Information & Ethics Committee on Feb. 5th, 2019

I would try to avoid the government mandating this, but there are things we can learn from the GDPR in Europe. It is probably the most-discussed regulation around data right now, and probably the most forward-looking.

There's something in there called purpose limitations, which basically says that if I give you consent to use my data for a certain purpose, you can't use it beyond that. That speaks to a lot of what I commented on in my opening remarks around context and consumer expectations.

It's about using the data in the way the user expects based on the original negotiation or relationship when they started, and then limiting it to that. The way Google makes money is by moving from Gmail to location tracking, etc.

As far as we understand, Apple is not using that data to also then micro-target ads at you or use it for any other purpose.

That's within the device. We can get deep into the weeds but it's—

Either way, without going into the weeds on who's doing what, I think a higher bar is definitely in order and should be discussed for the companies that see a substantial amount of your activity; I call them service providers. That may mean that they can't use the data for that purpose. It's no different from walking into a store, say Target, and they're going to track your data as part of the store experience. That's probably acceptable and you can choose not to go to Target ever again because you don't like it. But if you walk into Target and then they track you outside of the store, everywhere you go, that's the problem you're speaking of, and that's where there needs to be a higher bar.

The GDPR in the EU and, to a degree, the new California Consumer Privacy Act, which will come into effect in 2020, offer us models for setting limits. One limit that you proposed is a limit on data retention. One interesting part about GDPR is the requirement to disclose the data retention duration at the moment of gaining consent. When you sign up for a service the requirement is, “we will hold your data for six months”, and you are learning that limitation at the moment of signing up and giving consent.

I think we have some good models now to work from to evaluate and to see how these limits are set. The other limits that my colleague Mr. Kint has been referencing—limiting use based on the context of collection and prohibiting uses across contexts—would be also important frameworks to establish. The key here is also enforcement. My experience working with the Information Commissioner's Office as well as the court system in the U.K. shows that enforcement of these limits is where the rubber hits the road.

I would confirm that last point.

I saw that you were recommending giving more powers to the privacy commissioner. That's hugely important. I think the powers that the ICO commissioner had came in at the 11th hour. She was fortunate to have those, so I would recommend that. Certainly, GDPR, has real teeth to it, with the 4% fine of global turnover. That makes a difference, and we're starting to see some of that enforcement.

I have a lot of check marks next to your recommendations. There are a lot of really good recommendations. The things I put stars next to are super important things like modernizing the Competition Act and really recognizing that these companies—with which, as Mr. Baylis points out, you don't have a fair deal because they have so much power and so much data that you have to use them, and there are only two different operating systems, let's say, or only one search engine—actually should be evaluated based on the data, as part of the trade-in value. The fact that they're free shouldn't allow them to run away with a monopoly.

I'd like to bring up the concept that data doesn't really go away. Companies can claim they've deleted it or say whatever the heck they want, but it has been rolled into other things by then. There are derivatives of it and they probably did keep some backups.

I would focus more on the data becoming stale after a while. Therefore, implement new rules, regulations, laws, to tighten their ability to collect the superfluous amounts of data, and let that other data become stale, old and of no use because it's so old. Don't worry about trying to wrest it out of their hands, because you're never going to.

One aspect of the Estonian model that is important and valuable is the principle of collecting once. Not requiring citizens to keep inputting their data is the key idea of this unified national identity, and it prevents this problem that citizens in most countries face of constantly giving the same information to multiple different entities. Each time data is supplied, another weak point is created.

Figuring out how to make the supply-once and secure-forever model work logically makes a lot of sense, because it also helps separate identity from other data. Having mechanisms to create de-identification and anonymization built into the structure works well and so on.

The Aadhaar model in India, another national identity system. has come up. I can corroborate what Mr. Vickery said about it. I've had students doing their own research who found these systems to be alarmingly easy to penetrate, at least in India. To have a digital model that does not also have a strong data protection regime on top of it is a risky endeavour. In some ways Estonia might be well-placed, because it has both this digital government and 20 or 30-year tradition of European data protection linked to it.

We also look at China as an extreme in the other direction, where a surveillance industry.... The distinction between private enterprise and the government is completely blurred and the use of surveillance for social control and social coercion is quite alarming. We do look at the new emerging privacy and data models around the world to figure out which places are figuring it out.

I'm not a security expert, so I'll turn most of my time over to Chris. I have heard positive reflections on the Estonian model and I have not heard the security concerns. The way it's described, it makes sense, but I haven't heard of any issues. It's most often the example that comes up in a positive light and is starting to be studied. It may just be a test of time to make sure it's the right one, but I'll let Chris weigh in.

I believe it's healthiest to assume there has been a breach at all times, to make a system so segmented and resilient that even if there is a breach, you can find it, recover quickly and the damage will be minimal. I don't think you should put all your eggs in one basket. I believe the solution to having people submit the same info over and over again is to minimize the amount of information that is necessary from them. For example, here in the United States, we're not supposed to give out our social security numbers all the time, according to the government, yet every doctor's office asks for that number. Doctors' offices shouldn't be asking for it.

Minimize, optimize, make it streamlined, but I just don't think putting all of your eggs in one basket is a good idea.