A Discussion on Tech in Toronto | Privacy and Data

A Discussion on Tech in Toronto | Privacy and Data

A Discussion on Tech in Toronto - part ii | Design
//Sidewalk Labs' project to build the Quayside community "from the internet up"

By Aisling O’Carroll

NOTE: This is a multi-part series to be released online over the next few months. See the other parts here.

Illustration by Sidewalk Toronto.


PRIVACY AND DATA

What concerns or implications are raised by a private, corporate entity, Alphabet Inc., having access to such a vast amount of personal and public data? What is the government’s role in managing this process and project?

Mariana Valverde (MV) | Countless cities, provinces, and countries already have or are developing data policies that have or will soon have the force of law. For instance, the city I come from, Barcelona, has a data policy that is regarded as far more democratic and publicly oriented than most; and the European Union has recently placed new privacy obligations on all major providers of electronic communications, rules that are being implemented even outside of the E.U.

Both Canada and Ontario have privacy laws, privacy commissioners, and regulatory bodies that govern utilities and telecommunications providers, etc. And of course there is intellectual property law, some of which is global (through the WTO) and some of which is national. Therefore, we are not starting from scratch in regard to legal and regulatory limits on private data systems or private providers of other services (such as the trash disposal featured in Sidewalk’s imaginative artists’ renderings). Just because a space doesn’t currently have buildings on it does not mean that federal, provincial, and municipal laws and regulations are inoperative. And the politicians in all these levels of government could at any time make new laws and policies, which would apply everywhere in the territory. No bit of Toronto’s waterfront is or could be a legal island.

Privacy is only one of the concerns raised by big data. Sidewalk’s Rohit Aggarwala is adamant that individuals’ data will not be sold to advertisers, and repeated “we will not sell your individual data” several times at a public meeting I attended at the Metro Toronto Convention Centre earlier this year. This might very well be true. Selling individual data to advertisers is by now passé and fraught (given recent scandals). If what the Google folks want is to use a piece of Toronto as a lab to develop new data systems or new software, which seems more likely, then there will still be an exploitative relationship—especially if sensors collect data from passersby who didn’t sign up to live or work in the area. Thus, even if our individual privacy is safeguarded, we will become, without our consent, the lab rats in Google’s lab—except that unlike actual lab rats the company won’t be feeding us.

H.C. Robinson (HR) | The main device by which private companies inform people about data collection and use is the “user agreement,” and it is largely unread and clicked through. Its status as a contract—an enforceable promise in which two parties on either side of a bargain agree to do something, and can hold each other to that promise—is being debated in law. What this means is that people consent to data-collection systems largely without knowing what is being collected, how it will be stored, for how long, to whom or what entities it can be sold, and how it will be used. Woodrow Hartzog, Professor of Law and Computer Science at Northeastern University, has a book out on potential remedies for this (Privacy’s Blueprint, Harvard 2018). Being a member of a community that occupies a space that is structured by both public law and private user agreements raises issues about who “owns” the data and how it can be used. At a minimum, in these spaces we should ensure the kinds of legal protections we have for publicly held private data—such as the ability to request public records and to expunge them in certain contexts.

Who will, or who should, maintain ownership of the data generated by this community? How will the use of this data be controlled?

AV | Data collected in the public realm should always be accessible to the public while making sure that individual rights are fully respected especially around privacy and identity. The data should also be governed by the legislation of the host community and national laws of the country where it is generated.

MV | Even when data are privately owned, democratically elected governments can and should increase and improve how they regulate the accumulation and use of data. Uber notoriously surprised many local governments by proceeding to collect vast amounts of traffic and other data relevant to city governance without being obligated to share the data with the city; but with the Facebook-Cambridge Analytica scandals, public sentiment is changing. City governments are finding ways to legally force private corporations to share their data (for example, in the case of municipal regulation of Airbnb, some cities are developing legal rules making data sharing compulsory).

In general: governments regulate private cars, real estate, privately owned utilities, restaurants and bars, privately owned boats and airplanes, and so on, for very good reasons. I can see no reason why data in digital form ought to be exempt from the regulatory web that has long governed the use of different forms of private property.

previous: part iv | Trust in the City
next:
part vi | Control and P3s