“Accountability has increasingly become the nucleus of effective data protection in a world where the observation of people is critical to how machines and systems work and drives advanced analytics. Canada was the first country to explicitly capture accountability as part of its privacy law, and therefore actions in Canada have impact beyond Canada.”
Martin Abrams, Executive Director and Chief Strategist, Internet Accountability Foundation (IAF).
Emerging technologies such as artificial intelligence (“AI”) are rapidly changing the dimensions of our economy and society: from the ways in which we access information and work together, to how we connect with one another. Increasingly, data is viewed as a resource that companies use to increase productivity and to develop better products and services for their customers. In a competitive globalized world, Canada can benefit from maximizing the use of available data in pursuit of public good and innovation.
Yet Canadians must feel comfortable and involved in these developments in order to come along for the ride. They must be able to trust that their privacy is protected and that their data will not be misused. They must see companies communicating their intentions in a transparent, simple and straightforward manner. This consumer trust is the foundation upon which our digital and data-driven economy must continue to be built.
The potential social benefits of AI applications are countless. They range from preventing crime, diagnosing cancer, and strengthening democracy, to identifying victims of online sexual exploitation, and aiding disaster-relief efforts.
Yet, data accessibility and consumer consent oftentimes pose constraints to the full realization of these social benefits. The challenges of “using data for social good” are real. Meeting these challenges requires a delicate balancing act of complying with relevant privacy laws while establishing and maintaining trust with consumers.
Canada’s Renowned Accountability Model
Clearly, Canadian organizations need to demonstrate that the consumer data they collect and process is managed responsibly. But how best to do this? Surely, the consent-based model upon which Canadian privacy law has long been defined and based cannot solely offer the answer for all data uses: for one, consent is not practically obtained in many data use cases; for another, many consumers continue to express understandable frustration at being inundated with multiple consent notices for every single data use. Thus, consent may be an essential, but often inadequate, means for driving every privacy decision or action.
Canada’s long-standing accountability model may offer a compelling solution to this quandary. Accountability relates to organizations’ acceptance of responsibility for personal information protection by implementing appropriate policies and procedures that promote a robust privacy management program. Done properly, accountability should promote trust and confidence with consumers and regulators, and enhance competitive and reputational advantages for organizations.
Data Accountability for Social Good: A Framework
The Information Accountability Foundation (IAF), a public policy think tank known for its valuable contributions to international privacy conversations, recently initiated an important project that explores how accountability can enable responsible data use for socially beneficial activities. The IAF seeks to address many of the historic challenges of realizing social benefits from emerging technologies, while balancing consumer privacy protections by refining the underlying practice principles and regulatory structures. Similar to the OECD, the IAF aims to develop a framework for using data in socially beneficial activities through privacy-friendly applications.
Many stakeholders, from industry and government arenas, are supportive of the project and their participation and contributions will help further shape the model. The Canadian Marketing Association (CMA) is one of project’s active participants and an organization whose support for responsible data use and privacy precedes the introduction of Canadian privacy laws. “CMA was among the leading organizations to advocate for a national privacy law in Canada and has consistently voiced its support for a co-regulatory approach to privacy – robust, yet balanced privacy laws layered with industry codes and privacy frameworks”, said Sara Clodman, VP of Public Affairs and Thought Leadership at the CMA. “The framework that IAF is developing has the potential to serve as an excellent non-regulatory solution that enhances privacy protections for individuals, while boosting the benefits that data can bring to society”, she added.
The first meeting of the IAF project, held recently at PwC’s Toronto office, encompassed a rich conversation on privacy challenges currently devoid of ready-made solutions. Some of these challenges include: (1) the types of data uses to be considered ‘socially-beneficial’; (2) the types of data-related activities deemed to have a ‘legitimate interest’ under privacy law; and, (3) lack of trust and faith that people have in companies interested in pursuing socially beneficial activities.
This work is very likely to have a significant impact on the future of Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The resulting model will provide public policy guidance in advance of proposed changes to PIPEDA, and will contribute to Canada’s leadership and goal of creating a trustworthy governance framework to be applied (nationally and globally) in a new era of advanced computing.
Enhancing Privacy Protections and Data Use through ‘Demonstrable’ Accountability
Demonstrating accountability requires a proactive and structured approach to privacy management through the implementation of appropriate and tangible privacy and data protection measures. This approach ensures compliance not only with privacy laws, but also with industry codes of conduct, best practices and, to the best extent possible, with ethical standards. It strengthens consumer protection through an approach to privacy that is overarching and holistic, rather than the narrow and seemingly mindless checkbox exercise that pure compliance tends to become.
The Privacy Commissioner of Canada, Daniel Therrien, has recently described ‘demonstrable accountability’ as the centerpiece of an expanded enforcement power that he sees as essential to the protection of Canadian consumer privacy rights. The Commissioner seeks the authority to proactively inspect organizations for tangible evidence of accountable practices with respect to data protection. Organizations would not simply represent their compliance through public statements, reports or industry certifications, but rather, be subject to what is essentially an information practices audit by the Office of the Privacy Commissioner of Canada (“OPC”). However, until Canadian laws change to provide OPC with these desired powers, accountability remains a concept that organizations can and should embrace as a privacy program approach.
Learn More About the IAF Project
The Canadian government has made a strong commitment to AI as a major driver of future economic growth, while at the same time reinforcing its commitment to privacy as a fundamental right. The emerging IAF framework will become an essential catalyst for Canadian companies to re-examine and align their consumer data practices to a clearly defined set of accountability principles. It will also help to elevate Canada’s global profile as a leading, socially conscious and privacy-aware, tech innovator.
Learn more about this project through a recent IAF blog post, which includes their letter to the OPC as part of the recently announced consultation process on consent: Accountability is an enforceable as any other privacy management mechanism.
About the author: Cristina Onosé is Lead, Advocacy and Thought Leadership at PwC (previously Director, Government Relations at the CMA). She is a certified privacy professional (CIPP/C, CIPM) and has an MA in international affairs and a certificate in cybersecurity policy from Harvard Kennedy School. Her areas of expertise include Canadian and EU privacy law, cybersecurity, emerging technologies (Internet of Things, self-driving cars), Canada’s anti-spam law and interest-based advertising. Information in this article does not constitute legal advice.