
Data Drop Extra: What is the 'Rights-based' Data Protection framework?

Updated: Mar 31, 2021


JOHN DURLAND: My name is John Durland and I'm a lawyer at Gilbert's LLP, and I'm here with Paul Banwatt, who is also a lawyer at Gilbert's. Together we've been looking a lot at the development of privacy frameworks across the world and the rise of data-related rights in particular.

And we thought it might be interesting to explore some under-considered privacy risks that result when businesses integrate third-party services into their data practices. So I guess to start, we've recently seen a lot of activity around modernizing privacy legislation. At the federal level in Canada, we've seen the tabling of Bill C-11. In August, the Ontario provincial government began a consultation to strengthen privacy protections of personal data, with a focus on the possible creation of a provincial private sector privacy law.

California's Consumer Privacy Act went into force this year and is undergoing its fourth set of modifications. And then Senator Sherrod Brown introduced a discussion draft of the Digital Accountability and Transparency Act, in reference to which he stated, "Privacy isn't a right you can click away," referring to the sort of illusory consent that a lot of individuals provide when they agree to a privacy policy they didn't read or don't understand.

And a lot of these proposals are chasing this sort of international standard being set by the GDPR. So Paul, what do you think of all this? Is a better privacy framework here?


PAUL BANWATT: I think "better" is a question of who you're asking. I think some people would say that more rules make a harder system, a harder framework for people to abide by, and are in some ways anti-business. Other people would say that these measures move us closer to a rights-based framework, where privacy and data are considered rights of individuals and the laws treat them that way. One thing to think about is that this all starts to move us towards viewing people's data as a form of intellectual property.

And data has always been something that's hard to protect in any intellectual property regime. But we have two kinds of intellectual property. There are intellectual property rights that are created by statute.

And then there are intellectual property rights that, in Canada at least, are created by the common law, in other words, judge-made law. The kinds of intellectual property that a lot of people are familiar with, like copyright and patent, are statutory forms of protection, and they don't exist unless you have a Copyright Act and a Patent Act.

So some of what this does is move personal data into a similar kind of realm. When you look at things like the GDPR and the right to be forgotten, and these other kinds of rights that are created, they take personal data into a new place that's more akin to the intellectual property regime.


JOHN DURLAND: And one of the areas Ontario was seeking input on had to do with an opt-in model for secondary uses of information. And the American DATA legislation, in an alternative approach, proposes firm restrictions on what data can be collected, stored, and used, instead of leaving those permissions to individual consent.

People often consider the privacy risk of rogue employees. It's the root cause behind a lot of recent breaches, including Shopify and Desjardins. But they less often think of the risks associated with relying on third-party service providers. So if you take Dell, for example, that breach occurred at a call center in India that provided customer support services for Dell.

What are your thoughts, Paul, on how Canada's privacy framework currently handles the risks of a breach from secondary uses of data?


PAUL BANWATT: I think this is a huge blind spot for a lot of people and a lot of companies on both sides of the equation. When you sign up with a service, say Facebook, or you hand over your credit card information to a company you're purchasing something from, you don't necessarily know where your data is going, who's handling it, and what third-party services the company is using to carry out their provision of services to you. So it's widespread across the board, because every company out there uses some kind of third-party service for their email handling or their payment processing, and it frequently involves the provision of your personal information to that third party. And there have been a lot of examples, some that you mentioned, others like Marriott and Target, where the company that the person thought they were dealing with isn't necessarily the one that had a problem.

It's some third party they engage with. I think it's a tricky thing. The only things that we can do are have more transparency, or maybe technological solutions to protect data and safeguard it, because right now the state of play is that people don't know who they're actually giving their data to, who they're trusting their data with.


JOHN DURLAND: And as drafters of privacy policies, you and I know that we often include lists of third-party service providers who might get access to data. Why isn't that enough in this kind of circumstance?


PAUL BANWATT: So yes, let's say I have a company and I run an email list and I use a service like MailChimp.

So you, my customer, have given your email address to me. You've agreed to my privacy policy. And in my privacy policy, I've told you that I'm going to use MailChimp to send emails, but you only indirectly agreed to MailChimp's privacy policy. I'm the one, the company, who's going to agree to MailChimp's privacy policy.

But that's what's ultimately going to govern that email address that I'm using to send your email through MailChimp. So you end up with this sort of chain where there's no direct link between the person whose data is being provided and the company, like MailChimp, who's actually taking that data and holding it.

And that's a problem because, while they've agreed to let MailChimp use their data via my privacy policy, have they read MailChimp's privacy policy? Do they know what the standards and practices of that company are? And can we really expect somebody to do that? Can we expect somebody to audit all of the third parties that are going to be used by every company they interact with?

It becomes a difficult problem.


JOHN DURLAND: And in addition to changes or proposed changes to the legal frameworks in response to these types of issues, we've also seen a lot of action out of the private sector: innovation aimed at giving individuals more control over their data. A great example of this is data fabrics.

What do you think the role of these technologies will be in developing a fair practice or fair practices around data?

PAUL BANWATT: I think there are sort of two things that can push this innovation forward. One is consumer demand for better privacy measures, and the other is laws and rules and regulations that force this kind of innovation, just for the mere purpose of compliance.

And I think those two things are both happening at once. I think people are increasingly demanding control over how their information is used. And I also think that governments are stepping in and trying to be more protective of individuals. And regardless of where you fall in the debate over whether laws like the GDPR are going too far, I think you can see the role that technology has to play in making it possible to meet some of these needs in a rights-based framework.


JOHN DURLAND: All right. It's always great chatting with you, Paul, breaking outside of just the day-to-day of our business communications. Fun to share some thoughts on privacy and data.


PAUL BANWATT: Yeah, absolutely.
