Bill C-27 is a welcome sign that the government is taking Big Data seriously, but it needs some serious finessing before it’ll do more than reinforce the status quo
By Kean Birch for the National Post
Last week, the federal government tabled Bill C-27, the digital charter implementation act, which covers consumer privacy, data protection tribunal processes and the regulation of artificial intelligence systems.
It’s good to see the federal government doing something about regulating personal data and algorithmic technologies like artificial intelligence, considering that the digital economy has been a free-for-all for so long. Other jurisdictions, especially the European Union, are well ahead of Canada in regulating the collection and use of our personal data. Unfortunately, I don’t think Bill C-27 will actually deal with the pressing challenges we’re facing, for a number of reasons.
First, the bill continues to frame the whole issue as a question of promoting trust in the digital economy, rather than a fundamental issue with how we want our personal data to be used and governed. Consequently, the bill does not challenge the corporate world’s understanding of privacy and data protection as little more than cybersecurity risks (such as the risk of data breaches). There will therefore be no change in businesses’ ability to collect and use our personal information as they see fit and we won’t get the ability to opt-out of data collection.
Second, our data is very valuable to businesses, which is precisely why they want to collect and use it. It’s an increasingly important economic asset, as shown by previous research on the growth of Big Tech firms like Apple, Alphabet, Amazon, Microsoft and Meta that I conducted with some of my colleagues.
Part of the reason it’s so valuable is that it’s critical for developing new products and services, especially algorithmic technologies that require large training datasets. Consequently, the control of our data, as an economic asset, matters immensely to the future of competition and innovation in Canada’s digital economy. If our data is hoovered up by overseas Big Tech firms that don’t have to share it with others, it will be nearly impossible for Canadian firms to challenge Big Tech’s market power.
None of this is challenged in the bill, although it does stipulate that businesses cannot require consent to data collection in exchange for their services and products. I’m not sure about the practicalities of this, such as how it will be enforced, but it’s an important move to separate our use of digital services and products from a contractual requirement to hand over our data.
Third, the bill does not address the main problem with regulating the digital economy. Our data becomes more valuable as it is combined with other people’s data. As legal scholar Salome Viljoen notes, the value of personal data is relational — it depends on combining it through various forms of inferential data analytics or algorithmic systems. Individually, our data is a set of singular data points — our individual names, addresses, ages, etc. — which is only useful in limited situations, such as identifying who we are.
When combined, though, they provide a powerful tool for managing and predicting our behaviours, decisions and choices, which are exploited and manipulated by businesses — entailing a range of harms to individuals and damaging societal and political side effects.
As such, it’s important to regulate the emergent properties of personal data collection and use, not simply the individual security risks of someone accessing our own data. Emergent properties are the qualities of a collective system that only exist because of the combination of different elements in that collective; they are not qualities that individual parts of the system have, which means they represent more than the sum of their parts.
Societies are often considered to have emergent properties, but the same applies to personal data. Combining our personal data turns it into emergent data, which entails a range of actual and potential problems not considered in this bill. For example, businesses can manage, predict and manipulate my behaviour, decisions and choices by using other people’s data, even if I have not consented to have my own data collected and used. Their data can then be used to make inferences about me that affect me and make my decision to withhold consent worthless.
Fourth, a very practical implication of emergent data is that we end up with no agency in deciding how our data can and should be used. If we don’t want it to be used in developing problematic algorithmic systems — like facial recognition, or algorithmic hiring systems — there’s not much we can do about it.
The bill does attempt to address this with the requirement for businesses to seek consent for reusing our data, but it’s difficult to see how emergent properties will be regulated when they are difficult to identify before the fact. It would, therefore, be helpful if we could simply state how we don’t want our data to be used.
Finally, even where our individual consent is required in the collection and use of our data, the onus — and cost — is on us to ensure that businesses respect our requests. Moreover, the bill contains numerous instances in which our consent can be considered “implicit,” including when transferring our data to third parties or de-identifying our data. It’s especially difficult to challenge how our data is used after it’s been de-identified, even though there is ample evidence to show that de-identification can be easily reversed or side-stepped.
All in all, Bill C-27 is a welcome sign that the government is taking these issues seriously, but it needs some serious discussion and finessing before it’ll do more than reinforce the status quo.
Kean Birch is an associate professor at York University and co-editor of the journal Science as Culture.