The Business Council of Canada is calling on the government to adopt a set of principles for a “responsible and innovative” data economy that includes a proactive stance in favour of individual privacy. The move could have major influence on the federal government’s national data strategy.
The council, whose members lead companies that represent more than half the value of the Toronto Stock Exchange, provided the list of principles to the government on September 21 and will release them publicly early this week. Copies of the submission were provided exclusively to The Logic.
Talking Point
Calls by the council to mandate that data be made available to others if exclusive access undermines competition, could put the council—which includes the CEOs of the country’s Big Five banks and Big Three telecoms—at odds with foreign tech giants. The principles, if adopted, open the door to more flexible privacy rules in Canada, as well as to emerging practices like open banking.
The privacy principle—one of nine in total—holds that Canadians should be able to control their personal data and be protected from unauthorized access or misuse, something European Union regulators sought to address with the controversial General Data Protection Regulation (GDPR) implemented earlier this year.
The council also says, on the matter of competition, that companies in Canada should compete on their ability to create value with data, rather than compete for its ownership.
For example, it says, “If a company’s exclusive access to certain data undermines competition, it may be appropriate to mandate that the data be made available to other parties.”
This could put Canada’s leading businesses—the council includes the CEOs of the country’s Big Five banks and Big Three telecoms—at odds with foreign tech giants whose business relies on the large amounts of data they hold on individual consumers.
However, the council says the government should adopt a principle that allows for free data flows across international boundaries. It also suggests data be stored abroad, barring rare cases of public interest, which will likely be attractive to foreign-based firms. Government requirements around data residency have prompted some of the largest tech companies—including Amazon, Google, Microsoft and IBM—to build data centres in Canada in recent years.
In addition to individual privacy, competition and data flow principles, the council also recommends that the government’s approach to data include giving consumers freedom to share their data with businesses, transparency standards for why information is shared and “data stewardship”—or the idea that businesses should be held accountable to consumers whose data they possess.
The principles, if adopted, open the door to more flexible privacy rules in Canada, as well as to emerging practices like open banking, where financial service providers make customer data shareable to third-party providers.
The Business Council of Canada’s “Principles for a responsible and innovative data economy”
- Protection of private data: Individuals have a right to privacy. They should be able to control their personal data and protect it from unauthorized access and misuse. Similarly, businesses should be able to control and protect the (non-personal) data they collect or generate. When there are overlapping interests in the same data, the scope and division of those interests need to be clear.
- Freedom to share: Individuals should be free to share their personal data with businesses as they see fit, including in return for enhanced services or other forms of value. Businesses that collect and process personal data must limit the use of that data to the purposes for which individuals have given consent – or for what is otherwise consistent with that person’s reasonable expectations and interests. Businesses should be able to share their own (non-personal) data with whomever they wish and on whatever terms they agree.
- Transparency: Participants in the data economy, whether individuals or businesses, should generally understand what data they are sharing and for what purpose, how that data will be used, the key risks involved, and what value (if any) they will receive in return. Within reason, businesses collecting personal data should provide individuals with this type of information in a clear and concise manner.
- Competition: Companies should compete primarily on the value they can create with data, rather than their control over it. The portability and interoperability of data across service providers should be encouraged, provided it does not weaken data protection or violate contractual obligations. If a company’s exclusive access to certain data undermines competition, it may be appropriate to mandate that the data be made available to other parties.
- Free data flows: Individuals and businesses should be free to transfer data across provincial and international borders, provided appropriate safeguards are in place. There should be a general presumption against local data storage and processing requirements. Governments may need to exercise sovereignty over data flows in rare cases when it is necessary to protect the public interest.
- Open government: Non-private data generated or collected by governments and related institutions should be open and publicly available in usable formats. Individuals and businesses should be able to access and share the private data they have provided to governments.
- Data stewardship: Businesses must be responsible and accountable to those whose data is under their care. They should have policies to ensure the integrity and accuracy of the data and to guard it against unauthorized access and misuse. Safeguards should be proportional to the sensitivity of the data and the potential for harm. Businesses should disclose any significant deviations from their practices and be able to address complaints and provide appropriate remedies.
- Outcome-based regulation: Regulations concerning data should be outcome-based and not overly prescriptive. Companies should have the flexibility to develop and deploy suitable data-management practices to meet their obligations. Industry-led certifications and standards should be encouraged and recognized where appropriate. Regulators should be able to sanction those who intentionally flout the rules or exhibit gross negligence.
- Regulatory coordination: To ensure a level playing field and avoid unnecessary administrative costs, data regulations across sectors, regions, and countries should be coordinated to the greatest extent possible. Where harmonization is not achievable or desirable due to different local needs, mutual recognition or compatibility should be the goal.
Source: The Business Council of Canada
The principles follow an August 9 roundtable meeting between the council and Navdeep Bains, minister of science and innovation.
It was part of a series of consultations Bains is holding as the federal government develops a national strategy on big data.
In attendance were executives from 13 council companies including Sun Life, Loblaw Companies Ltd, Portag3 Ventures, Air Canada and Scotiabank.
A meeting summary prepared by the council, also to be released this week, shows that the executives and Bains discussed Europe’s GDPR rollout, but that the companies largely prefer Canadian regulation remain under the “principles-based and technology-neutral” Personal Information Protection and Electronic Document Act.
Reasons cited for this included that GDPR—which has strict opt-in consent requirements for businesses collecting data on consumers and could lead to hefty fines—is expensive for small businesses, could make it difficult to deploy artificial intelligence and actually makes it more difficult for consumers to understand and manage their privacy by bombarding them with terms of service.
“One participant even suggested re-conceptualizing personal data as a form of labour,” reads the meeting note.
The document also reveals that federal officials surveyed the meeting attendees on skills and training for workers in an increasingly digital economy. The council attendees told the government that Canada has shortages of qualified computer science, data science and cybersecurity employees, a commonly heard refrain in technology circles.
Of note, however, was the issue of traditional companies—such as those in banking, retail and natural resources—who said talented employees don’t realize their sectors are “working with increasingly sophisticated digital technologies.”
Much of the discussion about Canada’s digital economy has revolved around the role of foreign digital technology giants in Canada and the ability of domestic startups to scale up in a world where those companies are market-dominant. However, in recent months, the business council has acted as a conduit for conversations between Canada’s most important legacy companies, which are becoming increasingly interested in technological disruption.
In May, the organization put together a half-day roundtable of 14 innovation leaders from companies across different sectors—including Maple Leaf Foods, CIBC, EllisDon and Air Canada—to talk about how disruption and innovation were impacting their businesses.
According to an email last month from council CEO John Manley, the event was such a success that the group was formalized as the Corporate Innovator Network. It will now meet twice a year for a series of roundtables where small groups of companies will exchange feedback on their best practices in evolving their businesses alongside industry and technological disruption.
Over 50 companies have joined the group’s August email, and they will meet in Toronto later this year.
