The course Comparative Law: Privacy and Data Protection is offered this coming term at Osgoode Law School. IP Osgoode interviewed the course co-professors, James Williams (Osgoode site, personal site) and Michael Power (Osgoode site, personal site) for their insight on the exciting contemporary debates in the field.
Whether you’re a law student interested in public sector law, regulated industries like banking or healthcare, technology trends or information management, this course is for you. IP Osgoode extends a warm thank you to Williams and Power for their time for the interview as well as their passion for the study of privacy and data protection.
What drew you into the privacy and big data field of law?
MP: While with the Department of Justice in the 1990s I served as Coordinator of the Department’s Electronic Commerce Secretariat. I was one of the principle authors of the Electronic Documents Act. When that bill was merged with the then Personal Information Protection Act, literally at the last minute, I had to learn about that statute. Later, when I left government for private practice, the information security aspects of my law practice found me explaining privacy obligations to clients and the privacy law practice evolved from there. Privacy law represents the legal side of a juxtaposition of consumer/human rights/civil liberties law with technological innovation, which I find fascinating. You can literally “wait a moment” and see new legal issues arise as the consequences of technology deployment play out.
JW: I became interested in this area through taking a privacy law course with David Loukidelis and Murray Rankin. Privacy is a very broad (and to some degree nebulous) concept that has attracted attention from a wide variety of disciplines, including psychology, philosophy, economics and computer science. In addition to being notoriously difficult to define, it is intertwined with other areas of law, including constitutional and commercial law. There are some very deep problems in this area, both in terms of theory and practice. It also turns out that privacy is very fertile ground for computer scientists. There is a rapidly expanding body of work in both industry and academia that presents techniques to address privacy risks posed by data aggregation, data mining, ubiquitous computing, social networks and other technologies. While some areas (e.g., anonymization methods for data) have advanced rapidly, a lot of work remains.
How do you feel Canada is doing compared to US/EU re: data privacy?
MP: In terms of law, generally I think we’re in a better position that the US in that our comprehensive approach can deal with evolving issues. The American “sectoral” approach may or may not be able to address something new. However there are aspects of American law — genetic privacy, for example, that are further ahead of Canada. I also think the European approach, while also comprehensive, is more regulatory in nature and more problematic in operational terms. In some respects, governments in Canada think “privacy” as a legislative issue is “done” and I don’t see that in Europe or the US. I think the future evolution of privacy law in Canada will occur at the provincial level because of the constitutional limitations of the federal government in this area. For example, “revenge porn” can’t easily be dealt with under a PIPEDA/PIPA framework aimed at commercial exploitation of personal information.
JW: That’s a tough question. Canada has really drawn inspiration from the US, not only from its jurisprudence but also for some of the fair information practices. Nevertheless, our data protection regime was really crafted in response to developments in the EU. As Michael mentioned, we have a comprehensive approach that is applicable across industries. There are some gaps and weaknesses in our law, of course. Select sectors in the US are definitely ahead of their Canadian counterparts, and I think that the FTC likely inspires more terror than our privacy commissioners. Comparing the two systems is difficult, and perhaps fertile ground for a paper.
Is "big data" hype all it's cracked up to be? Do we have the person-power capacity in Canada to properly utilize it?
MP: Data analytics, which is what “big data” is all about, is fine in theory, with a lot of benefits both at the institutional and individual level. However, we’re far from achieving those benefits in that organizations in Canada, whether large or small, have immature data management regimes. I suspect those benefits will come but not before a lot of time, effort and money is wasted figuring out how best to get them. The “cloud”, as a concept, first arose in the 90s and is only gained traction in the last few years. Data analytics may follow a similar timeline.
JW: One has to be careful with buzzwords. Data aggregation and analysis has been around for decades, and a brief look at the work of Arthur Miller and Alan Westin shows that legal scholars have been concerned about these activities since the late 60’s. Since then, computing power and availability has improved significantly, the amount of data collected has grown, and there are some novel techniques that complement traditional methods of statistical inference.
I do think large-scale data analytics is going to be very useful as a tool for disciplines like medical research, materials science, biology, urban planning and ecology. However, a lot of the techniques are not easy to deploy. There are major issues with data acquisition, data quality/cleansing, choosing appropriate methods, and validating the resulting models. Some techniques work best with massive amounts of data and computing power.
The firms that have the requisite resources (both human and computational) and tacit knowledge have a major advantage. As a result, most of the people with the background for large-scale, distributed machine learning and data analysis are being drawn to the US.
I think it will be difficult for Canada to compete. Innovation is unlikely to arise from those large firms (e.g., banks and insurance companies) or government agencies that have experience with traditional data analytics. Startups in Canada don’t have access to the scale of funding available in the US, and it doesn’t make sense for promising ventures to stay. This also affects human resources; while Canada has a few world-class statistics and computer science departments, the small number of industry-oriented PhD graduates from those programs will likely be lured south.
How effectively are federal and provincial privacy commissions protecting Canadians' personal data? What are some of their challenges?
MP: The effectiveness of Privacy Commissioners is constrained by the legislation we have in Canada, which defines their roles, and their budgets. I think they do the best they can but there are limitations and we should ask ourselves whether we our expectations are too high and whether we should rely too much on them. As for challenges, I suspect the answer varies depending whether you’re speaking about the public, private or healthcare sectors. Each has their own issues.
JW: I think they have had a lot of influence, but their effectiveness is circumscribed by their legal powers and budget. Given their limited resources, I think they have been quite effective at promoting awareness of privacy issues and investigating complaints. The federal commissioner has been particularly active in sponsoring relevant research. Apart from obvious challenges like resourcing, it is difficult to keep up with advances in technology. Another challenge arises from the fact that they have fairly limited powers to make orders or impose monetary penalties.
"Young people don't care about privacy" is a common retort to proponents of ethical and contentious data collection. Do you believe this to be true?
MP: True? Not at all. That is a general statement concerning a complex subject. How I define my “privacy interests” may be different from that of a 16-year-old. “Young people” may have different, more nuanced notions of privacy but they are there. And for both of us, our requirement/need for privacy evolves as we age. I tend to believe that privacy — in all its forms — is an inherent aspect of the human condition. If we don’t have it when we need it, we’re somehow less than human.
JW: A fair amount of empirical research has been done on this issue, and while there are some pessimistic results, it is clear that young people do care about privacy. However, privacy is ultimately a social norm that is expressed through a variety of practices in a surrounding social context. The way that people interpret and achieve privacy differs according to such factors as culture, communication modalities and individual preferences. I don’t think young people care less about their physical privacy, but they do differ from older generations in the way that they think about online privacy.