization, Statistics Canada (StatCan), of data held by credit monitoring companies and financial institutions to generate economic statistics. The second is the use, during the COVID-19 pandemic, of mobility data by the Public Health Agency of Canada (PHAC) to assess the effectiveness of public health policies in reducing the transmission of COVID-19 during lockdowns. The StatCan example involves the compelled sharing of personal data by private sector actors, while the PHAC example involves a government agency that contracted for the use of anonymized data and analytics supplied by private sector companies. Each of these instances generated significant public outcry. This negative publicity no doubt exceeded what either agency anticipated. Both believed that they had a legal basis to gather and/or use the data or analytics, and both believed that their actions served the public good. Yet the outcry is indicative of underlying concerns that had not properly been addressed.

Using these two quite different cases as illustrations, the paper examines the issues raised by the use of private sector data by government. Recognizing that such practices are likely to multiply, it also makes recommendations for best practices. Although the examples considered are Canadian and are shaped by the Canadian legal context, most of the issues they raise are of broader relevance. Part I of this paper sets out the two case studies that are used to tease out and illustrate the issues raised by public sector use of private sector data. Part II discusses the different issues and makes recommendations.


Published in Privacy

[Note: This is my third in a series of posts on the new Bill C-27 which will reform private sector data protection law in Canada and which will add a new Artificial Intelligence and Data Act. The previous two posts addressed consent and de-identification/anonymization.]

In 2018 a furore erupted over media reports that Statistics Canada (StatCan) sought to collect the financial data of half a million Canadians from Canadian banks to generate statistical data. Reports also revealed that it had already collected a substantial volume of personal financial data from credit agencies. The revelations led to complaints to the Privacy Commissioner, who carried out an investigation and issued an interim and a final report. One outcome was that StatCan worked with the Office of the Privacy Commissioner of Canada to develop a new approach to the collection of such data. Much more recently, there were expressions of public outrage when media reported that the Public Health Agency of Canada (PHAC) had acquired de-identified mobility data about Canadians from Telus in order to inform its response to the COVID-19 pandemic. This led to hearings before the ETHI Standing Committee of the House of Commons, and resulted in a report with a series of recommendations.

Both of these instances involved attempts by government institutions or agencies to make use of existing private sector data to enhance their analyses or decision-making. Good policy is built on good data; we should support and encourage the responsible use of data by government in its decision-making. At the same time, however, there is clearly a deep vein of public distrust in government – particularly when it comes to personal data – that cannot be ignored. Addressing this distrust requires both transparency and strong protection for privacy.

Bill C-27, introduced in Parliament in June 2022, proposes a new Consumer Privacy Protection Act to replace the aging Personal Information Protection and Electronic Documents Act (PIPEDA). As part of the reform, this private sector data protection bill contains provisions that are tailored to address the need of government – as well as the commercial data industry – to access personal data in the hands of the private sector.

Two provisions in C-27 are particularly relevant here: sections 35 and 39. Section 35 deals specifically with the sharing of private sector data for the purposes of statistics and research; it resembles the existing exception in s. 7(3)(f) of PIPEDA. Section 39 is entirely new and deals with the use of data for “socially beneficial purposes”. Both s. 35 and s. 39 were in the predecessor to C-27, Bill C-11. Only section 35 has been changed since C-11 – a small change that significantly broadens its scope.

Section 35 of Bill C-27 provides:

35 An organization may disclose an individual’s personal information without their knowledge or consent if

(a) the disclosure is made for statistical purposes or for study or research purposes and those purposes cannot be achieved without disclosing the information;

(b) it is impracticable to obtain consent; and

(c) the organization informs the Commissioner of the disclosure before the information is disclosed.

This provision would enable the kind of data sharing by the private sector that was involved in the StatCan example mentioned above, and that was previously enabled by s. 7(3)(f) of PIPEDA. As is currently the case under PIPEDA, s. 35 would allow for the sharing of personal information without an individual’s knowledge or consent. It is important to note that there is no requirement that the personal information be de-identified or anonymized in any way (see my earlier post on de-identification and anonymization here). The remainder of s. 35 imposes the only limitations on such sharing. One of these relates to purpose. The sharing must be for “statistical purposes” (but note that StatCan is not the only organization that engages in statistical activities, and such sharing is not limited to StatCan). It can also be for “study or research purposes”. Bill C-11, like PIPEDA, had referred to “scholarly study or research purposes”. The removal of ‘scholarly’ substantially enlarges the scope of this provision (for example, market research and voter profile research would no doubt count). There is a further qualifier – the statistical, study, or research purposes have to be ones that “cannot be achieved without disclosing the information”. However, they do not have to be ‘socially beneficial’ (although there is an overarching provision in s. 5 that requires that the purposes for collecting, using or disclosing personal information be ones that a ‘reasonable person would consider appropriate in the circumstances’). Section 35(b) (as is the case under PIPEDA’s s. 7(3)(f)) also requires that it be impracticable to obtain consent. This is not really much of a barrier. If you want to use the data of half a million individuals, for example, it is really not practical to seek their consent. Finally, the organization must inform the Commissioner of the disclosure prior to it taking place. This provides a thin film of transparency. Another nod and a wink to transparency is found in s. 62(2)(b), which requires organizations to provide a ‘general account’ of how they apply “the exceptions to the requirement to obtain an individual’s consent under this Act”.

Quebec’s Loi 25 also addresses the use of personal information in the hands of the private sector for statistical and research purposes without individual consent. Unlike Bill C-27, it contains more substantive guardrails:

21. A person carrying on an enterprise may communicate personal information without the consent of the persons concerned to a person or body wishing to use the information for study or research purposes or for the production of statistics.

The information may be communicated if a privacy impact assessment concludes that

(1) the objective of the study or research or of the production of statistics can be achieved only if the information is communicated in a form allowing the persons concerned to be identified;

(2) it is unreasonable to require the person or body to obtain the consent of the persons concerned;

(3) the objective of the study or research or of the production of statistics outweighs, with regard to the public interest, the impact of communicating and using the information on the privacy of the persons concerned;

(4) the personal information is used in such a manner as to ensure confidentiality; and

(5) only the necessary information is communicated.

The requirement of a privacy impact assessment (PIA) in Loi 25 is important, as is the condition that this assessment consider the goals of the research or statistical activity in relation to the public interest and to the impact on individuals. Loi 25 also contains important limitations on how much information is shared. Bill C-27 addresses none of these issues. At the very least, as is the case under Quebec law, there should be a requirement to conduct a PIA with similar considerations – and to share it with the Privacy Commissioner. Since this is data sharing without knowledge or consent, there could even be a requirement that the PIAs be made publicly available, with appropriate redactions if necessary.

Some might object that there is no need to incorporate these safeguards in the new private sector data protection law since those entities (such as StatCan) who receive the data have their own secure policies and practices in place to protect data. However, under s. 35 there is no restriction on who may receive data for statistical, study or research purposes, and no reason to assume that they have appropriate safeguards in place. If they do, then the PIA can reflect this.

Section 39 addresses the sharing of de-identified personal information for socially beneficial purposes. Presumably, this would be the provision under which, in the future, mobility data might be shared with an agency such as PHAC. Under s. 39:

39 (1) An organization may disclose an individual’s personal information without their knowledge or consent if

(a) the personal information is de-identified before the disclosure is made;

(b) the disclosure is made to

(i) a government institution or part of a government institution in Canada,

(ii) a health care institution, post-secondary educational institution or public library in Canada,

(iii) any organization that is mandated, under a federal or provincial law or by contract with a government institution or part of a government institution in Canada, to carry out a socially beneficial purpose, or

(iv) any other prescribed entity; and

(c) the disclosure is made for a socially beneficial purpose.

(2) For the purpose of this section, socially beneficial purpose means a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.

This provision requires that shared information be de-identified, although as noted in my earlier post, de-identification in Bill C-27 no longer means what it did in C-11. The data shared may have only direct identifiers removed, leaving individuals easily identifiable. The disclosure must be for socially beneficial purposes, and it must be to a specified or prescribed entity. I commented on the identical provision in C-11 here, so I will not repeat those earlier concerns in detail. They remain unaddressed in Bill C-27. The most significant gap is the lack of a requirement for a data governance agreement to be in place between the parties, based upon the kinds of considerations that would be relevant in a privacy impact assessment.
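To make this concern concrete, here is a minimal illustrative sketch (in Python, using invented records and made-up column names; nothing here is drawn from Bill C-27, Bill C-11, or any real data flow) of the gap between stripping direct identifiers and a more protective treatment that also generalizes quasi-identifiers such as postal code and date of birth:

```python
# Illustrative sketch only: invented records and column names, not drawn
# from Bill C-27, Bill C-11, or any real data flow.
import pandas as pd

records = pd.DataFrame([
    {"name": "A. Tremblay", "email": "a.t@example.com",
     "postal_code": "K1A0A6", "birth_date": "1980-03-14", "sex": "F",
     "monthly_spend": 2150.75},
    {"name": "B. Singh", "email": "b.s@example.com",
     "postal_code": "M5V2T6", "birth_date": "1992-11-02", "sex": "M",
     "monthly_spend": 980.10},
])

# "De-identification" in the weaker sense: only direct identifiers are
# dropped. Quasi-identifiers (postal code, birth date, sex) remain, and in
# combination they will often be unique to a single person.
deidentified = records.drop(columns=["name", "email"])

# A more protective treatment also generalizes the quasi-identifiers,
# e.g. keeping only the first character of the postal code and coarsening
# the birth date to a decade.
anonymized = (
    deidentified
    .assign(
        postal_area=deidentified["postal_code"].str[0],
        birth_decade=pd.to_datetime(deidentified["birth_date"]).dt.year // 10 * 10,
    )
    .drop(columns=["postal_code", "birth_date"])
)

print(deidentified)
print(anonymized)
```

The point of the sketch is simply that a record shorn of name and email can still be unique – and therefore re-identifiable – once a handful of remaining quasi-identifiers are combined.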

Where the sharing is to be with a federal government institution, the Privacy Act should provide additional protection. However, the Privacy Act is itself an antediluvian statute that has long been in need of reform. It is worth noting that while the doors to data sharing are opened in Bill C-27, many of the necessary safeguards – at least where government is concerned – are left for another statute in the hands of another department, and that lies who-knows-where in the government’s legislative agenda (although rumours are that we might see a Bill this fall [Warning: holding your breath could be harmful to your health.]). In its report on the sharing of mobility data with PHAC, ETHI calls for much greater transparency about data use on the part of the Government of Canada, and also calls for enhanced consultation with the Privacy Commissioner prior to engaging in this form of data collection. Apart from the fact that these pieces will not be in place – if at all – until the Privacy Act is reformed, the exceptions in sections 35 and 39 of C-27 apply to organizations and institutions outside the federal government, and thus, can involve institutions and entities not subject to the Privacy Act. Guardrails should be included in C-27 (as they are, for example, in Loi 25); yet, they are absent.

As noted earlier, there are sound reasons to facilitate the use of personal data to aid in data-driven decision-making that serves the public interest. However, any such use must protect individual privacy. Beyond this, there is also a collective privacy dimension to the sharing of even anonymized human-derived data. This should also not be ignored. It requires greater transparency and public engagement, along with appropriate oversight by the Privacy Commissioner. Bill C-27 facilitates use without adequately protecting privacy – collective or individual. Given the already evident lack of trust in government, this seems either tone-deaf or deeply cynical.


Published in Privacy

The Ontario Energy Board (OEB) has just released a decision that should be of interest to those concerned about data governance for data sharing. The decision relates to an application by Ontario’s Smart Metering Entity (SME) for a licence to begin sharing Ontario’s smart metering data with third parties. The SME was established in Ontario as part of the governance structure for the data collected through government-mandated smart metering for all electricity consumers in the province.

Smart meters in Ontario collect fine-grained electrical consumption data. There are clear privacy interests in this consumption data as a person’s patterns of electrical consumption can reveal much about their activities, habits and preferences. In theory, fine-grained, aggregate, deidentified electrical consumption data can be useful for a broad range of purposes, including feeding the ever-hungry data economy. The SME was charged with governing this data resource in a way that would meet the needs of third parties (researchers, governments, and the private sector) to have access to the data while respecting consumer privacy. In 2019, Merlynda Vilain and I published a paper about the SME and its mandate to govern smart metering data in the public interest.

In its October 24, 2019 decision, the OEB considers an application by the SME seeking approval for its plan to provide access to smart metering data. The SME’s plan is built around three categories of data. The first, labelled “public offers”, consists of “highly aggregated products”, such as “monthly, seasonal or quarterly consumption data aggregated by postal district (i.e. the first digit of the postal code).” (OEB Order, p. 8) This data would be provided free of charge, and subject to unspecified terms and conditions.

The second category of data is “standard private offerings”. This consists of “pre-designed extracts based on popular data requests”. The examples provided include “Hourly or daily consumption data aggregated by 6, 5, 4 or 3 digit Postal Code at the municipal level, specifying the Distributor Rate Class and Commodity Rate Class”, as well as different types of visualizations. This category of data would be made available subject to a Data Use Agreement and at “market prices”.

The third category of data is “custom private offerings”, which are data sets customized to meet the demands of specific clients. These data sets would be subject to a Data Use Agreement and sold at “market price”.
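Purely by way of illustration, the following short sketch (in Python, with invented readings and column names; it is not the SME’s actual schema or product design) shows what aggregation by postal-code prefix at different granularities might look like, from the coarse “public offers” level down to the finer prefixes contemplated for the “standard private offerings”:

```python
# Illustrative sketch only: invented readings and column names, not the
# SME's actual schema or data products.
import pandas as pd

readings = pd.DataFrame({
    "postal_code": ["K1A0A6", "K1A0B1", "M5V2T6", "M5V3L9"],
    "hour": pd.to_datetime(["2019-10-24 01:00"] * 4),
    "kwh": [1.2, 0.8, 2.4, 1.9],
})

def aggregate_by_prefix(df: pd.DataFrame, digits: int) -> pd.DataFrame:
    """Sum consumption across all meters sharing a postal-code prefix.

    digits=1 roughly corresponds to the coarse 'public offers' level
    (postal district); longer prefixes correspond to the finer
    'standard private offerings' described in the SME's plan.
    """
    return (
        df.assign(area=df["postal_code"].str[:digits])
          .groupby(["area", "hour"], as_index=False)["kwh"]
          .sum()
    )

print(aggregate_by_prefix(readings, 1))  # by postal district (first character)
print(aggregate_by_prefix(readings, 3))  # by forward sortation area (first three characters)
```

The coarser the prefix, the larger the pool of meters behind each aggregate value, which is part of why the highly aggregated products raise fewer privacy concerns than the finer-grained offerings.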

Market price is, of course, different from a fee for cost recovery. The SME in its application indicated that not only would the fees charged cover the costs of producing the data sets, but any profits from the sale of smart metering data would also be put towards lowering the Smart Metering Charge. In other words, the sale of data could potentially result in lower energy costs. This is an example of a plan to sell aggregate consumer data with a view to benefitting the class as a whole, although the extent of any benefits is difficult to assess without more information about market pricing and about the privacy risks and implications of the shared data. On the privacy issues, the SME maintained that shared data would be de-identified, although it acknowledged that there was some (unspecified) reidentification risk. It argued that factors mitigating the risk of reidentification would include its work with a privacy consultant, compliance with guidance from the Office of the Information and Privacy Commissioner, the use of Data Use Agreements to limit the actions of the party acquiring the data, and the establishment of an Ethics Review Committee.

Those involved in data governance for data sharing will see how the SME’s proposal features some of the key elements and challenges in the data-sharing context. There is a perceived demand for high-value data, an attempt to meet that demand, privacy issues arising because the data is generated by individual activities and consumption, and a need to think about the terms and conditions of sharing, including cost/price. In this case, the data governance entity is a public body that must act under terms set by the regulator (the OEB), and it requires OEB approval of any data sharing plan. In this case, the OEB heard from the SME as well as a number of interveners, including the Building Owners and Managers Association, the Consumers Council of Canada, the Electricity Distributors Association, Ontario Power Generation Inc., and the Vulnerable Energy Consumers Coalition.

The decision of the OEB is interesting for a number of reasons. First, the approach taken is a precautionary one – the OEB sends the SME back to the drawing board over concerns about privacy and about the pricing scheme. In doing so, it appears to have paid some attention to the sometimes heated data governance discussions that have been taking place in Canada.

The OEB began by noting that none of the interveners objected to the first part of the SME plan – to make its “public offerings” category of data available to the public free of charge. In fact, this was the only part of the plan that received OEB approval. The OEB noted that “As these products would comprise highly aggregated data, they do not raise the same concerns about privacy as more tailored products.” It also concluded that the costs associated with preparing and sharing this data were part of the SME’s normal operations.

More problematic were the other categories of data for which sharing was planned. The OEB accepted that customers have a reasonable expectation of privacy, “albeit a ‘significantly attenuated’ one” (at p. 13), in their energy consumption data. The Board also noted that for some commercial customers, the consumption data might be confidential commercial information. The OEB observed that in spite of the fact that the plan was to de-identify the data, there remained some reidentification risk. It stated that “in light of the concerns expressed by stakeholders in this proceeding, the SME should proceed cautiously with third party access”. (at 13-14) The OEB considered that consumers needed to be well-informed about the collection and sharing of their data, and that while the SME had attempted to consult on these issues, “a more comprehensive consumer engagement process should take place.” (at 14) The OEB noted that “it is not clear from the evidence that consumers support the notion that consumption data (even if de-identified) should be offered for sale to third parties.” (at 14)

This approach reflects a shift in position on the part of the OEB. Past discussions of data sharing have regarded this data primarily as a public asset that should be put to use in the public interest. In the case of third party data sharing, this public interest was largely in the stimulation of the economy and innovation. What is different in this OEB Order is a much greater recognition of the importance of individual and collective consent. In its directions to the SME, the OEB asks for more detail on the SME’s consultation with consumers, a proposed “protocol for receiving and dealing with consumer complaints regarding the release of the data” (at 14), a plan for informing consumers about the release of deidentified information to third parties, and approval “of the basic terms of any Data Use Agreement with third parties.” (at 14)

In addition to these concerns about privacy and consultation, the OEB expressed reservations about the SME’s plans to share data at ‘market prices’. Some of the interveners noted that the SME held a monopoly position with respect to smart metering data, and there was therefore no market price for such data. The OEB called for the SME to develop a marketing plan that “should address pricing to ensure reasonably priced access by commercial and non-commercial users.” (at 14)

This decision is important and interesting for a number of reasons. First, it reflects a cautious, go-slow, precautionary approach to data sharing that might not have existed before Ontarians lost their data innocence in the debates over plans for Sidewalk Toronto. The OEB’s concerns include reidentification risk, proper consultation, accountability, and the terms and conditions for data sharing. The need to adequately and appropriately consult those individuals whose data is to be shared is an important theme in this decision. Although the SME claims to have made efforts to include consumer perspectives, the OEB is not satisfied that these efforts went far enough.

The decision also lands in the middle of the Ontario government’s data strategy consultation (which I have written about here, here and here). The consultation process – which lacks detail and is moving far too quickly – is clearly geared towards increasing data sharing and leveraging data for economic development and innovation, all while maintaining public ‘trust and confidence’. The Ontario government clearly wants to make some quick changes. Yet what this OEB decision reflects is a need to adopt a precautionary approach and to ensure adequate consultation and public awareness. As frameworks, models and templates are developed, things can begin to move more quickly – but there is real value in getting things right from the outset.

Published in Privacy

Smart city data governance has become a hot topic in Toronto in light of Sidewalk Labs’ proposed smart city development for Toronto’s waterfront. In its Master Innovation Development Plan (MIDP), Sidewalk Labs has outlined a data governance regime for “urban data” that will be collected in the lands set aside for the proposed Sidewalk Toronto smart city development. The data governance scheme sets out to do a number of different things. First, it provides a framework for sharing ‘urban data’ with all those who have an interest in using this data. This could include governments, the private sector, researchers or civil society. Because the data may have privacy implications, the governance scheme must also protect privacy. Sidewalk Labs is also proposing that the governance body be charged with determining who can collect data within the project space, and with setting any necessary terms and conditions for such collection and for any subsequent use or sharing of the data. The governance body, named the Urban Data Trust (UDT), will have a mandate to act in the public interest, and it is meant to ensure that privacy is respected and that any data collection, use or disclosure – even if the data is non-personal or deidentified – is ethical and serves the public interest. They propose a 5-person governance body, with representation from different stakeholder communities, including “a data governance, privacy, or intellectual property expert; a community representative; a public-sector representative; an academic representative; and a Canadian business industry representative” (MIDP, Chapter 5, p. 421).

The merits and/or shortcomings of this proposed governance scheme will no doubt be hotly debated as the public is consulted and as Waterfront Toronto develops its response to the MIDP. One thing is certain – the plan is sure to generate a great deal of discussion. Data governance for data sharing is becoming an increasingly important topic (it is also relevant in the Artificial Intelligence (AI) context) – one where there are many possibilities and proposals and much unexplored territory. Relatively recent publications on data governance for data sharing include reports by Element AI, MaRS, and the Open Data Institute. These reflect both the interest in and the uncertainties around the subject. Yet in spite of the apparent novelty of the subject and the flurry of interest in data trusts, there are already many different existing models of data governance for data sharing. These models may offer lessons that are important in developing data governance for data sharing for both AI and for smart city developments like Sidewalk Toronto.

My co-author Merlynda Vilain and I have just published a paper that explores one such model. In the early 2000s the Ontario government decided to roll out mandatory smart metering for electrical consumption in the province. Over a period of time, all homes and businesses would be equipped with smart meters, and these meters would collect detailed data in real time about electrical consumption. The proposal raised privacy concerns, particularly because detailed electrical consumption data could reveal intimate details about the activities of people within their own homes. The response to these concerns was to create a data governance framework that would protect customer privacy while still reaping the benefits of the detailed consumption data.

Not surprisingly, as the data economy surged alongside the implementation of smart metering, the interest in access to deidentified electrical consumption data grew across different levels of government and within the private sector. The data governance regime had therefore to adapt to a growing demand for access to the data from a broadening range of actors. Protecting privacy became a major concern, and this involved not just applying deidentification techniques, but also setting terms and conditions for reuse of the data.

The Smart Metering Entity (SME), the data governance body established for smart metering data, provides an interesting use case for data governance for data sharing. We carried out our study with this in mind; we were particularly interested in seeing what lessons could be learned from the SME for data governance in other contexts. We found that the SME made a particularly interesting case study because it involved public sector data, public and private sector stakeholders, and a considerable body of relatively sensitive personal information. It also provides a good example of a model that had to adapt to changes over a relatively short period of time – something that may be essential in a rapidly evolving data economy. There were changes in the value of the data collected, and new demands for access to the data by both public and private sector actors. Because of the new demand and new users, the SME was also pushed to collect additional data attributes to enrich the value of its data for potential users.

The SME model may be particularly useful to think about in the smart cities context. Smart cities also involve both public and private sector actors, they may involve the collection of large volumes of human behavioural data, and this gives rise to a strong public interest in appropriate data governance. Another commonality is that in both the smart metering and smart cities contexts individuals have little choice but to have their data collected. The underlying assumption is that the reuse and repurposing of this data across different contexts serves the public interest in a number of different ways. However, ‘public interest’ is a slippery fish and is capable of multiple interpretations. With a greatly diminished role for consent, individuals and communities require frameworks that can assist not just in achieving identified public interests, but in helping to identify and set those interests in the first place. Such frameworks must at the same time protect individual and community privacy, and ensure that data is not used in ways that are harmful or exploitative.

Overall, our study gave us much to think about, and its conclusion develops a series of ‘lessons’ for data governance for data sharing. A few things are worthy of particular note in relation to Sidewalk Labs’ proposed Urban Data Trust. First, designing appropriate governance for smart metering data was a significant undertaking that took a considerable amount of time, particularly as demands for data evolved. This was the case even though the SME was dealing only with one type of data (smart metering data) and was not responsible for overseeing new requests to collect new types of data. This is a sobering reminder that designing good data governance – particularly in complex contexts – may take considerable time and resources. The proposed UDT is very complex. It will deal with many different types of data, data collectors, and data users. It is also meant to approve and set terms and conditions for new collection and uses. The feasibility of creating robust governance for such a complex context is therefore an issue – especially within relatively short timelines for the project. Defining the public interest – which both the SME and the UDT are meant to serve – is also a challenge. In the case of the SME, the democratically elected provincial government determines the public interest at a policy level, and it is implemented through the SME. Even so, there are legitimate concerns about representation and about how the public interest is defined. With the UDT, it is not clear who determines the public interest or how. There will be questions about who oversees appointments to the UDT, and how different stakeholders and their interests are weighted in its composition and in its decision-making.

Our full paper can be found in open access format on the website of the Centre for International Governance Innovation (CIGI): here.


Published in Privacy
