Ontario’s privacy commissioner has added his voice to those raising objections to Sidewalk Labs’ proposed digital governance regime for Toronto’s planned data-driven lakefront Quayside project.
A lack of independent public oversight, a cumbersome mandate that overlaps with provincial and federal watchdogs and an insufficient role for the city are the main objections of commissioner Brian Beamish.
Arguably most importantly, Beamish said that if Sidewalk’s proposed data trust for overseeing collected data gets the green light the province first has to create a clear regulatory framework that sets out the mandate, criteria for evaluating the full lifecycle of data, as well as a mechanism for independent oversight. And if new public organizations are created, such as the proposed Public Administrator ( a public entity that would be the revitalization lead) they must be designated as institutions under provincial privacy legislation.
Beamish’s comments were contained in a letter sent this week to Waterfront Toronto on Sidewalk’s draft master plan. Sidewalk Labs is a unit of Alphabet Inc, which is also the parent company of Google.
“Most importantly, the digital governance proposals proposed by Sidewalk Labs highlight the legislative shortcomings in our privacy laws,” Beamish wrote. “I appreciate the efforts of Waterfront Toronto and Sidewalk Labs to explore interim measures to address these deficiencies; however, the provincial government needs to modernize our laws to ensure that privacy protective, transparent, accountable and ethical data practices are at the forefront of all of these complex data projects.”
In February the province launched a public consultation on creating a new data strategy for Ontario with the goal of helping residents and businesses benefit from the data economy while protecting privacy. The consultation will continue to Oct. 9. Last week the province released the second of three discussion papers.
Almost from the beginning of its involvement in 2017 after being chosen as the innovation and funding partner for what has been called the Quayside community, a small part of the 800 hectare site Waterfront Toronto will oversee, Sidewalk Labs has been the target of complaints. They range from, “Why do we need to collect data,” to “Why trust a Google subsidiary,” to “We can’t trust the independent proposed data trust”.
Sidewalk’s draft master plan goes further than Quayside to include a bigger slice of land under what it calls an Idea District. Waterfront Toronto replied that idea is “premature.” The Globe and Mail quoted a Sidewalk spokesperson as saying the company will produce an appendix to the plan on Oct. 31, provided a deal to continue the project is struck.
Meanwhile the oversight agency has been holding a public consultation on the draft plan.
Key to the draft plan is Sidewalk’s proposed creation of a non-profit digital trust to oversee the collection and handling of what it calls “Urban Data” swept up by sensors in the community. Sidewalk had promised that any data collected will be anonymized. The idea of the trust is to meet complaints that a private sector firm would control what could be a huge amount of personal data. However, details about how the trust will operate still have to be finalized.
In his letter Beamish said lack of independent oversight of the trust’s decisions and an expectation that public sector organizations seek approval from the trust for decisions were among his biggest concerns.
To Beamish the digital trust is only one idea for data governance. “At this time, I remain unconvinced that the proposal to create an Urban Data Trust as outlined in the [draft master plan] is the most effective way to protect privacy rights,” he wrote.
The commissioner also wonders about the distinction Sidewalk makes between urban data (defined as personal, non-personal, aggregate or de-identified data collected in a physical space, like sensors in a street) and transactional data (defined as information that individuals provide through direct interaction with commercial or government-operated services, such as apps, websites, and product or service delivery). Sidewalk Labs has not proposed any new rules or processes for the collection or use of transactional data.
There may not be a meaningful distinction between urban and transactional data, Beamish said — both types of data raise privacy concerns. For example, a proposed mobility app that would allow users to pay for transit in the community would likely be considered transactional data and therefore outside the oversight of the data trust. “This is concerning given that such an app, while beneficial for users, could enable a complete portrait of a user’s movements in the area.”
In addition, Sidewalk proposes the data trust would be created in two stages. But there would be no independent oversight of the trust and its decisions during the first phase. Nor would it be subject to Ontario’s access and privacy laws, Beamish added. He doesn’t back a two-phase approach.
“I believe that some smart city technologies and the data they generate have the potential to help cities better manage urban environments and deliver services in a more effective and efficient way,” Beamish wrote. “Privacy does not have to be a barrier to these technologies. However, the increasing reliance on data – in some cases personal information – requires more robust protections.”
Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA