Teresa Scassa - Blog

Note: My paper The Surveillant University: Remote Proctoring, AI and Human Rights is forthcoming in the Canadian Journal of Comparative and Contemporary Law. It explores a necessity and proportionality approach to the adoption by universities of remote proctoring solutions. Although the case discussed in the post below addresses a different set of issues, it does reflect some of the backlash and resistance to remote proctoring.

In 2020, the remote AI-enabled exam proctoring company Proctorio filed suit for copyright infringement and breach of confidence lawsuit against Ian Linkletter, a BC-based educational technologist. It also obtained an interim injunction prohibiting Linkletter from downloading or sharing information about Proctorio’s services from its Help Center or online Academy. Linkletter had posted links on Twitter to certain ‘unlisted’ videos on the company’s YouTube channel. His tweets were highly critical of the company and its AI-enabled exam surveillance software. He responded to the suit and the interim injunction with an application to have the underlying action thrown out under BC’s Protection of Public Participation Act (PPPA). This anti-SLAPP (strategic litigation against public participation) statute allows a court to dismiss proceedings that arise from an expression on a matter of public interest made by the applicant. On March 11, 2022, Justice Milman of the BC Supreme Court handed down his decision rejecting the PPPA application.

Linkletter first became concerned with Proctorio (a service to which the University of British Columbia subscribed at the time) after a University of British Columbia (UBC) student had her chat logs with Proctorio published online by the company after she complained about the service she received during an exam. In order to learn more about Proctorio, Linkletter developed a ‘sandbox’ course for which he was the instructor. This enabled him to access Proctorio’s online Help Center and its ‘Academy’ via UBC. These sites provide information and training to instructors. The Help Center had a number of videos available through YouTube. The URLs for these videos were unlisted, which meant that they were not searchable through YouTube’s site, although anyone with the link could access the video. Mr. Linkletter posted some of these links to Twitter, expressing his concerns with the contents of the videos. The company disabled the links, and created new ones. Linkletter also posted a screenshot of the Academy website with a message indicating that the original links were not available.

Justice Milman did not hesitate to find that the applicant had expressed himself on a matter of public interest. He noted that the software adopted by UBC “has generated controversy, there and elsewhere, due to concerns about its perceived invasiveness and what is thought by some to be its disparate and discriminatory impacts on some students.” (at para 3). The onus shifted to the respondent Proctorio to demonstrate the substantial merit of its proceedings, the lack of a valid defence by the applicant, and the seriousness of the harm it would suffer relative to the public interest in the expression. The threshold to be met by Proctorio was to demonstrate “that there are grounds to believe that its underlying claim is legally tenable and supported by evidence that is reasonably capable of belief such that the claim can be said to have a real prospect of success” (at para 56).

Proctorio’s lawsuit is essentially based on three intellectual property claims. The first of these was a breach of confidence claim relating to the unlisted YouTube video links. To succeed with this claim, the information at issue must be confidential; the circumstances under which it was communicated must give rise to an obligation of confidence; and the defendant must have made unauthorized use of the information to the detriment of the party communicating it. Justice Milman found that the respondent met the threshold of ‘substantial merit’ on this cause of action.

What Linkletter posted publicly on Twitter were links to videos. Proctorio claimed that it was these videos (along with a screen shot of a message on its Academy website) that were the confidential information it sought to protect. Although there are a number of factors that a court will take into account in assessing the confidentiality of information, the information must have a confidential nature and the party seeking to protect it must have taken appropriate steps to protect its confidentiality.

Unlisted YouTube video links are not publicly searchable, yet anyone with the link can access the content – and YouTube’s terms of service permit the sharing of unlisted links. However, Justice Milman found that Linkletter accessed Proctorio’s videos (and their links) via Proctorio’s website, which had its own terms of service to which Linkletter had clicked to agree. Those terms prohibit the copying or duplication of the materials found in their Help Centre – although they do not identify any of the content as confidential information. Canadian courts have found users of websites to be bound by terms of service regardless of whether they have read them; it is not a stretch to find that Linkletter had a contractual obligation not to share the contents. However, when it comes to taking the steps necessary to protect the confidentiality of information, one can question whether terms of service buried in links on a website – and that do not specifically identify the material as confidential – constitute a confidentiality or non-disclosure agreement. There was evidence that much of the material could be found elsewhere on the internet. It was also available to tens of thousands of instructors who were given access to the site at the discretion of university clients, not Proctorio. Justice Milman noted that “none of the videos stated on their face that they were commercially sensitive or should be kept from public view” (at para 64). He also found that “the choice to make them available on a public platform like YouTube when more secure options could have been used, dilutes the strength of Proctorio’s case” (at 64). In these circumstances, the court’s ruling that the confidential information claim had sufficient merit seems generous. In order to make out a claim of breach of confidence, it is also necessary for the plaintiff to show that the defendant made use of the information to the company’s detriment. Although the information was used to criticize the company, it is hard to see how Proctorio suffered any real damage particular to this breach of confidence. Much of the content was available through other sources, and the court described the company’s assertions that the videos could permit students to game their algorithms or could reveal their algorithmic secrets to competitors as ‘speculative’. Nonetheless, Justice Milman found enough here to satisfy the Proctorio’s onus to repel the PPPA application.

The copyright infringement argument depended upon a finding that the sharing of a hyperlink amounted to the sharing of the content that could be accessed by following the link. In spite of the fact that there is Canadian case law that suggests that sharing hyperlinks is not copyright infringement, Justice Milman was prepared to distinguish these cases. He found it significant that the materials were not publicly available except to those who had access to the links; sharing the links amounted to more than just pointing people to information otherwise available on the internet. Having found likely infringement, Justice Milman next considered available defences. He found that Linkletter did not meet the test for fair dealing as set out by the Supreme Court of Canada in CCH Canadian. It was conceded by Proctorio that Linkletter passed the first part of the fair dealing test – that the dealing was for a purpose listed in ss. 29, 29.1 or 29.2 of the Copyright Act. Presumably it was for the purposes of criticism or comment, although this is not made explicit in the decision. In assessing the fair dealing criteria, however, Justice Milman found that Linkletter’s circulation of the links on social media mitigated against fair dealing, as did the fact that anyone who followed the link had access to the full work.

On ‘alternatives to the dealing’, Justice Milman noted that rather than share the videos publicly, Linkletter could have reported on what he saw in the videos (although he earlier had found the videos (or the links to the videos – it is not entirely clear) to be confidential information). He could also have referred to other publicly available sources on the contents of the videos to make his point. On the issue of the nature of the work, Justice Milman found that the works were confidential (thus working against a finding of fair dealing) “even if most of the information in the videos was already available elsewhere on the internet”. Oddly, then, the fair dealing analysis not only underscores the fact that the material was largely publicly available, it suggests that an alternative to providing links to the videos was to discuss their contents freely. This suggests that the issue was not really the confidentiality of the content, but the fact that Linkletter had breached contractual terms of service in order to provide access to it.

On the final fair dealing criterion, the effect of the dealing on the work, Justice Milman found that by making the videos available through their links, “Mr. Linkletter created a risk that Proctorio’s product would be rendered less effective for its intended purposes (because students could more easily anticipate how instructors can configure the settings) and its proprietary information more readily available to competitors.” (at para 112). He conceded that this risk was ‘speculative’ given the amount of information about Proctorio’s services already in the public domain. Justice Milman found that, on balance, the fair dealing defence was not available to Linkletter. He also found that the defence of ‘user-generated content’ was not applicable.

Justice Milman declined to find that there had been circumvention of technical protection measures by Linkletter. He found that Linkletter had gained access to the materials by legitimate means. His subsequent copyright infringing acts were carried out without avoiding, bypassing, removing, deactivating or impairing any effective technology, device or component as required by s. 41.1 of the Copyright Act.

The final element of the test under the PPPA is that the interest of the plaintiff in carrying on with the action must outweigh its deleterious effects on expression and public participation. Justice Milman found that this test was met, notwithstanding the fact that he also found that the “corresponding harm that Proctorio has been able to demonstrate is limited” (at para 124). He found that the risks identified by Proctorio of students circumventing its technology or competitors learning how its software worked were “unlikely to materialize”. Nonetheless, he found that Linkletter’s actions “compromised the integrity of its Help Center and Academy screens, which were put in place in order to segregate the information made available to instructors and administrators from that intended for students and members of the public” (at para 126). He credited the interim injunction for limiting the adverse impacts in this regard. However, he was critical of the broad scope of that injunction and narrowed it to ensure that Linkletter was not enjoined from sharing or linking to content available from public sources. Justice Milman also noted that Linkletter remained free to express his views, as have been others who have also criticized Proctorio online.

The breach of copyright and breach of confidence claims in this case are weak, although their consideration is admittedly superficial given that this is not a decision on the merits. The court found just enough in the copyright and breach of confidence claims to keep them on the right side of the PPPA. Clearly Proctorio objects to the provision of direct public access to its instructional videos beyond the tens of thousands of instructors who have access to them each year – and who are apparently otherwise free to discuss their content in public fora. In this case, Proctorio quickly mitigated any harm by changing the links in question. It could also deny Linkletter access to its services on the basis that he breached the terms of use, and can better protect its content by no longer providing it on as unlisted content on YouTube. The narrowed injunction leaves Linkletter free to criticize Proctorio and to link to other publicly available information on the internet. In the circumstances, even if the underlying lawsuit is not a SLAPP suit, as Justice Milman concludes, it is hard to fathom why it should continue to consume scare judicial resources.

On February 28, 2022, the Ontario government introduced Bill 88, titled: An Act to enact the Digital Platform Workers’ Rights Act, 2022 and to amend various Acts. The Bill is now at the second reading stage.

Most of the attention received by the bill has been directed towards provisions that establish new rights for digital platform workers. The focus of this post is on a set of amendments relating to electronic monitoring of employees.

Bill 88 will amend the Employment Standards Act, 2000 to require employers with more than 25 employees to put in place written policies regarding employee monitoring. The policies must specify whether the employer monitors employees electronically, how and in what circumstances it does so, and for what purposes. Policies must include the date that they were prepared along with any dates of amendment. Regulations may also specify additional information to be contained in the policies. Employers will also have to provide – within set time limits – copies of the policy to each employee, as well as copies of any policies that have been revised or updated. There are policy record-keeping requirements as well.

The term “electronic monitoring” is not defined in the Bill, and there may be issues regarding its scope. Certainly, it would seem likely that audio and video surveillance, as well as key-stroke monitoring and other forms of digital surveillance would be captured by the concept. Less obvious to some employers might be things such as access cards that allow employees to enter and access certain areas of the workplace. Such cards track employee movements, and thus may also count as electronic monitoring. Beyond this, the bill provides significant scope for changes to obligations via regulation – the government may exempt employees from the requirement to have policies for certain forms of electronic monitoring in specified circumstances. Regulations may also prohibit some forms of electronic monitoring.

Given the extent to which employees are increasingly subject to electronic monitoring in the workplace – including in work-from-home contexts – these new provisions are welcome. They will provide employees with a right to know how and when they are being digitally monitored and for what purposes. However, the rights do not go much beyond this. Employees can only complain if they do not receive a copy of their employer’s policy within the specified timelines; the bill states that “a person may not file a complaint alleging a contravention of any other provision of this section or have such a complaint investigated” (s. 41.1.1(6)). Further, the bill places no limits on what employers may do with the information gathered. Section 41.1.1(7) provides: “nothing in this section affects or limits an employer’s ability to use information obtained through electronic monitoring of its employees”.

In 2021, the Ontario government floated the idea of enacting its own private sector data protection law. Such a law would have most likely included provisions protecting employee workplace privacy. Indeed, the province’s White Paper proposed the following:

An organization may collect, use or disclose personal information about an employee if the information is collected, used or disclosed solely for the purposes of,

(a) establishing, managing or terminating an employment or volunteer-work relationship between the organization and the individual; or

(b) managing a post-employment or post-volunteer-work relationship between the organization and the individual.

Although such a provision gives significant room for employers to collect data about their employees, including through electronic means, there is at least a purpose limitation that is absent from the Bill 88 amendments. Including employee personal information under a general data protection law would also have brought with it other protections contained within such legislation, including the right to complain of any perceived breach. All employees – not just those in work forces of 25 or more employees would have some rights with respect to data collected through electronic surveillance; such information would have to be collected, used or disclosed solely for the specified workplace-related purposes. Such an obligation would also be measurable against the general reasonableness requirement in privacy legislation.

The amendments to the Employment Standards Act, 2000 to address electronic surveillance of employees are better than nothing at all. Yet they do not go nearly as far as privacy legislation would in protecting employees’ privacy rights and in providing them with some recourse if they feel that employment surveillance goes beyond what is reasonably required in the employment context. With a provincial election looming it is highly unlikely that we will see a private sector data protection law introduced in the near future. One might also wonder whether the current government has lost its appetite entirely for such a move. In its submissions on the province’s White Paper, for example, the Ontario Chamber of Commerce chastised the province for considering the introduction of privacy legislation that would impose an additional burden on businesses at a time when they were seeking to recover from the effects of the pandemic. They advocated instead for reform to the federal government’s private sector data protection law which would build on the existing law and provide some level of national harmonization. Yet there are places where the federal law does not and cannot reach – and employment outside of federal sectors is one of them. Privacy protections for workers in Ontario must be grounded in provincial law; the proposed changes to the Employment Standards Act, 2000 fall far short of what a basic privacy law would provide.

I was invited to appear before the Standing Committee on Access to Information, Privacy and Ethics (ETHIC) on February 10, 2022. The Committee was conducting hearings into the use of de-identified, aggregate mobility data by the Public Health Agency of Canada. My opening statement to the committee is below. The recording of this meeting (as well as all of the other meetings on this topic) can be found here: https://www.ourcommons.ca/Committees/en/ETHI/Meetings

Thank you for the invitation to address this Committee on this important issue.

The matter under study by this Committee involves a decision by the Public Health Agency of Canada (PHAC) to use de-identified aggregate mobility data sourced from the private sector to inform public health decision-making during a pandemic.

This use of mobility data – and the reaction to it – highlight some of the particular challenges of our digital and data society:

· It confirms that people are genuinely concerned about how their data are used. It also shows that they struggle to keep abreast of the volume of collection, the multiple actors engaged in collection and processing, and the ways in which their data are shared with and used by others. In this context, consent alone is insufficient to protect individuals.

· The situation also makes clear that data are collected and curated for purposes that go well beyond maintaining customer relationships. Data are the fuel of analytics, profiling, and AI. Some of these uses are desirable and socially beneficial; others are harmful or deeply exploitative. The challenge is to facilitate the positive uses and to stop the harmful and exploitative ones.

· The situation also illustrates how easily data now flow from the private sector to the public sector in Canada. Our current legal framework governs public and private sector uses of personal data separately. Our laws need to be better adapted to address the flow of data across sectors.

Governments have always collected data and used it to inform decision-making. Today they have access to some of the same tools for big data analytics and AI as the private sector, and they have access to vast quantities of data to feed those analytics.

We want governments to make informed decisions based on the best available data, but we want to prevent excessive intrusions upon privacy.

Both PIPEDA and the Privacy Act must be modernized so that they can provide appropriate rules and principles to govern the use of data in a transformed and transforming digital environment. The work of this Committee on the mobility data issue could inform this modernization process.

As you have heard already from other witnesses, PIPEDA and the Privacy Act currently apply only to data about identifiable individuals. This creates an uncomfortable grey zone for de-identified data. The Privacy Commissioner must have some capacity to oversee the use of de-identified data, at the very least to ensure that re-identification does not take place. For example, the province of Ontario addressed this issue in 2019 amendments to its public sector data protection law. Amendments defined de-identified information for the purposes of use by government, required the development of data standards for de-identified data, and provided specific penalties for the re-identification of de-identified personal data.

The Discussion Paper on the Modernization of the Privacy Act speaks of the need for a new framework to facilitate the use of de-identified personal information by government, but we await a Bill to know what form that might take.

The former Bill C-11 – the bill to amend the Personal Information Protection and Electronic Documents Act that died on the Order Paper last fall, specifically defined de-identified personal information. It also created exceptions to the requirements of knowledge and consent to enable organizations to de-identify personal information in their possession; and to use or disclose it in some circumstances – also without knowledge and consent. It would have required de-identification measures proportional to the sensitivity of the information, and would have prohibited the re-identification of de-identified personal information – with stiff penalties.

The former Bill C-11 would also have allowed private sector organizations to share de-identified data without knowledge or consent, with certain entities (particularly government actors), for socially beneficial purposes. This provision would have applied to the specific situation before this committee right now – it would have permitted this kind of data sharing – and without the knowledge or consent of the individuals whose data were de-identified and shared.

This same provision or a revised version of it will likely be in the next bill to reform PIPEDA that is introduced into Parliament. When this happens, important questions to consider will be the scope of this provision (how should socially beneficial purposes be defined?); what degree of transparency should be required on the part of organizations who share our de-identified information?; and how will the sharing of information for socially beneficial purposes by private sector organizations with the government dovetail with any new obligations for the public sector -- including whether there should be any prior review or approval of plans to acquire and/or use the data, and what degree of transparency is required. I hope that the work of this Committee on the mobility data issue will help to inform these important discussions.

Ontario has just released its Beta principles for the ethical use of AI and data enhanced technologies in Ontario. These replace the earlier Alpha principles, and are revised based upon commentary and feedback on the Alpha version. Note that these principles are designed for use in relation to AI technologies adopted for the Ontario public sector.

Below you will find a comparison table I created to provide a quick glance at what has been changed since the previous version. I have flagged significant additions with italics in the column for the Beta version. I have also flagged some words or concepts that have disappeared in the Beta version by using strikethrough in the column with the Alpha version. I have focused on the principles, and have not flagged changes to the “Why it Matters” section of each principle.

One important change to note is that the Beta version now refers not just to technologies used to make decisions, but also technologies used to assist in decision-making.

On December 7, 2021, the privacy commissioners of Quebec, British Columbia and Alberta issued orders against the US-based company Clearview AI, following its refusal to voluntarily comply with the findings in the joint investigation report they issued along with the federal privacy commissioner on February 3, 2021.

Clearview AI gained worldwide attention in early 2020 when a New York Times article revealed that its services had been offered to law enforcement agencies for use in a largely non-transparent manner in many countries around the world. Clearview AI’s technology also has the potential for many different applications including in the private sector. It built its massive database of over 10 billion images by scraping photographs from publicly accessible websites across the Internet, and deriving biometric identifiers from the images. Users of its services upload a photograph of a person. The service then analyzes that image and compares it with the stored biometric identifiers. Where there is a match, the user is provided with all matching images and their metadata, including links to the sources of each image.

Clearview AI has been the target of investigation by data protection authorities around the world. France’s Commission Nationale de l'Informatique et des Libertés has found that Clearview AI breached the General Data Protection Regulation (GDPR). Australia and the UK conducted a joint investigation which similarly found the company to be in violation of their respective data protection laws. The UK commissioner has since issued a provisional view, stating its intent to levy a substantial fine. Legal proceedings are currently underway in Illinois, a state which has adopted biometric privacy legislation. Canada’s joint investigation report issued by the federal, Quebec, B.C. and Alberta commissioners found that Clearview AI had breached the federal Personal Information Protection and Electronic Documents Act, as well as the private sector data protection laws of each of the named provinces.

The Canadian joint investigation set out a series of recommendations for Clearview AI. Specifically, it recommended that Clearview AI cease offering its facial recognition services in Canada, “cease the collection, use and disclosure of images and biometric facial arrays collected from individuals in Canada”, and delete any such data in its possession. Clearview AI responded by saying that it had temporarily ceased providing its services in Canada, and that it was willing to continue to do so for a further 18 months. It also indicated that if it offered services in Canada again, it would require its clients to adopt a policy regarding facial recognition technology, and it would offer an audit trail of searches.

On the second and third recommendations, Clearview AI responded that it was simply not possible to determine which photos in its database were of individuals in Canada. It also reiterated its view that images found on the Internet are publicly available and free for use in this manner. It concluded that it had “already gone beyond its obligations”, and that while it was “willing to make some accommodations and met some of the requests of the Privacy Commissioners, it cannot commit itself to anything that is impossible and or [sic] required by law.” (Letter reproduced at para 3 of Order P21-08).

In this post I consider three main issues that flow from the orders issued by the provincial commissioners. The first relates to the cross-border reach of Canadian law. The second relates to enforcement (or lack thereof) in the Canadian context, particularly as compared with what is available in other jurisdictions such as the UK and the EU. The third issue relates to the interest shown by the commissioners in a compromise volunteered by Clearview AI in the ongoing Illinois litigation – and what this might mean for Canadians’ privacy.

1. Jurisdiction

Clearview AI maintains that Canadian laws do not apply to it. It argues that it is a US-based company with no physical presence in Canada. Although it initially provided its services to Canadian law enforcement agencies (see this CBC article for details of the use of Clearview by Toronto Police Services), it had since ceased to do so – thus, it no longer had clients in Canada. It scraped its data from platform companies such as Facebook and Instagram, and while many Canadians have accounts with such companies, Clearview’s scraping activities involved access to data hosted on platforms outside of Canada. It therefore argued that it not only did not operate in Canada, it had no ‘real and substantial’ connection to Canada.

The BC Commissioner did not directly address this issue. In his Order, he finds a hook for jurisdiction by referring to the personal data as having been “collected from individuals in British Columbia without their consent”, although it is clear there is no direct collection. He also notes Clearview’s active contemplation of resuming its services in Canada. Alberta’s Commissioner makes a brief reference to jurisdiction, simply stating that “Provincial privacy legislation applies to any private sector organization that collects, uses and discloses information of individuals within that province” (at para 12). The Quebec Commissioner, by contrast, gives a thorough discussion of the jurisdictional issues. In the first place, she notes that some of the images came from public Quebec sources (e.g., newspaper websites). She also observes that nothing indicates that images scraped from Quebec sources have been removed from the database; they therefore continue to be used and disclosed by the company.

Commissioner Poitras cited the Federal Court decision in Lawson for the principle that PIPEDA could apply to a US-based company that collected personal information from Canadian sources – so long as there is a real and substantial connection to Canada. She found a connection to Quebec in the free accounts offered to, and used by, Quebec law enforcement officials. She noted that the RCMP, which operates in Quebec, had also been a paying client of Clearview’s. When Clearview AI was used by clients in Quebec, those clients uploaded photographs to the service in the search for a match. This also constituted a collection of personal information by Clearview AI in Quebec.

Commissioner Poitras found that the location of Clearview’s business and its servers is not a determinative jurisdictional factor for a company that offers its services online around the world, and that collects personal data from the Internet globally. She found that Clearview AI’s database was at the core of its services, and a part of that database was comprised of data from Quebec and about Quebeckers. Clearview had offered its service in Quebec, and its activities had a real impact on the privacy of Quebeckers. Commissioner Poitras noted that millions of images of Quebeckers were appropriated by Clearview without the consent of the individuals in the images; these images were used to build a global biometric facial recognition database. She found that it was particularly important not to create a situation where individuals are denied recourse under quasi-constitutional laws such as data protection laws. These elements in combination, in her view, would suffice to create a real and substantial connections.

Commissioner Poitras did not accept that Clearview’s suspension of Canadian activities changed the situation. She noted that information that had been collected in Quebec remained in the database, which continued to be used by the company. She stated that a company could not appropriate the personal information of a substantial number of Quebeckers, commercialise this information, and then avoid the application of the law by saying they no longer offered services in Quebec.

The jurisdictional questions are both important and thorny. This case is different from cases such as Lawson and Globe24hrs, where the connections with Canada were more straightforward. In Lawson, there was clear evidence that the company offered its services to clients in Canada. It also directly obtained some of its data about Canadians from Canadian sources. In Globe24hrs, there was likewise evidence that Canadians were being charged by the Romanian company to have their personal data removed from the database. In addition, the data came from Canadian court decisions that were scraped from websites located in Canada. In Clearview AI, while some of the scraped data may have been hosted on servers located in Canada, most were scraped from offshore social media platform servers. If Clearview AI stopped offering its services in Canada and stopped scraping data from servers located in Canada, what recourse would Canadians have? The Quebec Commissioner attempts to address this question, but her reasons are based on factual connections that might not be present in the future, or in cases involving other data-scraping respondents. There needs to be a theory of real and substantial connection that specifically addresses the scraping of data from third-party websites, contrary to those websites’ terms of use, and contrary to the legal expectations of the sites’ users that can anchor the jurisdiction of Canadian law, even when the scraper has no other connection to Canada.

Canada is not alone with these jurisdictional issue – Australia’s orders to Clearview AI are currently under appeal, and the jurisdiction of the Australian Commissioner to make such orders will be one of the issues on appeal. A jurisdictional case – one that is convincing not just to privacy commissioners but to the foreign courts that may have to one day determine whether to enforce Canadian decisions – needs to be made.

2. Enforcement

At the time the facts of the Clearview AI investigation arose, all four commissioners had limited enforcement powers. The three provincial commissioners could issue orders requiring an organization to change its practices. The federal commissioner has no order-making powers, but can apply to Federal Court to ask that court to issue orders. The relative impotence of the commissioners is illustrated by Clearview’s hubristic response, cited above, that indicates that it had already “gone beyond its obligations”. Clearly, it considers anything that the commissioners had to say on the matter did not amount to an obligation.

The Canadian situation can be contrasted with that in the EU, where commissioners’ orders requiring organizations to change their non-compliant practices are now reinforced by the power to levy significant administrative monetary penalties (AMPs). The same situation exists in the UK. There, the data commissioner has just issued a preliminary enforcement notice and a proposed fine of £17M against Clearview AI. As noted earlier, the enforcement situation is beginning to change in Canada – Quebec’s newly amended legislation permits the levying of substantial AMPs. When some version of Bill C-11 is reintroduced in Parliament in 2022, it will likely also contain the power to levy AMPs. BC and Alberta may eventually follow suit. When this happens, the challenge will be first, to harmonize enforcement approaches across those jurisdictions; and second, to ensure that these penalties can meaningfully be enforced against offshore companies such as Clearview AI.

On the enforcement issue, it is perhaps also worth noting that the orders issued by the three Commissioners in this case are all slightly different. The Quebec Commissioner orders Clearview AI to cease collecting images of Quebeckers without consent, and to cease using these images to create biometric identifiers. It also orders the destruction, within 90 days of receipt of the order, all of the images collected without the consent of Quebeckers, as well as the destruction of the biometric identifiers. Alberta’s Commissioner orders that Clearview cease offering its services to clients in Alberta, cease the collection and use of images and biometrics collected from individuals in Alberta, and delete the same from its databases. BC’s order prohibits the offering of Clearview AI’s services using data collected from British Columbians without their consent to clients in British Columbia. He also orders that Clearview AI use “best efforts” to cease its collection, use and disclosure of images and biometric identifiers of British Columbians without its consent, as well as to use the same “best efforts” to delete images and biometric identifiers collected without consent.

It is to these “best efforts” that I next turn.

3. The Illinois Compromise

All three Commissioners make reference to a compromise offered by Clearview AI in the course of ongoing litigation in Illinois under Illinois’ Biometric Information Privacy Act. By referring to “best efforts” in his Order, the BC Commissioner seems to be suggesting that something along these lines would be an acceptable compromise in his jurisdiction.

In its response to the Canadian commissioners, Clearview AI raised the issue that it cannot easily know which photographs in its database are of residents of particular provinces, particularly since these are scraped from the Internet as a whole – and often from social media platforms hosted outside Canada.

Yet Clearview AI has indicated that it has changed some of its business practices to avoid infringing Illinois law. This includes “cancelling all accounts belonging to any entity based in Illinois” (para 12, BC Order). It also includes blocking from any searches all images in the Clearview database that are geolocated in Illinois. In the future, it also offers to create a “geofence” around Illinois. This means that it “will not collect facial vectors from any scraped images that contain metadata associating them with Illinois” (para 12 BC Order). It will also “not collect facial vectors from images stored on servers that are displaying Illinois IP addresses or websites with URLs containing keywords such as “Chicago” or “Illinois”.” Clearview apparently offers to create an “opt-out” mechanism whereby people can ask to have their photos excluded from the database. Finally, it will require its clients to not upload photos of Illinois residents. If such a photo is uploaded, and it contains Illinois-related metadata, no search will be performed.

The central problem with accepting the ‘Illinois compromise’ is that it allows a service built on illegally scraped data to continue operating with only a reduced privacy impact. Ironically, it also requires individuals who wish to benefit from this compromise, to provide more personal data in their online postings. Many people actually suppress geolocation information from their photographs to protect their privacy. Ironically, the ‘Illinois compromise’ can only exclude photos that contain geolocation data. Even with geolocation turned on, it would not exclude the vacation pics of any BC residents taken outside of BC (for example). Further, limiting scraping of images from Illinois-based sites will not prevent the photos of Illinois-based individuals from being included within the database a) if they are already in there, and b) if the images are posted on social media platforms hosted elsewhere.

Clearview AI is a business built upon data collection practices that are illegal in a large number of countries outside the US. The BC Commissioner is clearly of the opinion that a compromise solution is the best that can be hoped for, and he may be right in the circumstances. Yet it is a bitter pill to think that such flouting of privacy laws will ultimately be rewarded, as Clearview gets to keep and commercialize its facial recognition database. Accepting such a compromise could limit the harms of the improper exploitation of personal data, but it does not stop the exploitation of that data in all circumstances. And even this unhappy compromise may be out of reach for Canadians given the rather toothless nature of our current laws – and the jurisdictional challenges discussed earlier.

If anything, this situation cries out for global and harmonized solutions. Notably it requires the US to do much more to bring its wild-west approach to personal data exploitation in line with the approaches of its allies and trading partners. It also will require better cooperation on enforcement across borders. It may also call for social media giants to take more responsibility when it comes to companies that flout their terms and conditions to scrape their sites for personal data. The Clearview AI situation highlights these issues – as well as the dramatic impacts data misuse may have on privacy as personal data continues to be exploited for use in powerful AI technologies.

It has been quite a while since I posted to my blog. The reason has simply been a crushing workload that has kept me from writing anything that did not have an urgent deadline! In the meantime, so much has been going on in terms of digital and data law and policy in Canada and around the world. I will try to get back on track!

Artificial intelligence (AI) has been garnering a great deal of attention globally –for its potential to drive innovation, its capacity to solve urgent challenges, and its myriad applications across a broad range of sectors. In an article that is forthcoming in the Canadian Journal of Law and Technology, Bradley Henderson, Colleen Flood and I examine issues of algorithmic and data bias leading to discrimination in the healthcare context. AI technologies have tremendous potential across the healthcare system – AI innovation can improve workflows, enhance diagnostics, accelerate research and refine treatment. Yet at the same time, AI technologies bring with them many concerns, among them, bias and discrimination.

Bias can take many forms. In our paper, we focus on those manifestations of bias that can lead to discrimination of the kind recognized in human rights legislation and the Charter. Discrimination can arise either from flawed assumptions being coded into algorithms, from adaptive AI that makes its own correlations, or from unrepresentative data (or from a combination of these).

There are some significant challenges when it comes to the data used to train AI algorithms. Available data may reflect existing disparities and discrimination within the healthcare system. For example, some communities may be underrepresented in the data because of lack of adequate access to healthcare, or from a lack of trust in the healthcare system that tends to keep them away until health issues become acute. Lack of prescription drug coverage or access to paid sick leave may also impact when and how people access health care services. Racial or gender bias in terms of how symptoms or concerns are recorded or how illness is diagnosed can also affect the quality and representativeness of existing stores of data. AI applications developed and trained on data from US-based hospitals may reflect the socio-economic biases that impact access to health care in the US. It may also be questionable the extent to which they are generalizable to the Canadian population or sub-populations. In some cases, data about race or ethnicity may be important markers for understanding diseases and how they manifest themselves but these data may be lacking.

There are already efforts afoot to ensure better access to high quality health data for research and innovation in Canada, and our paper discusses some of these. Addressing data quality and data gaps is certainly one route to tackling bias and discrimination in AI. Our paper also looks at some of the legal and regulatory mechanisms available. On the legal front, we note that there are some recourses available where things go wrong, including human rights complaints, lawsuits for negligence, or even Charter challenges. However, litigating the harms caused by algorithms and data is likely to be complex, expensive, and fraught with difficulty. It is better by far to prevent harms than to push a system to improve itself after costly litigation. We consider the evolving regulatory landscape in Canada to see what approaches are emerging to avoid or mitigate harms. These include regulatory approaches for AI-enabled medical devices, and advanced therapeutic products. However, these systems focus on harms to human health, and would not apply to AI tools developed to improve access to healthcare, manage workflows, conduct risk assessments, and so on. There are regulatory gaps, and we discuss some of these. The paper also makes recommendations regarding improving access to better data for research and innovation, with the accompanying necessary enhancements to privacy laws and data governance regimes to ensure the protection of the public.

One of the proposals made in the paper is that bias and discrimination in healthcare-related AI applications should be treated as a safety issue, bringing a broader range of applications under Health Canada regulatory regimes. We also discuss lifecycle regulatory approaches (as opposed to one-off approvals), and providing warnings about data gaps and limitations. We also consider enhanced practitioner licensing and competency frameworks, requirements at the procurement stage, certification standards and audits. We call for law reform to human rights legislation which is currently not well-adapted to the AI context.

In many ways, this paper is just a preliminary piece. It lays out the landscape and identifies areas where there are legal and regulatory gaps and a need for both law reform and regulatory innovation. The paper is part of the newly launched Machine MD project at uOttawa, which is funded by the Canadian Institutes for Health Research, and that will run for the next four years.

The full pre-print text of the article can be found here.

The Federal Court has issued its decision in a reference case brought by the Privacy Commissioner of Canada regarding the interpretation of his jurisdiction under the Personal Information Protection and Electronic Documents Act (PIPEDA). The reference relates to a complaint against Google about its search engine, and implicating the so-called ‘right to be forgotten’. Essentially, the complainant in that case seeks an order requiring Google to de-index certain web pages that show up in searches for his name and that contain outdated and inaccurate sensitive information. Google’s response to the complaint was to challenge the jurisdiction of the Commissioner to investigate. It argued that its search engine functions were not a ‘commercial activity’ within the meaning of PIPEDA and that PIPEDA therefore did not apply. It also argued that its search engine was a journalistic or literary function which is excluded from the application of PIPEDA under s. 4(2)(c). The Canadian Broadcasting Corporation (CBC) and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) both intervened.

Associate Chief Justice Gagné ruled that the Commissioner has jurisdiction to deal with the complaint. In this sense, this ruling simply enables the Commissioner to continue with his investigation of the complaint and to issue his Report of Findings – something that could no doubt generate fresh fodder for the courts, since a finding that Google should de-index certain search results would raise interesting freedom of expression issues. Justice Gagné’s decision, however, focuses on whether the Commissioner has jurisdiction to proceed. Her ruling addresses 1) the commercial character of Google’s search engine activity; 2) whether Google’s activities are journalistic in nature; and 3) the relevance of the quasi-constitutional status of PIPEDA. I will consider each of these in turn.

1) The Commercial Character of Google’s Search Engine

Largely for division of powers reasons, PIPEDA applies only to the collection, use or disclosure of personal information in the course of “commercial activity”. Thus, if an organization can demonstrate that it was not engaged in commercial activity, they can escape the application of the law.

Justice Gagné found that Google collected, used and disclosed information in offering its search engine functions. The issue, therefore, was whether it engaged in these practices “in the course of commercial activity”. Justice Gagné noted that Google is one of the most profitable companies in existence, and that most of its profits came from advertising revenues. Although Google receives revenues when a user clicks on an ad that appears in search results, Google argued that not all search results generate ads – this depends on whether other companies have paid to have the particular search terms trigger their ads. In the case of a search for an ordinary user’s name, it is highly unlikely that the search will trigger ads in the results. However, Justice Gagné noted that advertisers can also target ads to individual users of Google’s search engine based on data that Google has collected about that individual from their online activities. According to Justice Gagné, “even if Google provides free services to the content providers and the user of the search engine, it has a flagrant commercial interest in connecting these two players.” (at para 57) She found that search engine users trade their personal data in exchange for the search results that are displayed when they conduct a search. Their data is, in turn, used in Google’s profit-generating activities. She refused to ‘dissect’ Google’s activities into those that are free to users and those that are commercial, stating that the “activities are intertwined, they depend on one another, and they are all necessary components of that business model.” (at para 59) She also noted that “unless it is forced to do so, Google has no commercial interest in de-indexing or de-listing information from its search engine.” (at para 59)

2) Is Google’s Search Engine Function Journalistic in Nature

PIPEDA does not apply to activities that are exclusively for journalistic purposes. This is no doubt to ensure that PIPEDA does not unduly interfere with the freedom of the press. Google argued that its search engine allowed users to find relevant information, and that in providing these services it was engaged in journalistic purposes.

Justice Gagné observed that depending upon the person, a search by name can reveal a broad range of information from multiple and diverse sources. In this way, Google facilitates access to information, but, in her view, it does not perform a journalistic function. She noted: “Google has no control over the content of search results, the search results themselves express no opinion, and Google does not create the content of the search results.” (at para 82) She adopted the test set out in an earlier decision in A.T. v. Globe24hr.com, whereby an activity qualifies as journalism if “its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a ‘self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation.” (at para 83) Applying the test to Google’s activities, she noted that Google did more than just inform a community about matters of interest, and that it did not create or produce content. She observed as well that “there is no effort on the part of Google to determine the fairness or the accuracy of the search results.” (at para 85). She concluded that the search engine functions were not journalistic activity – or that if they were they were not exclusively so. As a result, the journalistic purposes did not exempt Google from the application of PIPEDA.

3) The Relevance of the Quasi-Constitutional Status of PIPEDA

The Supreme Court of Canada has ruled that both public and private sector data protection laws in Canada have quasi-constitutional status. What this means in practical terms is less clear. Certainly it means that they are recognized as laws that protect rights and/or values that are of fundamental importance to a society. For example, in Lavigne, the Supreme Court of Canada stated that the federal Privacy Act served as “a reminder of the extent to which the protection of privacy is necessary to the preservation of a free and democratic society” (at para 25). In United Food and Commercial Workers, the Supreme Court of Canada found that Alberta’s private sector data protection law also had quasi-constitutional status and stated: “The ability of individuals to control their personal information is intimately connected to their individual autonomy, dignity and privacy. These are fundamental values that lie at the heart of a democracy.” (at para 19)

What this means in practical terms is increasingly important as questions are raised about the approach to take to private sector data protection laws in their upcoming reforms. For example, the Privacy Commissioner of Canada has criticized Bill C-11 (a bill to reform PIPEDA) for not adopting a human rights-based approach to privacy – one that is explicitly grounded in human rights values. By contrast, Ontario in its White Paper proposing a possible private sector data protection law for Ontario, indicates that it will adopt a human rights-based approach. One issue at the federal level might be the extent to which the quasi-constitutional nature of a federal data protection law does the work of a human rights-based approach when it comes to shaping interpretation of the statute. The decision in this reference case suggests that the answer is ‘no’. In fact, the Attorney-General of Canada specifically intervened on this point, argue that “[t]he quasi-constitutional nature of PIPEDA does not transform or alter the proper approach to statutory interpretation”. (at para 30). Justice Gagné agreed. The proper approach is set out in this quote from Driedger in Lavigne (at para 25): “the words of an Act are to be read in their entire context and in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament.”

In this case, the relevant words of the Act – “commercial activity” and “journalistic purposes” were interpreted by the Court in accordance with ordinary interpretive principles. I do not suggest that these interpretations are wrong or problematic. I do find it interesting, though, that this decision makes it clear that an implicit human rights-based approach is far inferior to making such an approach explicit through actual wording in the legislation. This is a point that may be relevant as we move forward with the PIPEDA reform process.

Next Steps

Google may, of course, appeal this decision to the Federal Court of Appeal. If it does not, the next step will be for the Commissioner to investigate the complaint and to issue its Report of Findings. The Commissioner has no order-making powers under PIPEDA. If an order is required to compel Google to de-index any sites, this will proceed via a hearing de novo in Federal Court. We are still, therefore, a long way from a right to be forgotten in Canada.

In June 2021, Ontario issued a White Paper that sets out some proposals, including suggested wording, for a new private sector data protection law for the province. This is part of its overall digital and data strategy. Input on the White Paper is sought by August 3, 2021.

I have published table that compares Ontario’s with the federal government’s Bill C-11 (which will not make it through Parliament in the present sitting, and which may get some necessary attention over the summer). It makes sense to compare the proposal to C-11 because, if it passes, any Ontario law would have to be found to be substantially similar to it. The Ontario proposal has clearly been drafted with Bill C-11 in mind. That said, the idea is not to simply copy Bill C-11. The White Paper shows areas where Bill C-11 may be largely copied, but other places where Ontario plans to modify it, add something new, or go in a different direction. Of course, feedback is sought on the contents of the White Paper, and a bill, if and when it is introduced in the Legislature, may look different from what is currently proposed – depending on what feedback the government receives.

I have prepared a Table that compares the Ontario proposal with Bill C-11, with some added commentary. The Table can be found here, with the caveat that the commentary is preliminary – and was generated quite quickly.

Please be sure to respond to the consultation by the August 3 deadline!

The following is my submission to the Ontario government's Consultation on Developing Ontario's Artificial Intelligence (AI) Framework. The Consultation closed on June 4, 2021.

Thank you for the opportunity to provide input on the development of trustworthy AI in Ontario. Due to time pressures my comments will be relatively brief. Hopefully there will be other opportunities to engage with this process.

Developing a framework for the governance of AI in Ontario is important, and it is good to see that this work is underway in Ontario. I note that the current consultation focuses on AI for use in the public sector. Similar work needs to be done for the governance of AI that will be developed and deployed in the private sector context. I hope that this work is also being contemplated.

As I am sure you know, the federal government has already developed a Directive on Automated Decision-Making (DADM) which applies to a broad range of uses of AI in the federal public sector context. It comes with an algorithmic impact assessment tool. Although I appreciate the sensitivities around sovereignty within a province’s own spheres of competence, there is much to be said for more unified national approaches to many regulatory issues – particularly in the digital context. One option for Ontario is to use the DADM as a starting point for its approach to public sector AI governance, and to assess and adapt it for use in Ontario. This would allow Ontario to take advantage of an approach that is already well developed, and into which a considerable amount of thoughtful work has been invested. It is both unnecessary and counterproductive to reinvent the wheel. Serious consideration should be given – as a matter of public policy – to adopting, where possible, harmonized approaches to the governance of digital technologies.

At the same time, I note that the consultation document suggests that Ontario might go beyond a simple internal directive and actually provide an accountability framework that would give individuals direct recourse in cases where government does not meet whatever requirements are established. A public accountability framework is lacking in the federal DADM, and would be most welcome in Ontario.

The proposed public sector framework for Ontario is organized around three broad principles: No AI in secret; AI use Ontarians can trust; and AI that serves all Ontarians. These are good, if broad, principles. The real impact of this governance initiative will, of course, lie in its detail. However, it is encouraging to see a commitment to transparency, openness and public participation. It is also important that the government recognize the potential for AI to replicate or exacerbate existing inequities and to commit to addressing equity and inclusion.

My comments will address each of the principles in turn.

1. No AI in Secret

The consultation document states that “for people to trust that the use of AI is safe and appropriate they must first be aware that the AI exists. As a result, the government needs to be transparent about how, when, and why these tools are used so that people have a right to address potential biases created by the AI algorithms.” I agree. A public register of AI tools in use by government, along with access to details about these tools would be most welcome.

I do question, however, what is meant by “government” in this statement. In other words, I would be very interested to know more about the scope of what is being proposed. It was only a short while ago that we learned, for example, that police services in Ontario had made use of Clearview AI’s controversial facial recognition database. In some cases, it seems that senior ranks of the police may not even have been aware of this use. Ontario’s Privacy Commissioner at the time expressed concerns over this practice. This case raises important questions regarding the scope of the proposed commitment to transparency and AI. The first is whether police services will be included under government AI governance commitments – and if they are not, why not, and what measures will be put in place to govern AI used in the law enforcement context. It is also important to know what other agencies or departments will be excluded. A further question is whether AI-related commitments at the provincial level will be extended to municipalities, or whether they are intended only for use in the provincial public sector. Another question is whether the principles will only apply to AI developed within government or commissioned by government. In other words, will any law or guidance developed also apply to the myriad services that might be otherwise be available to government? For example, will new rules apply to the decision by a department to use the services of a human resources firm that makes use of AI in its recruitment processes? Will they apply to workplace monitoring software and productivity analytics services that might be introduced in the public service? On this latter point, I note it is unclear whether the commitment to AI governance relates only to AI that affects the general population as opposed to AI used to manage government employees. These issues of application and scope of any proposed governance framework are important.

2. Use Ontarian’s can Trust

The second guiding principle is “Use Ontarians can Trust”. The commitment is framed in these terms: “People building, procuring, and using AI have a responsibility to the people of Ontario that AI never puts people at risk and that proper guardrails are in place before the technology is used by the government.”

One of the challenges here is that there are so many types of AI and so many contexts in which AI can be used. Risk is inevitable -- and some of the risks may be of complex harms. In some cases, these harms may be difficult to foresee. The traffic predicting algorithm used as an illustration in this part of the consultation document has fairly clear-cut risk considerations. The main issue will be whether such an algorithm reduces the risk of serious accidents, for example. The risks from an algorithm that determines who is or is not eligible to receive social assistance benefits, on the other hand, will be much more complex. One significant risk will be that people who need the benefit will not receive it. Other risks might include the exacerbation of existing inequalities, or even greater alienation in the face of a seemingly impersonal system. These risks are serious but some are intangible – they might be ignored, dismissed or underestimated. Virginia Eubanks and others have observed that experimentation with the use of AI in government tends to take place in the context of programs and services for the least empowered members of society. This is troubling. The concept of risk must be robust and multifaceted. Decisions about where to deploy AI must be equitable and unbiased – not just the AI.

One of the initial recommendations in this section is to propose “ways to update Ontario’s rules, laws and guidance to strengthen the governance of AI, including whether to adopt a risk-based approach to determine when which rules apply.” I agree that work needs to be done to update Ontario’s legal frameworks in order to better address the challenges of AI. Data protection and human rights are two obvious areas where legislative reform may be necessary. It will also be important for those reforms to be accompanied by the necessary resources to handle the complex cases likely to be generated by AI. If legal protections and processes are enhanced without additional resources, the changes will be meaningless. It may also be necessary to consider establishing a regulatory authority for AI that could provide the governance, oversight and accountability specifically required by AI systems, and that could develop the necessary expertise. Challenging algorithmic decision-making will not be easy for ordinary Ontarians. They will need expert assistance and guidance for any challenge that goes beyond asking for an explanation or a reconsideration of the decision. A properly-resourced oversight body can provide this assistance and can develop necessary expertise to assist those who develop and implement AI.

3. AI that Serves all Ontarians

The overall goal for this commitment is to ensure that “Government use of AI reflects and protects the rights and values of Ontarians.” The values that are identified are equity and inclusion, as well as accountability.

As noted above, there is a tendency to deploy AI systems in ways that impact the most disadvantaged. AI systems are in use in the carceral context, they are used for the administration of social benefits programs, and so on. The very choices as to where to start experimenting with AI are ones that have significant impact. In these contexts, the risks of harm may be quite significant, but the populations impacted may feel most disempowered when it comes to challenging decisions or seeking recourse. This part of the consultation document suggests as a potential action the need to “Assess whether the government should prohibit the use of AI in certain use cases where vulnerable populations are at an extremely high risk.” While there likely are contexts in which a risk-based approach would warrant an early ban on AI until the risks can properly addressed, beyond bans, there should also be deliberation about how to use AI in contexts in which individuals are vulnerable. This might mean not rushing to experiment with AI in these areas until we have built a more robust accountability and oversight framework. It may also mean going slowly in certain areas – using only AI-assisted decision making, for example, and carefully studying and evaluating particular use cases.

In closing I would like to note as well the very thoughtful and thorough work being done by the Law Commission of Ontario on AI and Governance, which has a particular focus on the public sector. I hope that any policy development being done in this area will make good use of the Law Commission’s work.

Ontario launched its Digital and Data Strategy on April 30, 2021, in a the document, titled Building a Digital Ontario. The Strategy – based on a consultation process announced late in 2019 – is built around four main themes. These are “equipped to succeed”, “safe and secure”, “connected” and “supported”.

It is important to note that the digital and data strategy is for the Ontario government. That is, it is predominantly about how government services are delivered to the public and about how government data can be made more readily and usefully available to fuel the data economy. Related objectives are to ensure that Ontarians have sufficient connectivity and digital literacy to benefit from digital government services and that there is a sufficiently skilled workforce to support the digital agenda. That said, there are places where the focus of the strategy is blurred. For example, the discussion of privacy and security shifts between public and private sector privacy issues; similarly, it is unclear whether the discussion of AI governance is about public or private sector uses and of AI, or both. What is most particularly off-base is that the cybersecurity elements of the strategy focus on individuals do not address the need for the government to tackle its own cybersecurity issues – particularly in relation to critical digital and data infrastructures in the province. There is a reference to an existing portal with cybersecurity resources for public sector organizations, so presumably that has been checked off the list, though it hardly seems sufficient.

Do we need better digital services from government? Should there be better public sector data sharing infrastructures to support research and innovation while at the same time stringently protecting privacy? Do we need to take cybersecurity more seriously? The answer is clearly yes. Yet in spite of the laudable objectives of the strategy, it remains unsatisfying. I have three main concerns. First, there seems to be more marketing than strategy with much of what is in this document. Too many of the themes/initiatives have a repackaged feel to them – these are things already underway that are being reverse-engineered into a strategy. Second, the document seems to ignore key actors and sectors – it has the feel of a plan hatched in one part of government with minimal communication with other departments, agencies and partners. Third, much of the strategy is simply vague. It is a bit like saying that the strategy is to do important things. Hard to argue with such a goal, but it is not a strategy – more of an aspiration.

My first concern relates to the fact that so much of what is described in the strategy is work already completed or underway. Each section of the strategy document describes progress already made on existing initiatives, such as the existing, Open Data Catalogue, the Cybersecurity Ontario Learning Portal and the Cybersecurity Centre of Excellence. In some cases, the document announces new initiatives that are imminent – for example the launch of a Digital and Data Fellows Innovation Program in summer of 2021, beta principles for responsible AI in spring of 2021, and a new Digital ID for 2021. To be fair, there are a few newish initiatives – for example, the mysterious Data Authority and the development of digital and data standards. But overall, the document is more of an inventory of existing projects framed as a strategy. It feels like marketing.

My second concern is that the document seems to be a catalogue of Ontario Digital Services projects rather than a strategy for the province as a whole. We hear that we need to build a skilled work force, but apart a reference to already launched enhancement of STEM learning in elementary schools, there is nothing about funding for education or research in STEM fields, whether in high school, college or university. There is a program to “bring the best of Ontario’s tech sector into government, to help design Ontario's digital future”, but there’s nothing about funding for internships for students in government or industry. The pandemic has raised awareness of massive challenges in the province around health data; that these are not addressed as part of an overall data strategy suggests that the strategy is developed within a still-siloed government framework. The main ‘promises’ in this document are those within the purview of Digital Services.

The most disconnected part of the strategy is that dealing with privacy. Privacy is one of the pillars of the strategy, and as part of that pillar the document announces a new “Know Your Rights” portal “to help Ontarians learn how to better protect their personal data and stay safe online”. Ontario already has an Office of the Information and Privacy Commissioner that provides a wealth of information of this kind. Unless and until Ontario has its own private sector data protection law (a matter on which the “strategy”, incidentally, is completely silent), information on private sector data protection is also found on the website of the Office of the Privacy Commissioner of Canada. It is frankly hard to see how creating a new portal is going to advance the interests of Ontarians – rather than waste their money. It would have made more sense to enhance the budget and mandate of Ontario’s Information and Privacy Commissioner than to create a portal ultimately destined to provide links to information already available on the OIPC website. This promise highlights that this is not really an Ontario strategy; rather it is a compilation of ODS projects.

My third concern is with the vagueness of the strategy overall. One of the few new pieces – the Data Authority – is described in the most general of terms. We are told it will be “responsible for building modern data infrastructure to support economic and social growth at scale, while ensuring that data is private, secure, anonymous and cannot identify people individually.” But what is meant by “data infrastructure” in this instance? What is the role of the “authority”? Is it a regulator? A data repository? A computing facility? A combination of the above? One wonders if it is actually going to be a build-out or rebranding of the Ontario Health Data Platform which was pulled together to facilitate data sharing during the COVID-19 pandemic.

Notwithstanding these criticisms, it is important to note that many of the initiatives, whether already underway or not, are designed to address important challenges in the digital and data economy. The problem lies with calling this a strategy. It is much more like a to-do list. It starts with a few things conveniently crossed off. It includes a number of things that need finishing, and a few that need starting. In contrast, a strategy involves thinking about where we need to be within a targeted period of time (5 years? 10 years?) and then lays out what we need to do, and to put in place, in order to get there. In the covering memo to this document, Minister of Finance and Treasury Board President Bethlenfalvy sets a high bar for the strategy, stating: “I like to say that we are moving Ontario from the digital stone age to a global trailblazer”. Dampening the hyperbole on either side of that metaphor, we are not in the digital stone age, but those expecting to blaze trails should not be surprised to discover discarded Timmy’s cups along the way.