Increasingly, around the world, there is a shift in the way privacy legislative and regulatory approaches are being developed. This is in response to the recognition that much of our collective future economic growth, benefiting both individuals and society, will be driven through digital transformation. Most recently, Canada’s Digital Charter has recognized that digital transformation is having an enormous impact upon both its economy and its society. As the recent OECD report Going Digital: Shaping Policies, Improving Lives, notes, “Today, an ecosystem of interdependent digital technologies [– consisting of the Internet of Things, 5G networks, cloud computing, big data, artificial intelligence, blockchain, and computing power underpins digital transformation and will evolve to drive economic and societal changes”. What all of these digital developments highlight is the need to grow trust systems that require and enable effective governance where digital benefits are realizable and digital risks are managed. This combined, multi directional approach requires new trusted accountability systems and new supporting legislative and regulatory approaches. Instead of parallel approaches that focus on independent paths of a digital economy and data protection, new models are asking how a dedication to privacy could be melded with a commitment to a robust digital future that serves people. When this approach is taken, we achieve the view that data should serve people. When data is used in a manner that serves people and abates crucial risks to all stakeholders, those data uses are people beneficially activities.
It is clear that for businesses to succeed in optimizing data in a trusted way, they will need to enhance accountability mechanisms both as a way of minimizing digital risks while realizing digital benefits. The more data intensive a business is, the more risk it creates and by extension the more programmatic ways it needs to allow for trusted data optimization.
In the IAF’s March 2019 blog, A Pivot (Back) to Accountability, a shift in the role accountability plays in realization of trusted systems was suggested. In 2009, when the global accountability project commenced, the focus on accountability was positioned as supporting the way individual rights had been thought about. These rights, at the time, were heavily centered around individual control. Today, the complexities of data flows and data use have evolved the way individual participation and organizational obligations are thought about. This led the IAF to suggest principles that update both individual participation and organizational obligations. The first part of the principles describes the rights necessary for individuals to function with confidence in a data driven world. The second part of the principles is focused on the obligations that organizations must honor to process and use data in a legitimate and responsible manner. These principles have been translated into legislative language as outlined in the IAF’s June 2019 blog, Privacy Law’s First Objective Is That Data Should Serve People – The U.S. Opportunity To Get Privacy Legislation Right, and organizations are putting this advanced accountability model in place as their way of creating trusted and answerable systems. The latest example of this is Sidewalk Labs[1] in its collaboration with the City of Toronto on the Quayside smart city project.
Last week, Sidewalk Labs unveiled its proposed “Master Innovation and Development Plan” (MIDP) for Sidewalk Toronto, a project that would design a smart city district in Toronto’s Eastern Waterfront. The proposal will be considered by the government and other stakeholders in the coming months to determine whether and how to move forward with the project. This proposed public-private partnership between Sidewalk Labs and Waterfront Toronto seeks to promote affordability and sustainability while reducing climate impact and creating new mobility solutions, such as by prioritizing mass transit and pedestrians over vehicles. As the Future of Privacy Forum noted in their overview, “the MIDP as proposed contemplates substantial data collection and use; it also proposes a range of significant legal, technical, and policy controls to mitigate privacy risks and promote data protection. In the coming year, Toronto residents and officials will analyze the MIDP and work with Sidewalk Labs and Waterfront Toronto to identify aspects of the proposal that could be modified to promote benefits and reduce risks”. There are a number of novel and interesting parts to the MIDP’s approach to trusted governance.
First and foremost, the project acknowledges that some of the urban data at the core of the Quayside effort will be personal and/or sensitive, By extension, it proposes several key measures intended to mitigate the privacy risks while at the same time realizing the “people benefits” of what are many new and innovative ways to use data. There is the contemplation of technical controls, such as employing hardware and software solutions that integrate privacy-protective data collection, use and sharing into the development and operation of the Quayside site. In addition, there are legal and organizational safeguards, such as establishing consistent and transparent processes for using urban data and independent oversight.
The MIDP approach to data governance in many ways parallels the IAFs approach to trusted and answerable accountability. For example, a set of Responsible Data Use (RDU) Guidelines – what will and will not be done with data – sets a foundation for governance. These incorporate many Privacy by Design components and require artificial intelligence systems to address ethical and bias concerns. An extensive approach to assessing the impacts to individuals is contemplated through a RDU Assessment. The RDU Assessment supports the implementation of the RDU Guidelines as a mechanism for public and private entities to weigh the data benefits and privacy risks of digital products and services prior to deployment. The RDU Assessment focuses on transparency and extending protections to diverse groups and communities, in order to ascertain whether a particular technology or algorithmic use case negatively impacts individuals, groups, or communities due to biased decision-making.
The MIDP recognizes the sensitivity of this type of significantly new approach to both technology and data intensive activities as part of the Sidewalk Toronto project and starts to address the added trust mechanisms that will be required. It goes beyond the IAF’s oversight model by proposing the establishment of an Urban Data Trust that would entrust oversight and accountability of the RDU Guidelines and Assessments to a new non-profit entity. This entity would manage urban data and technologies usage independent of Sidewalk Labs and Waterfront Toronto and would oversee day-to-day digital governance of Sidewalk Toronto projects. Sidewalk Labs states the data trust concept is intended to build on existing privacy laws while providing additional protection and review before data-related measures are permitted to go into effect. The Urban Data Trust would also govern third-party data collection and use.
The MIDP is very clear that this outline of a proposed form of data governance is by no means complete and much more collaborative work is required to put this innovative model into place. But just as the exciting technology and data driven approaches contemplated in this project that clearly have people benefits in mind, will require incubation, so too will the trusted governance model. It is “okay” to not have all the answers yet. The incubation of these new trust models need to be approached with the healthy objective they were designed around – Data should serve people, and organizations that serve people with data in a responsible and answerable manner should be able to thrive. That approach is the way all stakeholders benefit. Responsible and answerable data environments that hold the promise of people beneficial data use should not only be allowed to fully develop, but encouraged.
[1] An IAF Strategist has provided some independent consulting to Sidewalk Labs