Principles for a responsible and innovative data economy

Data is changing our economy

New technologies allow us to gather and make sense of ever-larger amounts of data, enabling smarter, faster decisions that can improve the lives of Canadians. The challenge is to get the right data to the right place at the right time. Data is costly to collect, store, and process. A further challenge is determining who the data belongs to and how to distribute the value it creates.

Canada has traditionally relied on markets to efficiently allocate valuable resources – a good starting point for how to think about data, too. But markets only function successfully when there are clear rules, when participants have well-defined and enforceable rights, and when transactions occur in a transparent, competitive, and secure marketplace.

A framework for the future

With these important conditions in mind, we believe government policies, laws, regulations, and business practices concerning the data economy in Canada should reflect the following nine principles:

  1. Protection of private data: Individuals have a right to privacy. They should be able to control their personal data and protect it from unauthorized access and misuse. Similarly, businesses should be able to control and protect the (non-personal) data they collect or generate. When there are overlapping interests in the same data, the scope and division of those interests need to be clear.
  2. Freedom to share: Individuals should be free to share their personal data with businesses as they see fit, including in return for enhanced services or other forms of value. Businesses that collect and process personal data must limit the use of that data to the purposes for which individuals have given consent – or for what is otherwise consistent with that person’s reasonable expectations and interests. Businesses should be able to share their own (non-personal) data with whomever they wish and on whatever terms they agree.
  3. Transparency: Participants in the data economy, whether individuals or businesses, should generally understand what data they are sharing and for what purpose, how that data will be used, the key risks involved, and what value (if any) they will receive in return. Within reason, businesses collecting personal data should provide individuals with this type of information in a clear and concise manner.
  4. Competition: Companies should compete primarily on the value they can create with data, rather than their control over it. The portability and interoperability of data across service providers should be encouraged, provided it does not weaken data protection or violate contractual obligations. If a company’s exclusive access to certain data undermines competition, it may be appropriate to mandate that the data be made available to other parties.
  5. Free data flows: Individuals and businesses should be free to transfer data across provincial and international borders, provided appropriate safeguards are in place. There should be a general presumption against local data storage and processing requirements. Governments may need to exercise sovereignty over data flows in rare cases when it is necessary to protect the public interest.
  6. Open government: Non-private data generated or collected by governments and related institutions should be open and publicly available in usable formats. Individuals and businesses should be able to access and share the private data they have provided to governments.
  7. Data stewardship: Businesses must be responsible and accountable to those whose data is under their care. They should have policies to ensure the integrity and accuracy of the data and to guard it against unauthorized access and misuse. Safeguards should be proportional to the sensitivity of the data and the potential for harm. Businesses should disclose any significant deviations from their practices and be able to address complaints and provide appropriate remedies.
  8. Outcome-based regulation: Regulations concerning data should be outcome-based and not overly prescriptive. Companies should have the flexibility to develop and deploy suitable data-management practices to meet their obligations. Industry-led certifications and standards should be encouraged and recognized where appropriate. Regulators should be able to sanction those who intentionally flout the rules or exhibit gross negligence.
  9. Regulatory coordination: To ensure a level playing field and avoid unnecessary administrative costs, data regulations across sectors, regions, and countries should be coordinated to the greatest extent possible. Where harmonization is not achievable or desirable due to different local needs, mutual recognition or compatibility should be the goal.