Data Drop Extra: What is the 'Rights-based' Data Protection framework?
Updated: Mar 31, 2021
My name is John Durland and I'm a lawyer at Gilbert's LLP, and I'm here with Paul Banwatt, who is also a lawyer at Gilbert's, and together we've been looking a lot at the development of privacy frameworks across the world and the rise of data-related rights in particular.
And we thought it might be interesting to explore some under-considered privacy risks that result when businesses integrate third-party services into their data practices. So I guess to start, we've recently seen a lot of activity around modernizing privacy legislation. At the federal level in Canada, we've seen the tabling of Bill C-11. In August, the Ontario provincial government began a consultation to strengthen privacy protections of personal data with a focus on the possible creation of a provincial private sector privacy law.
And a lot of these proposals are chasing this sort of international standard being set by GDPR. So Paul, what do you think of all this? Is a better privacy framework here?
I think "better" is a question of who you're asking. I think some people would say that more rules, it makes a harder system, a harder framework for people to abide by, and are in some ways anti-business. Other people would say that these measures move us closer to a rights-based framework where privacy and data are considered rights of individuals, and the laws treat them that way. One thing to think about is this all starts to move us towards viewing people's data as a form of intellectual property.
And data has always been something that's hard to protect in any intellectual property regime. But we have two kinds of intellectual property. There's intellectual property rights that are created by statute.
And then there's intellectual property rights that, in Canada at least, are created by the common law. So in other words, judge-made law. The kinds of intellectual property that a lot of people are familiar with, like copyright and patent, those are statutory forms of protection and they don't exist unless you have a copyright act and a patent act.
So some of what this does is move personal data into a similar kind of realm. When you look at things like GDPR and the right to be forgotten, and these other kinds of rights that are created, they take personal data into a new place that's more akin to the intellectual property regime.
And one of the areas Ontario was seeking input on had to do with an opt-in model for secondary uses of information. And the American DATA legislation, in an alternative approach, proposes firm restrictions on what data can be collected, stored, and used instead of leaving those permissions to individual consent.
People often consider the privacy risk of rogue employees. It's the root cause behind a lot of recent breaches, including Shopify and Desjardins. But they less often think of the risks associated with relying on third-party service providers. So if you want to take Dell, for example, that breach occurred at a call center in India that provided customer support services for Dell.
What are your thoughts, Paul, on how Canada's privacy framework currently handles the risks of breach from secondary uses of data?
I think this is a huge blind spot for a lot of people and a lot of companies on both sides of the equation. When you sign up with a service, say Facebook, or you hand over your credit card information to a company you're purchasing something from, you don't necessarily know where your data is going and who's handling it and what third-party services a company is using to carry out their provision of services to you. So it's widespread across the board because every company out there uses some kind of third-party service for their email handling or their payment processing and it frequently involves the provision of your personal information to that third party. And there's been a lot of examples, some that you mentioned, others like Marriott and Target, where the company that the person thought that they were dealing with isn't necessarily the one that had a problem.
It's some third party they engage with. I think it's a tricky thing. The only things that we can do are have more transparency or maybe technological solutions to protect data and safeguard it because right now the state of play is that people don't know who they're actually giving their data to, who they're trusting their data with.
And as drafters of privacy policies, you and I know that we often include lists of third-party service providers who might get access to data. Why isn't that enough in this kind of circumstance?
So yes, let's say I have a company and I run an email list and I use a service like MailChimp.
But that's what's ultimately going to govern that email address that I'm using to send your email through with MailChimp. So you end up with this sort of chain where there's no direct link between the person whose data is being provided and the company like MailChimp, who's actually taking that data and holding it.
It becomes a difficult problem.
And in addition to changes or proposed changes to the sort of legal frameworks in response to these types of issues, we've also seen a lot of action out of the private sector. Innovation aimed at providing individuals more control over their data. A great example of this is data fabrics.
What do you think the role of these technologies will be in developing a fair practice or fair practices around data?
PAUL BANWATT: I think there's sort of two things that can push this innovation forward. One is consumer demand for better privacy measures and the other is laws and rules and regulations that force this kind of innovation, just for the mere purpose of compliance.
And I think those two things are both happening at once. I think people are increasingly demanding of control over how their information is used. And I also think that governments are stepping in and trying to be more protective of individuals. And regardless of where you fall in the debate over whether these kinds of laws like GDPR are going too far, I think you can see the role that technology has to play in making it possible to meet some of these needs in a rights-based framework.
All right. It's always great chatting with you, Paul. Breaking outside of just the day-to-day of our business communications. Fun to share some thoughts on privacy and data.