Jamie Duncan is a PhD student at the Centre for Criminology and Sociolegal Studies at the University of Toronto.
Wendy H. Wong is a professor of political science and the Principal’s Research Chair at the University of British Columbia, Okanagan. She is a faculty affiliate at the University of Toronto’s Schwartz Reisman Institute for Technology and Society.
Long-overdue changes to Canada’s privacy regime are upon us. Bill C-27 will make its way through Parliament this year. The proposed legislation includes the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA). With it comes a rare opportunity to update Canadian democracy for the digital era. Unfortunately, Bill C-27 does not account for the community impact of data-driven technology. In fact, the bill risks being outdated before it even passes.
The CPPA would replace Canada’s decades-old Personal Information Protection and Electronic Documents Act (PIPEDA), which was written in a world without smartphones, social media or facial recognition. Like the European Union’s General Data Protection Regulation, the new law would grant Canadian residents the right to access, erase, correct and transfer data about them held by private companies. Strengthening individual rights is a welcome change, but it ignores the collective implications of data collection. What’s currently missing from Bill C-27 is recognition for data intermediaries – non-governmental organizations that allow individuals to pool data for collective purposes.
Digital technologies don’t just affect us as individuals, they affect communities. Data collected about one person only become valuable when they are assembled with data about lots of other people. From racist facial-recognition systems and sexist hiring algorithms to the ever-expanding power of Big Tech to manage how we live our lives, the impact of data collection extends far beyond individual privacy.
Tech companies use data about us to predict and influence our behaviour. This is highly profitable and often quite invasive in ways that aren’t immediately apparent. It is simply unreasonable to expect most individuals to fully anticipate the consequences when providing “informed consent” for data collection.
Despite these collective effects, Bill C-27 focuses on individual harms and remedies. The CPPA spotlights de-identification as a means of protecting individuals from harm. The AIDA explicitly seeks to prevent “serious harm to individuals” from the use of artificial intelligence. This fails to recognize that we don’t need to be identified personally to be harmed by data-driven technologies. Harms can be both individual and collective in nature. A business doesn’t need to know who you are to engage in price discrimination, it just needs to know that customers who share certain qualities are likely to pay a higher price. The bill’s strong focus on identifiability and individual harm will incentivize data collectors to simply shift harmful activities from individuals to groups.
Election manipulation and misinformation campaigns have clearly demonstrated how data collection and analysis pose risks to our communities and democratic institutions. To fortify democracy against these threats, we must enable people to band together. Bill C-27 as it is written presents barriers to collective action. Data intermediaries provide us with an opportunity to rebalance the scales of power in the digital world.
Integrating collective and community interests into data governance does not mean reinventing the wheel. There are plenty of legal and organizational examples from all over the political spectrum to examine. In Toronto, Alphabet subsidiary Sidewalk Labs advanced the idea of a democratic “civic data trust” for its now-defunct smart city project. The data trust would have been tasked with managing access to “urban data” collected in internet-connected public spaces.
Elsewhere, advocates envision the creation of “data co-operatives” and “data unions” designed to improve people’s capacity to weigh in on how data is collected and analyzed. In non-digital contexts, co-operatives and unions are democratic organizations that bundle resources and advocate for the interests of their members. The Driver’s Seat Cooperative collects and aggregates data from drivers on platforms such as Uber to help maximize their earnings.
Cryptocurrency enthusiasts have created data intermediaries using “decentralized autonomous organizations,” which use blockchain “smart contracts” to govern online communities through referendums. Communities like this have typically come together based on common, narrowly defined interests such as negotiating payment in exchange for data about their shareholders.
These proposals vary widely in terms of their goals, their politics and how they would work. They all expand their members’ roles as stakeholders in how data about them are governed. Each of us, individually, is no match for the algorithmic power of data-hungry collectors. But together we can exert more influence over how and whether data are collected and what happens to those data afterward.
Data intermediaries can improve our negotiating position relative to Big Tech companies. Right now, online platforms present us with a largely take-it-or-leave-it offer. Data rights have led to more customizable privacy options but still leave us as individuals resisting the powers that be. Just as maple-syrup producers secure a higher price for their product by negotiating as a group, it would be advantageous for individuals to bargain with platforms on a collective basis.
Beyond just getting a better deal, intermediaries could ease the burden of informed consent by decoding the terms of service for us. They could also ensure that data collectors are sticking to their word. Pooling resources can benefit individuals by taking advantage of specialized expertise and economies of scale. Labour unions and consumer-protection associations play important roles in setting ground rules and monitoring for compliance. It is common for both individuals and organizations to turn to specialists such as doctors, lawyers or accountants who understand the regulations and implications of the situations they advise on. Why should data be any different?
Other jurisdictions have passed data-protection laws that are already dated and difficult to enforce. Mimicking these approaches just puts an unrealistic onus on individuals. Instead of relying on slow government regulations to keep up, data intermediaries offer a far more dynamic solution. Letting Canadians work together to defend their interests against Big Tech would enhance our freedom to navigate the online world with more trust in the digital economy.