On October 18, 2018, Sidewalk Labs (a Google affiliate) proposed its vision for digital governance of the data created through the implementation of a Master Innovation and Development Plan with Waterfront Toronto for a mixed-use community along the Lakeshore in the Eastern part of downtown Toronto.
The cornerstone of the digital governance proposal is a “civic data trust” for the data generated from the Toronto project. Although much of this data would come from the vast array of sensors monitoring the physical environment, it would also involve monitoring human activities and interactions with that environment.
The concept of the civic data trust side-steps an important public policy issue. Should data developed through a public-private partnership be subject to governance through democratic institutions backed by laws designed to protect the public interest, or should this be left to ad hoc private contract arrangements for the purposes of expediency or to preserve the freedom to operate for technology companies?
What is a civic data trust?
In the words of Sidewalk Labs, a civic data trust is:
[…] an independent third party that ensures that value from data goes to the people, communities, government, industry, and society from which it was collected, and that data privacy and security are protected. A Data Review Board, assembled of diverse members of the community, would monitor and enforce data collection and use.
Combined with a commitment to the principles of Privacy by Design, the concept of a civic data trust sounds, at least on the surface, as an innovative answer to critics of the Toronto project who question why Waterfront Toronto would allow Sidewalk Labs to control and benefit from the vast trove of data expected to be generated from the Sidewalk Labs project.
However, I’m skeptical. There seems to be at least three frail premises underlying the proposed civic data trust, each of which is exacerbated by Sidewalk Labs’ dismissal of concerns that the data remain in Canada. The premises are that the civic data trust is a trust, traditional forms of governance of public spaces are not applicable, and the public policy concern is limited to data control. No doubt there are answers that Waterfront Toronto and Sidewalk Labs could offer that I have not thought of, so I’m hopeful there will be rejoinders to my concerns.
The civic data trust is not a trust
The use of the term “trust” is, I assume, meant to conjure visions of ethical collection, use, retention and disclosure of data for the benefit of the community.
All of that may be true in the proposal advanced by Sidewalk Labs. However, the proposed civic data trust is not an actual trust in our Canadian legal system. In a keynote address to the Privacy and Access to Information Section of the Canadian Bar Association on October 19, 2018, Prof. Lisa M. Austin made this point forcefully.
While individuals may feel that they “own” information that is about themselves, including data that is produced by their activities, the legal truth is that there is no recognized “ownership” of that data as “property” in any traditional property law sense. As Prof. Austin reminded us, in order to have a “trust”, there must be property, a “settlor” who owns that property and who intends to “settle” a trust in favour of beneficiaries (or, at a minimum, a well-defined purpose).
Describing this contractual relationship as a trust is a misappropriation of a legal category that manifestly does not apply to this arrangement. It also obscures a larger public policy question – whether data of this sort should be governed by contract or governed by democratic institutions.
The civic data trust is not democratic
The proposal for the use of the civic data trust appears premised on the idea that our existing institutions are not up to the task of regulating the use of this data for the public good. Is this premise true?
It is true that Waterfront Toronto is not subject to Ontario’s access to information or privacy laws. Although Waterfront Toronto was created as a corporation by the Province of Ontario and is governed by directors appointed by federal, provincial and municipal governments, it is not subject to the Ontario Freedom of Information and Protection of Privacy Act, or the Ontario Municipal Freedom of Information and Protection of Privacy Act.
However, as Sidewalk Labs states with respect to the “Urban Data” that would be made available through this public-private partnership:
[Urban Data] could reasonably be considered a public asset.
The civic data trust responds the lacuna that this public asset is not governed by Ontario law. However, this does not mean that the public policy discussion must shift immediately to the appointment of a private independent body to hold the data and regulate access to it.
Residents of Toronto are incorporated as a municipality. With all its flaws, this is the governmental body through which Torontonians govern municipal concerns.
Sidewalk Labs is not a philanthropic organization. As a technology company, it has a strong interest in freedom to operate and, if regulation is required, then regulatory certainty. The civic data trust, as a contract, balances these goals for Sidewalk Labs. However, the case has yet to be made that this is the best democratic way to manage what Sidewalk Labs acknowledges could reasonably be considered to be a public asset.
Data is not the whole concern
In its presentation to Waterfront Toronto, Sidewalk Labs emphasized the public good:
In performing those functions, the Trust would be guided by a charter focused on ensuring that Urban Data is collected and used in a way that is beneficial to the community, protects privacy, and spurs innovation and investment.
However, data is not the whole concern. It is not clear how the civic data trust addresses how the City of Toronto and/or Waterfront Toronto will benefit directly and economically from the intellectual property developed through the use of this data. Although this concern has been raised forcefully by Jim Balsillie, former chairman and co-CEO of Research In Motion in an article entitled “Sidewalk Toronto has only one beneficiary, and it is not Toronto”.
To date, there has not been a clear answer to this concern from Waterfront Toronto or Sidewalk Labs. A key point of leverage for the Waterfront Toronto would be control of the data. However, the civic data trust would possibly place such control outside of Waterfront Toronto’s reach.
The data localization problem
Each of the uncertain premises (the civic data trust is a trust; traditional forms of governance of public spaces are not applicable; and the concern is solely data control) is exacerbated by the fact that Sidewalk Labs proposes that data would not be mandated to be retained in Canada.
I’m no fan of data localization laws. And yet… In this case, the likelihood that vast troves of data in a public-private partnership would be exfiltrated from Canada raises important questions considering the frail premises. In particular:
- How will the civic data trust be enforced outside Canada?
- Is this a one-way door? Once the data is outside of Canada, could Canadian governmental bodies ever reclaim control of that data should future voters decide that this is appropriate for security or other reasons?
- What would prevent the recipients of access to that data from commercializing intellectual property that is not in the public interest? Once the data is outside of Ontario’s jurisdiction, how would limitations be enforced?
Tough issues deserve unwavering scrutiny
No one should expect that these problems would be easily resolved and the fact that they are not (as yet) resolved does not mean that there is anything sinister afoot or that the parties lack competence.
However, the issues are sufficiently important that they deserve unwavering scrutiny. Perhaps most urgently, key players – Waterfront Toronto, Sidewalk Labs, the Privacy Commissioners, and all three levels of government – need to publicly address why it is that existing institutions and laws are not appropriate vehicles to regulate this initiative for the public good.
In its proposal, Sidewalk Labs stated:
Existing requirements attached to the collection of Urban Data only apply when it is identifiable, and are often not followed; there are no requirements attached to the collection of Urban Data that is not personal information.
The key preliminary question is, assuming this is the case, whether existing democratic institutions and statutory frameworks should be extended to ensure that existing requirements do apply to this Urban Data? The fact that democratic processes are slow and cumbersome ways to effect change is not a reason for a body such as Waterfront Toronto, which bills itself as the public advocate and steward of waterfront revitalization, or the Privacy Commissioners, to avoid this question. Torontonians deserve an answer before moving forward with this civic data trust concept.