Transcript: The New Economy Series: Governing Cross-Border Data Flows
[The animated white Canada School of Public Service logo appears on a purple background. Its pages turn, opening it like a book. A maple leaf appears in the middle of the book that also resembles a flag with curvy lines beneath. Text is beside it.]
Webcast | Webdiffusion
Mark Schaan: Hello, everyone, and welcome to the fourth session in the New Economy series. My name is Mark Schaan. I'm the Associate Assistant Deputy Minister for Strategy and Innovation Policy at Innovation, Science and Economic Development Canada. The New Economy series is a partnership between the Canada School of Public Service and the Centre for International Governance Innovation, a leading think tank in Waterloo, Ontario.
[Translated from French] Today, we're discussing the flow of data across borders and Canada's recent efforts to regulate the cross-border flow of data through trade gaps.
And what a great topic for today. Data, as many say, is like the new oil. I've never liked that term. I like to think of it more as data is the water that continues to flow freely and in great quantities and is essential to the lifeblood of the new economy. But it's continuing to prove challenging to both regulate, understand and work with, particularly in the context of trade.
So, a few facts on trade. The importance of trade to Canada's overall economic well-being cannot be understated. Two-way goods and services trade accounts for approximately sixty-five percent of Canada's gross domestic product. However, trade in goods and services only tells a part of the story, and the increasing value of trading information such as data and intangibles cannot be ignored.
[Translated from French]The free flow of data across borders is essential to the global economy and allows businesses, in particular, to rely on a relatively unimpeded flow of data, which enables them to thrive and prosper.
The world is producing more data than ever before. There are so many statistics that tell us about just how important data is. But according to the World Economic Forum, the world produces two point five quintillion bytes a day. And five years ago, McKinsey estimated that the value of data flows overtook the value of global trade in physical goods. Canada is also a unique trading nation in some respects. We're the only G7 country that has a free trade agreement with every other G7 member, and our fourteen free trade agreements cover sixty percent of the global GDP.
Yet the free flow of data across borders poses risks, many of which are unique compared to goods such as oil or cars. Data can contain sensitive information about people, companies and ideas that must be used appropriately. Countries around the world are thinking about how to protect the rights of their citizens and promoting the competitiveness of their industries and businesses worldwide. Within the Government of Canada, departments such as Global Affairs Canada and departments like mine, Innovation, Science and Economic Development Canada, as well as the Trade Commissioner Service and Export Development Canada all have roles to play when it comes to trade, whether it is helping Canadian firms prosper abroad, negotiating trade agreements or ensuring that sound regulations are in place.
[Translated from French] These organizations are working together to increase Canada's share of global trade and build a fair, efficient and competitive marketplace.
Whether you are attending this event because you work directly on the subject or simply because it's of interest and you want to learn more. Our hope is that this session is informative and introduces new concepts or ideas that are of value in your role as public servants.
Before passing the floor over to Aaron, I would note a few housekeeping items for the session. First, you should all have a copy of the presentation, which was sent with the invitation for this event. Simultaneous translation is available in the language of your choice through the portal. Instructions were sent to you with your webcast link. You can submit questions for the moderated Q&A period near the end of the event. You can do this by clicking on the icon of the person with their hand up on the top right of the screen.
[The other five video windows reappear.]
And now it's my great pleasure to introduce our partner for this series, an extraordinary advocate of good thinking and continued contributions to our ideas in this new economy: Aaron Shull, Managing Director and General Counsel at CIGI, who will offer a few words of welcome, introduce CIGI and introduce the three panelists. Over to you, Aaron.
[Aaron's window fills the screen. He is a white man with short dark hair and a trim beard. He wears a white button-down shirt and a black tie. A poster with information about CIGI hangs in the background in front of the bare wall. The poster reads, "Centre for International Governance Innovation. Influential research. Trusted analysis. We make a difference in today's world by fringing clarity and innovative thinking to global policymaking. Cigionline.org @cigionline."]
Aaron Shull: Great. Thank you very much, Mark. And it is an absolute pleasure for me to be here. And I would like to thank you for agreeing to moderate this session. And I'd also like to extend a warm welcome to our audience here. I know the people are busy. We all have day jobs, but this is an incredibly important topic so I offer a hearty thanks to our colleagues at the Canada School; to you, Mark; and to the audience.
The Centre for International Governance Innovation is what you call a public policy research institute—the shorthand for that is a think tank. And our hope in taking this partnership on with the Canada School was to bring some of the top thought leaders in the country and indeed around the world, together with one goal in mind, that was to support the growth and development of public servants in the strategic knowledge, competencies needed to better serve Canadians in this rapidly changing, tumultuous and what I would call extremely uncertain new economy.
So, I do hope you enjoy the session. And I'd also like to offer a special word of thanks to the President of the Canada School, Taki Sarantakis. This was a pretty visionary course when we agreed to take it on, and it was because of Taki's leadership role here today. So special thanks to Taki for that.
Before we begin, I'd like to take this opportunity to introduce our panelists very briefly, because we have assembled a really, really stellar group of thinkers here today. First is Patrick Leblond. He's a senior fellow at CIGI, an expert in global economic governance, international political economy, regional economic integration, financial regulation, business and policy. Patrick is an associate professor at the University of Ottawa and holds the Tellier Chair on Business and Public Policy at the University of Ottawa's Graduate School of Public and International Affairs.
Next, we have Blayne Haggart. Blayne, I'm happy to report, is the newest CIGI Senior Fellow as of today. He's an associate professor of political science at Brock University, where his research focuses on the political economy of intellectual property and knowledge. He's also a research fellow at the Centre for Global Cooperation and Research at the University of Duisburg-Essen, Germany.
Next, we have Susan Aaronson. Susan Aaronson is also a CIGI senior fellow. She's an expert in international trade, digital trade, good governance and human rights. She's also a research professor of International Affairs at George Washington University and a cross-disciplinary fellow GWU's Elliott School of International Affairs.
And last but certainly not least, we have my friend and colleague Neil Desai. Neil is a senior fellow at CIGI and at the Munk School of Global Affairs and Public Policy at the University of Toronto. He's a faculty member at the Singularity University. His day job, he's an executive at Magnet Forensics, which is an amazing Canadian technology company. I promise this is not a commercial for Magnet. But they develop digital forensic software and are doing some real good in the world. Neil previously held senior roles within the Government of Canada, at Global Affairs Canada and the Office of the Prime Minister. Neil brings both an industry and firm perspective, but he's also someone who spent time in government. So we're delighted to have him with us.
That is our group of panelists. I hope you agree with my assessment that they are some of the top thought leaders on this. That's why I'm happy that they're here and CIGI is delighted to be able to support the initiative. Mark, back to you.
[The other participants' windows pop up. Aaron's window disappears.]
Mark Schaan: Thanks so much, Aaron. I think we'll now turn to our panelists who are going to explore a variety of topics during their presentations, and I believe we're going to be led off by Patrick.
[Patrick nods. He is a white man with grey-black hair and glasses. He wears a dark blue suit jacket over a white shirt. Patrick sits in a home living room, and behind him is a large wood cabinet beside a floor lamp.]
Patrick Leblond: All right. Thank you, Mark.
[Patrick's window shrinks to the bottom right corner as a slide deck fills the screen. The title slide reads, "Governing cross-border data flows: How trade in data is different from trade in goods and services."]
So, I'll do my presentation in English, as opposed to trying to make it bilingual. However, I will be happy to take questions in French later on in the Q&A and discussions. So if I could have the next slide, please.
[The next slide reads, "Data and the Border. Patrick Leblond, Holder of the CN Paul M. Tellier Chair on Business and Public Policy, University of Ottawa. CIGI Fellow." The next slide appears, titled "Types of Data." Five blue circles are numbered 1 to 5. Each one has a bubble coming out of it with an explanation. They are:
- "Personal data (e.g. birthdates, passport numbers)
- Confidential business data (e.g. payrolls)
- Public data (e.g. census data, scientific data)
- Metadata for AI, data analytics, etc.
- Machine-to-machine communication (e.g. IoT)"]
I was asked to provide a what Aaron calls a chapeau, so basically a sort of introduction to the topic of data and cross-border data flows and some of the issues that in a way, my colleagues will discuss a little bit more afterwards. So, the first thing to make clear is that when we talk about data, we're talking about different types of data. Often the term data gets kind of fused together. Mark talked about data being like water, but in fact, there are different kinds of water out there. We have salt water, sweet water, clean water, dirty water. It's a little bit the same thing with data.
Here is a slide that shows you different types of data and there are others that obviously could be out there and eventually over time will develop. But the main categories are certainly the personal data; everything about us in terms of birthdates, passport numbers, et cetera. Health data would also qualify in terms of personal data. Then you have business data; often confidential, payroll is one example. But you could think about data that airplanes generate and send back to the Boeings and the Airbuses and the Bombardiers to say, "OK, here's how the plane is functioning." And then from that, obviously, there are analytics and improvements that can be made to those planes.
Public data we're familiar with. So, whether it's census or other types that are generated by governments or at least made available to governments, the same from the universities. Metadata is data that tends to be aggregated, that is often used for artificial intelligence and other types of data analytics. It tends to be anonymized so at least from that data we're not supposed to be able to identify people—although there are questions as to whether if you group different metadata sources together, you could potentially kind of re-individualize some of this data.
And finally, something that we're going to see more and more is machine-to-machine communication. So, the whole notion of Internet of things, machines, whether it's your fridge or your washer or your car that communicate with other data. And you can see that even with the Teslas, for instance, where, in fact, computers can basically enhance the performance of your car without you knowing or doing anything about it.
And next slide, please.
[There is a brief pause.]
[The presentation flips to the next slide.]
So now that we know the data—sorry, go back.
[The presentation returns to the previous slide, titled "Digital Trade vs. Cross-Border Data Flows." On the left half of the slide are logos for various companies, including Amazon, Netflix, Visa, Google Maps, Alipay and Facebook. On the right side of the screen is a circle split into six sections. Each has an arrow flowing to the next section. They read:
- "When data flows across borders, it may or may not be affiliated with a transaction
- Much of the data flowing across borders and powering new sectors is personal data, but the people who are the source of the data do not control that data
- Trade in data occurs on a shared platform (internet) and firms, users and governments do not all have the sale responsibility for its stability
- Suppliers do not need to be in the same physical location as end-user for transaction to occur
- If states restrict data flows, access to information is reduced, diminishing economic growth, productivity and innovation
- Status of data as export or import is unclear, leading to questions as to when international laws apply"]
We know that there are different types of data and all these data across borders. And obviously the issue is how do we govern that? One approach is to do nothing and just let those data cross borders without any types of regulations or others, and I'll get back to what that implies. But before we go there, I think it's important to make a distinction because often it gets confused in the minds of people as to—"well, digital trade is about trading data." I think as much as we talk about water and goods and services, we have to differentiate the same thing when it comes to the digital world.
On the one hand, you have companies, digital companies that provide goods and services. Whether you're Facebook, you're providing a social network service, but even more you're actually providing an advertising service and selling space on your social network for advertisers to basically reach out to consumers; the same for TikTok, for instance.
On the other hand, you have Google Maps, which is a map service which Google offers, but at the same time, eventually we might pay for that service—or at least that brings us back to Google and Google can collect data on where we're going and sell that back to advertisers so they know where we've been and what we're looking at. These are all examples, Alipay, Visa, financial services, but underneath there's a lot of data that takes place, right? They offer payment services, but it's generated by data.
Whether it's cloud services, Amazon Web Services, Microsoft, now all the data goes onto the cloud and it crosses borders but this is a service. Underneath, there's the data, but the data itself is not necessarily what's traded in terms of a valuable transaction, even though the fact that data moves across borders, it's vital for these companies to function.
And the same for Netflix and Disney. They offer us movies and TV shows. But those are services, again, that are being offered to us. Or if we download, that then becomes a product, a good. So we really have to differentiate between digital goods and services and data flows on the other, even if sometimes it might be difficult to actually make that distinction. But I think when we talk about governance and especially when we talk about the role of trade agreements, that distinction becomes more and more important. And we can get back to that in the Q&A. Next slide, please.
[The slide is titled, "The Data Trilemma." A red triangle is in the centre. Its three corners are labelled "Free Data Flow," "Trust," and "National Data Protection," respectively.]
So in terms of thinking about data governance and data flows, I think it's valuable to think of it in terms of a data trilemma. And what that means is that basically you can't get the three sides of the triangle together. You can only at best get two of them. So if you want national data protection, you want to have your own regulation in terms of data, but you want to allow the free data to flow, the danger is that there might be a trust issue because you might have very good regulations but once the data leaves, you don't know what happens in another country, how they will deal with that data.
Right now, we're hearing how the US is trying to ban TikTok and potentially WeChat. There's a whole issue around Huawei when it comes to the Chinese and what happens with the data if the Chinese get their hold of it. So then there's the whole question of trust. And on the other hand, if you want free data flow between countries but you want a high level of trust, then it becomes very difficult to have purely national data protection regulations and standards and governance. Then you have to have a multi-country data governance or data standards area where data can flow within that region, but everyone follows the same rules and therefore we can create trust around that.
So I think it's a nice way to think about the issues that we're facing when it comes to wanting free data flow across borders. But at the same time, how do we ensure that businesses and governments and people trust that that data is protected, that data is safe, et cetera? And if you have just national data protection, then the danger is that different countries are going to have different regimes and potentially that reduces trust. So it kind of brings it to the international or supernational level, which is in a way what the EU does. Next slide, please.
[The slide is titled, "3 Digital Realms: Splinternet?" Side by side are the flags for China, the EU, and the US. A double-sided arrow spans their width, with the label "Independent National Data Regulation" on the side China falls on and "Free Cross-border Data Flow" on the US side. China and the EU are in a box labelled "National/Supranational Laws and Regulation," and the US is in a separate box labelled "FTAs." Each flag has another label beneath it: China's is "Cybersecurity Law," EU's is "GDPR," and the US has "USMCA."]
With that—and I'll finish here before I pass it on to Blayne—what we're seeing now is really three digital realms. One of the big questions that is on everyone's mind is whether this is really going to lead to some kind of splinter net; the fragmentation of the Internet, potentially, at least between China and the West, but potentially even between the three realms. On the one hand, where the focus is really on free cross-border data flows, you have the United States where they've really decided to kind of manage data flows through free trade agreements. The prime example, obviously, is the USMCA or CUSMA in the Canadian perspective.
At the other end, you have independent national data regulation; this is where China is. And in the middle, you have the European Union with its GDPR. But what's interesting is that the US is trying to maintain free cross-border data flows and impose some of its views on others and blame—we'll talk about that in the context of the USMCA or CUSMA. But you also have China and the EU that are trying to extend their realm to other countries. China does it through what it calls a Digital Silk Road, which kind of overlaps the Belt and Road Initiative and trying to bring these countries inside the Great Chinese Firewall, whereas the EU, what it does is try to extend its GDPR regime to other countries by saying, "Well, if you want to be able to trade and flow data with us and especially personal data, you have to be compliant or adequate with the GDPR regime. And only in that context can your data flow to your country and vice versa."
So it's trying to extraterritorialize its regime, and Canada falls between, in a way, the EU and the US in terms of how it is. And it'll be interesting where things will go. And then we're trying to—the word here is interoperability. And we'll see how much Canada can maintain its interoperability, let's say, between the EU regime and the US regime in the future. But that's certainly one of the big challenges. I'll stop here. Thank you very much.
Mark Schaan: Thanks so much, Patrick. That's very, very helpful. I think we'll now turn to Blayne Haggart to continue on and look at data specifically in the context of the Canada-US-Mexico agreement.
Blayne Haggart: Yeah, thank you, Mark. Thanks for the invitation to speak here today, and thanks to everyone for taking time out of your day to listen and to participate in the event.
[A new slide show begins. The title slide reads, "Data and the USMCA. Blayne Haggart, Graduate Program Director, Associate Professor, Political Science. Brock University." The next slide appears, titled "USMCA: A highly consequential agreement." Two bullet points read, "Precedent-setting data rules" and "Agreement structure: Review and sunset clause."]
As Mark said, in my comments I want to focus on the USMCA's effect on data governance. Now, this agreement has a reputation for being really little more than an update of NAFTA. People have been making fun of it for a long while now as being simply a Donald Trump branding exercise by a president who doesn't realize that they just changed the name of the underlying agreement. But I've never been really convinced by that argument, and I would point to at least two parts of the agreement to signal that the USMCA is more than just a branding exercise, but in fact, it will have significant new effects on the future of the Canadian economy and on how Canadian policy making is conducted.
[Blayne's video window fills the screen. He is a white man with shoulder-length curls. He wears a blue and white striped button-down shirt. Blayne sits in a home office. An overflowing bookshelf sits off to one side, and a piano keyboard is against the back wall below four paintings.]
And as the slide suggests here, the two parts are the rules of the USMCA as it relates to data and also the overall framework of the agreement. And to give away the ending of my intervention, I believe that these rules are going to make Canadian policymakers—so everyone on this call, pretty much, or whatever we're calling these things these days—it's going to make your jobs that much more difficult when it comes to crafting data and digital policy that reflects Canadian needs and our particular interests. Next slide, please.
[The slide is titled, "Lessons from intellectual property negotiations." Three bullet points follow:
- "1995 Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS)
- Key US interest
- Other countries: Little understanding of IP's importance"]
To understand why the USMCA is so consequential, in order to deal with this blind spot that's developed regarding the agreement, I find it useful to compare its treatment of data to how previous agreements have dealt with another foundational issue in the knowledge economy, namely intellectual property. In both cases, we have a situation where trade negotiators and policymakers outside the United States were slow to understand both the importance of IP and now data, and the effects of these new rules that they were negotiating.
Back in 1995, the world negotiated the agreement on Trade Related Aspects of Intellectual Property Rights, or TRIPS, as part of the package that created the World Trade Organization. TRIPS instituted strong and enforceable global levels of intellectual property protection, and the United States and its IP-based industries—think pharmaceuticals, motion pictures, that kind of thing—they were the main forces behind it, and it was one of the United States' main demands for creating the WTO in the first place.
Now, other countries went along with this mainly because they saw it as a trade-off to get what they wanted in other areas. But the big problem was that countries that were signing on to this did not really understand what they were signing on to. For example, Australia, to just take one country as an example, they thought because of this agreement they would end up becoming an intellectual property superpower—even though the rules of TRIPS, by giving more power to those who control existing intellectual property, i.e. US-based companies—it actually cements a subservient relationship amongst IP owners and IP users.
TRIPS also inaugurated a world in which trade agreements started to become less and less about traditional tariff issues and more about things like IP and now data. Some of the reasons for this is because tariffs themselves, particularly after the WTO, they are at world-historic lows, so that means that the overall gains that a country, except for the most protected sectors, would get from any further tariff cuts are relatively minimal. But instead, agreements like USMCA and as well as its kind of more regional predecessor, the Trans-Pacific Partnership—these agreements have been more about locking in rules in other areas, including IP and data. Next slide, please.
[The slide is titled, "USMCA as a data/IP agreement." Four bullet points follow:
- "Chapter 19: Digital Trade
- Art.19.11: No restrictions on cross-border data transfers
- Art.19.12: No data localization
- Art.19.16: No requirement for access to proprietary source code (e.g. algorithms)"]
You fast forward 22 years from TRIPS and the USMCA is repeating the same kind of history that we saw with TRIPS, only this time with respect to data. There are new rights and obligations that we find in the USMCA—mentioned only a few of them here. Article 19.11, saying that there's, there should be no restrictions on cross-border data transfers. Article 19.12 says you won't be able to, except in very certain circumstances, to require the localization of data in your jurisdiction. Like I said, there are some loopholes there. There's a little bit of room for innovation on that area in terms of policy. Article 19.16 basically says that you're not allowed to regularly review a proprietary source code such as algorithms on a regular basis, for example, for regulatory reviews.
Now, in terms of these rules, Canada finds itself in a very similar position to Australia in 1995. Data as a commodity and the larger issues of the effects of these transfers of data and how data should be regulated—these are all very new issues and everybody is still trying to figure these things out. And this is what CIGI's Dan Ciuriak, who I believe appeared at an earlier event in this series—it's what he means when he says that data itself is not treaty ready. However, by agreeing to these rules and a trade agreement, we've effectively pre-empted a necessary debate over what is in the best interest of Canada on these issues.
And there are also good reasons to believe that these rules are kind of designed to cement the power and influence of the existing transnationals capable of collecting and processing data at scale, namely US companies like, for instance, Google. As a result, Canadian policymakers will have to be very creative in working within these limits to come up with sound policy. Next slide, please.
[The slide is titled "Imperial North America: USMCA's effect on policy autonomy. A list reads:
- "NAFTA: Hard to change
- Market access: The US carrot and stick
- USMCA Art.34.7: Review and Term Extension
- Sunset clause: 16 years
- Regular review at 6 years"]
The problem, though, with this creativity is that the USMCA also limits the effectiveness, or at least has the strong potential to limit the effectiveness of any creative idea you might come up with. To understand why, think back to another intellectual property event that Canada was involved in, namely our last big digital copyright reform from about 2005/2006 to 2012.
Now, one of the unsung benefits of a trade agreement between a larger country like the United States and a smaller country like Canada is that it increases the smaller country's potential to exercise autonomy in its domestic policymaking, especially in an era where trade agreements are increasingly more about domestic policy than stuff that just happens at the border.
The United States sees copyright and intellectual property as a core national interest. It's part of its national security strategy, which is the same document that deals with nuclear and military capabilities issues and the big geopolitical stuff. Yet Canadian digital copyright reforms unfolded largely in response to our national politics. The United States lobbied hard and it certainly was listened to as a lobby in this debate. But at the end of the day, its economic might and Canadian economic dependence on the United States was not decisive. And the result was a largely made in Canada copyright reform.
The reason we were able to do this was largely because of the existence of NAFTA. The main way that the United States is able to convince other countries to implement its preferred IP laws is by either offering access to its market or by threatening to cut off this access. But NAFTA guarantees Canadian access to the US market, so this tool was off the table for them.
Even though the USMCA looks like a trade agreement, it's not your parents' NAFTA mainly because even on implementation, it does not provide secure long-term access to the US market. Article 34.7 introduces a 16-year sunset clause with regular reviews after six years. Data, I would argue, is seen by the United States is at least as important an issue as copyright, and it's become a foundational part of the US economy tied to the rising importance of intangibles that Mark mentioned earlier. So they are going to be paying very close attention to this issue, and their interests and the interests of large companies are not necessarily the same as those of smaller countries or emerging companies. This review process means that in six years, this stick is going to come back out.
If Canada figures out a smart way to protect Canadian interests in data, this will potentially be on the table with the threat of the overall loss of the access to the US market or preferential access to the US market hanging in the balance. Because judging by past behaviour, they will take this opportunity offered by the de facto regular renegotiation of an agreement to address any Canadian innovations that they may deem not to be in their interest. Also to highlight, this is a bipartisan issue in the United States, so it's not going to go away if Trump loses in November.
Now, this change signals that, or at least my big worry here is that it signals that we're moving into what I think of as almost being an imperial phase in North American relations with a clear hierarchy of countries' interests amongst the three countries characterized less by mutually agreed upon rules than by the potential for more coercive and power-based approach to regional economics, backed up by the omnipresent threat of the removal of secure access to this market. At the very least, these rules on the sunset clause and the regular review means that for those of you on this call, when it comes to crafting sound and lasting data policy, I think you'll have your work set out for you. I'll leave it there.
[Blayne smiles. A new title slide fills the screen, reading, "Why data is difficult to negotiate, yet negotiations at the WTO proceed. Susan Ariel Aaronson, Research Professor of International Affairs & Director of the Digital Trade and Data Governance Hub. GIGI Senior Fellow."]
Mark Schaan: Thanks so much, Blayne. Quite a lot there. Obviously, that we'll hopefully have a bit of time to unpack when we get to the questions. I'll now turn to Susan who can walk us through a little bit around the WTO aspects vis-à-vis data.
Susan Aaronson: Hi everybody, and thank you so much for attending. If we could go to the next slide, please.
[There is a brief pause.]
Can we go to the next slide?
[The next slide is titled, "Why is data different?" Bullet points are listed below:
- "Data is at root of new economy, but data is different from other services...
- Data is essential to democracy, good governance, accountability
- May not be associated with a transaction when flowing across borders
- Can be a good, service and/or both
- Unclear location, so hard to tax or apply custom duties. Unclear if export/import."]
OK, so first I want to talk about why data is so difficult to both understand and to plan for, and how that might affect how we negotiate trade agreements. Data is something different, right? We've already talked about—Patrick already mentioned that data can affect not only an economy, but also the strength of a democracy.
[Susan's video window fills the screen. She is a white woman with chin-length wavy brown hair, and she wears a black, white, and blue patterned blouse. Her camera is angled upward so we see the ceiling, half of the windows, and coats hanging on a rack.]
We've seen how disinformation can bring down governments, whether it's about COVID-19 or the truth about what Trump is doing or any other government leader. It's essential to democracy, good governance and accountability. The other thing is that it's really unclear if trade agreements are the right place to govern data because we don't know when it is an import or an export, because it travels across borders in nano sections and it's hard to pin down location. Also, it may not be associated with a transaction like if you still use Facebook, that evil platform, unless you're buying something, you're looking at something on Facebook, there's no actual trade that is occurring because you're not exchanging money. Next slide, please...
[The slide doesn't change.]
Can you move to the next slide?
[There is a short pause. The slide changes. Susan's audio cuts off slightly as she speaks.]
Can someone move to the next slide? OK, thank you.
[The slide is, "Why is data difficult to negotiate? Key questions for rule-makers." Questions follow:
- "What kinds of data are covered?
- Should it include rules governing the mixing of data?
- Should you create explicit rules or rely on the broad exceptions (e.g. for malware, disinformation, cybersecurity?)
- Should you require open public data and personal data?
- Should you have rules regarding specific data driven sectors (such as AI, 3D printing) that totally alter comparative advantage and can affect democracy and autonomy?"]
All right. So that in turn affects negotiations. If you're trying to negotiate a trade agreement such as that of the WTO, where you have lots of economies that are already transitioning like Canada to an economy built on the monetization and analysis of data, the first thing you have to ask is "what kind of data should be covered under this agreement?" Should it cover metadata? Should it cover Internet of things data, sensor to sensor data? Yesterday I was in a discussion with the Justice Commissioner of the EU and he said they're actually considering making different rules to govern certain types of companies. For example, he said a Ford Motors use of data is very different from, let's say, TikTok's use of personal data. And so he thought that's something that we need to weigh.
You've got to decide what kinds of data you're going to include, and I would say in trade agreements that would include proprietary data, personal data and public data, and that is data that is provided for or funded by government. If my research is funded by the Canadian government, it should be open and available to anybody under a trade agreement.
Should they include rules governing the mixing of data? Then, if there are certain things you want to ban, whether that's malware or disinformation or spam, do you create explicit specific rules or do you rely on the exceptions? And then some normative thoughts, like in Canada—Canada is a leader in the open government partnership. But other countries don't have that same tradition of that feedback loop, that good governance, or they don't have rules governing personal data. Something like only 74 percent of all countries have such rules. So, do you require those rules?
And then, do you go sector-specific? Should you have specific rules related to specific data-driven sectors such as AI and 3D printing that have huge effects on the economy and the policy? That's something to think about. Can we move to the next slide? Thanks. OK.
[The slide is titled, "No shared objective for e-commerce negotiations." Three boxes of varying shades of green are filled with text. The first reads, "No one agrees on what they are talking about. No shared definition of e-commerce. Some states are negotiating e-commerce, others are negotiating e-commerce and data driven services." The second reads, "No shared conception of what are 'barriers' to cross-border data flows—all nations including democracies filter and censor. All states hoard some types of data and require some types of data to be stored within country borders." The last box reads, "WTO may be wrong venue. Negotiators are discussing the governance of data with significant implications for access to information, freedom of expression, democracy, good governance, and economic stability."]
When I looked at these trade agreements, honestly, I do find this kind of shocking. Whether it's CUSMA or whether it's even DEPA, which is the most recent and probably the best trade agreement that deals with these issues because it's built on trust, we are negotiating way too soon for several reasons. First, because are we really talking about e-commerce or are we really talking about data, e-commerce and a wide range of services built on data, like 3D printing or AI? So that's the first thing.
Secondly, what are these barriers to cross-border data flows? The United States defines this differently and its definition has changed dramatically under the Trump administration. The United States has, in my mind, become extremely protectionist with bans on Chinese apps. In my mind, that's totally crazy because you can't have such a ban and say you believe in the open Internet, which is the US position. The US position still remains for the WTO to call for the free flow of data with some limited and very clear exceptions.
And then one thing that we found, and I'll show this in the next slide, we're having this negotiation in secret among countries. And at the same time, we're all deeply worried about the governance of data and what it means for human rights, such as access to information, what it means for us as individuals, our autonomy, our freedom of expression, how we work together in groups to build a civil society and even economic stability.
If we could go to my final slide.
[The presentation shifts to a slide titled "Latest research for CIGI." Bullet points follow:
- "We examine every public communication re. e-commerce 1998-2020. Issues remain the same—e-commerce moratorium on customs duties and concerns of developing counties.
- Must develop internationally accepted and interoperable rules
- Find a grand bargain of giving developing countries what they need re. capacity building, time to learn governance, in return for shared rules. Meanwhile, US, China must find common ground re. national security concerns regarding data driven tech. build a constituency through trust."]
Thanks. In this project that we just finished, we looked at every communication from 1998 to 2020 at the WTO that was open. Here we have the secretive negotiation, but yet, for 22 years—the actual negotiations include 85 countries. Since 1998, the WTO has had a work program and a work program just means "we're going to research what we're going to talk about when we eventually have a negotiation." But since 2019, beginning with 76 but now 85 countries are actually negotiating.
Susan's audio glitches occasionally as she speaks.]
And what we found was pretty shocking: some countries make their negotiation, their positions public. Canada is one of those countries. It's very rare. We found eight countries, something like 10 percent of the communications were actually negotiating documents so that's pretty small. What countries were using these documents to do was to signal and what they seem to be saying is there's something inherently unfair about this. First of all, many of these countries don't even have data-driven sectors, so they don't know how to govern them or put in place rules for protecting public data, protecting personal data. Developing countries are saying that they need time, they need to learn this governance if you're going to demand shared rules.
Then we also see, of course, the US-China tug-of-war, which I think is extremely dangerous, and one can only hope that Biden, when he is president, ends this, or at least lessens it, because these two nations hold so much of the data-driven sector and the world's peoples' data. So we've got to find a new way to do this that is built on trust. And I look forward to hearing your questions. Thanks.
Mark Schaan: Thanks so much, Susan. And again, lots there, and I'm sure we'll pick up on some of these thematics as we get to the questions.
[A new title slide appears, featuring the logo for Magnet Forensics. The "M' is stylized like a magnet. Text below it reads, "Data-Driven Business Across Borders: Implications for National Prosperity, Security and Values. Neil Desai, Vice-President. Senior Fellow, CIGI."]
Last, but certainly not least, I'll turn to Neil, who will give us both a practitioner in terms of actual ethical face of living this out in a firm context, but also some of his thoughts given his other hats that he wears. So over to you, Neil.
[Neil's video window fills the screen. He has deep brown skin and short black hair. Neil wears a maroon shirt under a black sport coat. His camera is angled upward so we see the upper halves of the light blue walls behind him and a section of the ceiling.]
Neil Desai: Thanks so much, Mark. And thanks to CIGI and the Canada School for this kind invitation. Next slide, please. I'll just tell you a bit about Magnet Forensics, not because I'm trying to sell you something, but I think it's important to see the context of data-driven business and how governance affects it from the bottom-up dynamic.
[The slide is titled "Magnet Forensics." A subheading reads, "Digital investigation software used by the global police, national security and other public/private organizations in their investigations." A list of bullet points follows:
- "Founded in 2009, by a Canadian police officer
- Software tools to recover, analyse and report on digital evidence from smartphones, computers, IoT and the cloud
- Becoming a standard tool for investigations of cyber-enabled and cybercrime
- Headquartered in Waterloo with a presence in Ottawa, US, Asia-Pac, EMEA and LATAM"]
We are about a 10-plus-year-old company founded by a Canadian police officer in Waterloo, Ontario. He was working on a couple of cases where children were being lured out on social media—a very common thing now—and it really bothered him, so he created some technology originally to recover critical evidence in those investigations, and Magnet Forensics was born.
Really what we do is we create technologies to recover, analyze and report on digital evidence in a lawful fashion from smartphones, computers, IoT devices and cloud-based services. We're quickly becoming a standard for investigations globally. We have about 300 folks between our head office in Waterloo and Ottawa, as well as presence globally. Next slide, please.
[The slide is titled "Trusted by over 5000 agencies in 95 countries. Law Enforcement, National Security and Other Public/Private Organizations." Two dozen logos for various police departments and security agencies fill the screen under sections for Europe/Middle East, Asia-Pacific, North America, and Central/South America.]
I'll just mention that we have about 5,000 public and private organizations with investigative authorities in 95 countries using our software. We're extremely proud of the 12 federal agencies in Canada using our tools as well as the municipal and provincial partners. But Canada does make up five percent of our business, only five percent. I think that's also important to keep in mind as we think about data-intensive business and that that's pretty common for globally scaling businesses. Next slide, please.
[The next slide reads, "Data is essential to modern business. It is consequential to national prosperity. National security. And the expression of national values and sovereignty. But it doesn't flow free or equally."]
So I'm really giving you that background, not because I think we're unique. I think there are hundreds of Canadian companies that have the potential to create or own a large market share of business verticals that didn't even exist a few years ago. But I do believe our specific experience vis-à-vis government in Canada and globally that impact the scaling of our company is important to you because they have natural parallels to other data intensive sectors, and I also think the evolution of traditional industries such as manufacturing that a lot of folks in government are thinking about.
Beyond the pure economic considerations, I also think there are some real important governance approaches to the data that have outcomes in the national security context, as well as the expression of our national values and sovereignty. And just so we're all on the same page on definitions, I'm really simplistic. I consider the role of government to be to secure citizens in a holistic sense, preserve and grow their standard of living and to do so in a way that's congruent to the overarching values we hold that for me are largely freedom, democracy, human rights and the rule of law. Next slide, please.
[The slide is titled "Data // National Prosperity." Text reads, "Fundamental to the development of wholly new industries and transformation of legacy sectors. Access to critical data is highly nationalistic. Governance is dispersed. And it is winner takes all."]
It's often said that data is fundamental to the formation of new sectors or the transformation of traditional ones, and I honestly believe that's not hyperbole. I think our example is a great one for that. The sector is about 10 years old. The market's valued today at around four billion dollars on the product side and the services side alone is worth 2.9 billion last year in the US. That's just the US on the services side. It's growing around 15 percent, compounding annually.
The largest customers today is policing, globally of these types of software, but it's dispersing around the Fortune 500, as well as other agencies needing to do investigations. It's interesting to note that policing has about 90 percent of their budget today tied up in personnel, but almost every crime today has a data component. So think about your smartphone, tablets, computers, IoT devices like ring doorbells and Nest thermostats and how much they data they generate every second. Every one of those individual pieces of data can be critical to an investigation.
The most common use of digital forensic software is the investigation of child sexual exploitation. It's commonly and improperly referred to as child pornography. It's a crime that's blown up in the Internet age, as have other cyber-enabled crimes like human trafficking and hate speech. So our industry has grown out of immense need. These aren't crimes that policing can simply hire their way out of. Even if they had the money to add officers to do these investigations, there's a global shortage of cybersecurity and forensics professionals. And looking at these horrific types of crime images and videos all day, every day is resulting in terrible forms of PTSD amongst the investigators.
So this is where I think most forward-leaning leaders and public sector in policing realize that the organization has to be transformed. But fundamental to that transformation and what we think about every day is how do you leverage data to be a key enabler of that? There's obviously laws about how such sensitive data is managed in most modern countries.
Here in Canada, despite being a Canadian company, we're not doing any of our strategic AI work with Canadian police agencies. We did have discussions and legal negotiations for two-plus years with the federal government. Around the same time we started, a foreign player skipped over official procurement and went straight to the users and gave them software tools for free, knowing the value of their products would grow over time and become indispensable if they get into the "supply chain," a term often used but not fully understood in a data context.
We see this a lot in procurement in Canada. Practically speaking, this governance doesn't really reside in trade agreements around data. This is about business practices, unwritten governance, about decisions made at the operational level. I'm often asked by former colleagues on the trade side as to how these newer trade agreements are faring and are they improving the situation or are they making our business more competitive? And I feel terrible to tell them these types of stories because frankly, we're in businesses that will have hundreds, if not thousands of percents of margin. So reducing tariffs by ten to 20 percent are meaningless in a long-term winner-takes-all type business. Much of what we're coming up against in the digital economy related to data-intensive business are nontariff barriers; that could be governance related to operations, procurement, legal review and as well as the regulatory and policy levels. Could we move to slide six, the security slide?
[The slide reads, "Data residency requirements do not apply to the majority of critical data putting public safety at risk. Threats are both geopolitical and criminal in nature. Technological advances are outpacing governance responses. These trends are only accelerating."]
In the realm of security, I know we have data sovereignty and privacy requirements for public sector data in Canada, and that's great. But we see in our business the immense volume of private sector-related data related to national security and public safety investigations. This could be data from social media providers, e-commerce sites, smart technologies like wearables. And the reality is very little of this data resides in Canada and our laws around evidence have not kept up with digital advancements such as the cloud, which make a crime totally remote, a natural phenomenon now. The lack of meaningful public policy and global collaboration around data as evidence is well known by both state actors and sophisticated cyber criminals and it's being exploited daily.
There are some solutions right now in the public policy realm. I'll just note that the US passed a law last year called the Cloud Act, which speeds up the transmission of data when there's a valid court order in an investigation. They're signing treaties with countries that hold a lot of cloud servers—Ireland being the first. I don't think we're having similar policy discussions in Canada, and I think that's troubling.
We are not able to throw our weight around when it comes to moving large, FANG-sized companies into getting data when it's lawful, when Canadian courts are demanding it. And that's frankly putting public safety at risk. The longer an investigation takes, there are studies that show the less likelihood of a successful conviction or exoneration, for that matter. I think we have to keep that in mind.
Regardless of what the US is doing on the cloud act or what our response is to that, we are also not creating governance that's flexible to go where technology is going. Even if we were to pass the Cloud Act today, it wouldn't respond to, say, layering on the block chain on top of the cloud because we have a partner country where we can issue that court-ordered treaty-based process where they will help us get the evidence from a private sector player.
But if the data doesn't sit in any one jurisdiction, which jurisdiction do we go to to execute our court orders in the future? So that would be a block chain example of how our governance is falling down on where technology is going. We switch to slide seven, please.
[The slide is titled "Data // National Values + Sovereignty." Text reads, "The data that enables development becomes the de facto standard. The norms, values and laws where technology is developed are transferred to where technology is used. Jurisdictions that don't have globally relevant technologies will see their sovereignty erode."]
I mentioned values and as we come to that data and values discussion, I think it's pretty self-evident that if we as a country are largely dependent on foreign technologies for critical public service delivered through tech in our health care, our public safety and our education, we're putting our sovereignty at risk. But I also think we have to be cognizant that we're going to be bound by foreign laws and practices around data by fiat.
I think this has implications outside of the public sector. I'll just put this in practical terms: at the height of COVID, if all of our small businesses only had the choice to sell on Amazon, to sell online, we would be subservient economically to a foreign player, but we'd also be, I would say, subservient legally to foreign jurisdictions who may not be as interested in, say, non-competitive behaviours that injure Canadians from abroad. And I think that's some news that's coming out in the last few days that might be the reality.
It's why I really believe there are some opportunities to create competitive data-intensive businesses with different visions and values, which I believe, for example, is critical to Shopify's ascension. Yes, it's great tech, but I actually think they brought a different vision and a different set of values to a common business problem.
I also think that might make people feel a little comfortable that there is a globally competitive player, but I should mention we don't have globally competitive players in other platform areas of technology which are ultimately eroding our democracy, our rule of law and the protection of our vulnerable populations.
I might come off as an economic nationalist. I'm really not. I'm a realist. I just feel we have to be eyes wide open when we're adopting foreign data intensive tech in our public sector as well as in our private lives, and understand the impacts are having on us as individuals, our society and our broader sovereignty. Last slide, please.
[The slide reads, "Governance matters. Prosperity, security and values/sovereignty are intertwined. Get to know your growing tech companies."]
I might have painted a bit of a bleak picture for you. I'm not going to sugar coat it. Much of the work we do day to day at Magnet is pretty dark. The world is getting a bit dark in the Internet age. It is a bit of a Wild West when it comes to data and the criminal element. But I will say I'm always motivated by the passion, commitment and national pride of the civil servants we work with on addressing the critical issues around cybercrime.
But those personal traits won't go far enough. We have to acknowledge the importance of governance in these questions and create government structures that are more flexible to the realities of data-driven business and in a data-driven global economy. And that really goes well beyond trade agreements. I think there is dispersed governance happening and we don't realize that a lot of it is happening in some of the farthest reaches of government. I think we have to align all of our governance structures to be more flexible, as I mentioned, but also focused on three things: the prosperity of Canada, the security of Canada and the values of Canadians.
These don't have to be short term imperatives; I think these are long-term, but we really do have to have that focus in all areas of our governance. And I really don't think you as civil servants have to go at it alone. I believe there are proud Canadians doing credible things today at start-ups and scaling technology companies. I think you'd really benefit from getting to know them and understanding the challenges they face in the sectors you are thinking about every day. And they would benefit from better understanding government and the consequences of governance to their business. I think this has to happen before we get to the point where we hit critical moments. We have to have these moments of understanding much earlier. I'm going to leave it there and hopefully we can get to some specific examples in the discussion. I'll turn it back to Mark for that discussion.
[Mark, Susan, Blayne, and Patrick's windows reappear alongside Neil's.]
Mark Schaan: Thank you, Neil. And thank you to all the panelists. These comments are very interesting and very helpful.
We covered a lot of grounds. Thankfully, I get to be the one asking and not answering the questions because there's lots of the stuff that we covered today that I would be hard-pressed to know exactly where we might land. Maybe I'll start with an open-ended question for all of our panelists.
You talked about a trilemma, Patrick, that builds off of the work that you and Susan have done about this notion of national policies that potentially set out safeguards and rules, but then this international imperative to basically continue to allow for data flows and for continued sharing of information, and then this concept of trust. I would actually even add in maybe more contours to this kind of multisided die of objectives. There's an element of personal privacy, protection and autonomy that sometimes comes up against things like national security and continued preservation of the public good as that's defined. And then potentially also geopolitics and the continued necessity for both trading relationships, but also domestic sovereignty. In so many cases, it's challenging to know what you optimize for.
So maybe I'll put you all on the spot a little bit. This isn't in the standard questions, but to ask you, each of you to say, what do you think we should be optimizing for in a data-run environment, recognizing that many of these things are often in tension with one another and that we're not always going to be able to produce the magic unicorn that allows for a happy geopolitical relationship while preserving privacy, while also ensuring national security, while also allowing for sovereignty and domestic autonomy. I don't know who wants to start, but maybe that's the kick-off question.
Patrick Leblond: Should I start? I guess you put me a little bit on the spot, so I'll go first.
[Mark and the other participants chuckle.]
I mean, obviously these are challenging and I think the trilemma is the way Susan and I looked at it, is the notion of trust is very broad and probably the least well defined in this idea. When you talk about protecting privacy and protecting national security, in a way they all fall within the trust element where you have to make sure that when Canadians' data—whether it's business data, government data or personal data flows outside the country—in what way is it protected? In what way does it endanger people personally in terms of putting them at risk in a way that Neil talked about? Or does it put in a way the government or the national security at risk?
That's the notion of trust, right? If people are going to trade data and more and more as they become aware of the risks associated with this data moving and sharing, are they going to trust it? More and more of what we see is that people become less and less trustworthy. And will there be a point where people will not accept? As, again, Neil made very clear, but also Susan, in terms of democracy, it is the role of government to protect these things. And that's really a major challenge in terms of how do we do this? Because we have to achieve all these objectives at the same time.
The trilemma shows that if we all tried to do it individually, then that creates a problem. That's really how it's going to work if we do our own thing, the EU does its own thing, the US does its own thing. We're seeing it with the whole privacy shield between the US and the European Union where now, it hasn't really started, but already there are risks that companies—I think it was potentially Google now—that could not move data out of the EU back to the US. How is that going to affect business? The whole notion of Brexit is potentially going to make it very difficult for UK companies to actually bring data, share data with the EU. Therefore, how is that going to affect trade, for instance, between these two countries or even the ability of financial services companies operating?
And that's just one example of the fact that, a little bit like climate change, we can't go at this alone. And at the same time, we cannot take commitments, as Blayne made very clear, in free trade agreements that then kind of tie our hands at the national level. So it does require looking at our like-minded friends and allies who share the kinds of values that we have to say, "OK, can we agree on certain standards the same way we've done with financial regulation?" We have financial standards. We have international organizations—doesn't mean that all countries are there, but it creates best practices. It creates best standards that then other countries are invited to adopt. And within that, our financial system feels relatively safe. So maybe that's the kind of model that we should aspire to.
Mark Schaan: Thanks, Patrick. We'll come back to that, I have no doubt. I know Neil wanted to get in there and so did Blayne, and I have no doubt Susan does, too. So I'll turn to Neil next.
Neil Desai: These issues are deeply intertwined. We want these things to be nice and simple where the Department of Finance deals with the economy and public safety with public safety. And the reality is—I don't think the government, and I don't mean the Government of Canada, I mean public sector in Canada, broadly speaking, is well structured. We have to start thinking of some new ways of dealing with these types of issues.
I'll make one practical example. Our national security agencies are reviewing a data-intensive foreign player, Huawei from China, whether or not to include them into our 5G networks in Canada—and this is common among The Five Eyes countries. At the same time, there are 12 research partnerships at 12 different Canadian universities going on for 6G technology with Huawei and AI, two data-intensive businesses. The left hand really has to start talking to the right hand because I would argue the security implications and the prosperity implications for Canada are greater at those 12 universities in a practical way than we actually know on the 5G technology, where we have some inferences on the threats to public security coming out.
What I'm offering here isn't a solution; I'm offering a very tough challenge. How do we reform our governance of this country so that we can all be focused on the prosperity of Canadians, the security of Canadians and the values that we like to hold near and dear to our hearts?
Mark Schaan: Yeah, and Neil, we'll come back to that, too, on whether or not it's more joined up than it may seem at times, but I totally agree that it's playing out in multiple theatres. Blayne and then Susan.
Blayne Haggart: Sure, thanks. Yeah. Just a couple of thoughts from your question and also what Patrick was saying about his and Susan's trilemma. On the trilemma, it seems to me also along the lines of trust, you could also put in their shared values like a kind of an understanding about where everybody's coming from. And I think that would fit very nicely into the idea of trust.
In terms of what we should maximize, one of the things that I'm getting from all of our presentations is just the extent of how many different issues are tied up with respect to data. It's not just about buying and selling tractors. And so a lot of stuff is going on here. The fact that we don't understand all these things—the four of us are trying to figure these things out; everyone's trying to figure these things out. To me, that means one of the things that you would want to maximize in this situation is domestic experimentation; basically, country by country experimentation to try to figure out where we stand. How do we stand on something—when should data be open? Because people push for the idea of open data as being the solution, but sometimes you don't want to have open data because, for instance, if you have open data coming out of a municipality and allow anybody to come in and use that, not every company has the potential to maximize their use of open data. So you could end up in a situation where, for instance, Google, to take one example completely randomly with respect to smart cities, could come in there and dominate small start-ups.
These are questions that have to be talked about. We have to think about these things domestically where the values and the governance are—certainly in Canada, we've got lots of different communities and disagreements. But you're going to have more of a common language within a country than outside of a country. And beyond that, what you would want to try to aim for is something like what the economist Dani Rodrik would call "thin globalization," of figuring out, "OK, we're not going to be able to come to strong agreements." And something like USMCA probably goes way too far. But there are certainly some bare standards and things that everybody could agree on that level.
And for that I look back to, for instance, the original kind of intellectual property agreements from the 1800s where the whole idea there was this was the minimum consensus as opposed to what we ended up with in '95 where, basically, kind of a maximalist approach that was then imposed on other people. It's kind of what's the bare minimum we can all agree on. And that would be a very nice starting point for these discussions.
Mark Schaan: I may also come back on that in terms of minimum common product, maybe lowest common denominator on things like privacy, but we can come back to that. Susan, I'm sure you want to get in here as well.
Susan Aaronson: Well, it seems to me that the data-driven economy and innovators are moving faster than governance, right? And that is not a recipe for building trust. There is a trade agreement that I briefly mentioned before that called DEPA, which is the Digital Economy Partnership Agreement between Singapore and New Zealand.
[Susan's audio cuts out occasionally as she speaks.]
And I think it is really interesting because it begins with trust as... essential. And so if you proceed from that notion that it's not just about ensuring data flows that benefit business, but instead it's about building trust amongst the providers of personal data and the consumers of data-driven services. If you begin with that premise, then you are more likely to resolve Patrick's trilemma and to build faith that governance is effective and equitable. But I fear that we're all in this rush to foster trade agreements that enable these data-driven flows without really thinking about what underpins successful governance. And I just wanted to thank the person that moved my slides.
[Susan and Mark laugh.]
Mark Schaan: Thank you, Susan. And maybe I'll turn to a secondary question that builds on the previous one—and maybe just to be provocative, perhaps. Two sides of the question are, one, do we actually think that there is the capacity to have a forward momentum on data regulation or data governance given the nature of data in that data is both, as we've all talked about in your previous answers, this diffuse, extraordinarily everything and nothing at the same time phenomenon that tends to incite small constituencies around very particular, very pointy examples of data utilization? So, the usage of facial recognition technologies in very particular scenarios like policing.
And then, on the other hand, these massive conceptions of all of the data that's being generated by our direction with the built environment and infrastructure. So, do we actually think that we can get some sense of where the values consensus actually is? That's one half of the question that you might want to interact with. The second half is even if we did, do we think the data is actually something that's governable in real terms?
And Patrick, you gave us the example of the financial securities aspects. Arguably, there's the same leakage issue that some people might refer to in that regard, which is having one bad actor is sort of like the equivalent of having a non-smoking in a smoking section or is this like having a non-peeing section of the pool? Can we actually have free flow data flows where the possibility for someone to taint the entirety of this environment—all the good actors stay in the nice consensus group where they've all agreed to do good things, but then the data flows immediately to folks that potentially aren't subscribed to the same good rules.
So, part one, do we actually think there is a growing consensus around values and norms around the usage of data, and might we be getting there? And then second of all, even if there was, do we think it's actually something that you can govern in an internationalized context, given the free flow of data as it stands? And I apologize that I'm using none of the questions that people suggested I use. So they're all winging it.
I see Neil wants to jump in first.
Neil Desai: Yeah. Taking this out of the abstract and bring it down the practical, I think we have to recognize that roughly speaking, 90 percent of the world's data is unstructured and more and more of that type of data is proliferating every day. And that will only increase as we get into more IoT smart devices. The self-driving car today, the prototypes generate a gigabyte of unstructured data a second. And as we bring on more things online, that's only going to grow. So I'm more interested in the 10 percent as opposed to big data—I would refer to as smart data, the valuable data that actually powers business.
But we're talking about these things as though governance is only at a state or public sector level, and I think the reality is more and more that governance is actually happening at the private level. Decisions in the code base are actually boxing in governance decisions in practical terms. So I'm not trying to say that I have any conclusion about this, but I also think we have to be on the same page when we're talking about a game. I think we all have to play the same sport here and realize that if we're going to govern something, let's at least make sure we're talking about the right things here.
Within that context, I think we also have to understand the business model today of large platform data-driven technology companies. I would equate them to colonial-era countries that are playing long-term, highly capital intensive, wealth-amassing efforts that are frankly marginally profitable today. But if they win the whole category, then they can turn over. And I'm not just talking about Google and Facebook. A company like Salesforce—Salesforce is really going to be the last main CRM for sales organizations to use. They bought everyone else. When no one's left and you're the only one who can provide data insights on how major sales organizations operate, you can then control price. So I think we also have to be very realistic of how the businesses are operating because they are the ones governing data today.
Mark Schaan: Thanks, Neil. Blayne, I think you wanted in and then—I think everyone wants in, so let's do Blayne next.
Blayne Haggart: Sure. I think it's a great question. Are we moving towards a consensus? I think absolutely we're moving towards a consensus because we're discussing these issues. I would strongly argue that these things are definitely governable, because one of the things that I take away from Neil's presentation and your intervention just now, is that there are rules governing these things. They're not always being set in the places where we normally expect rules to be set, but they're being set.
The question is never "Are these things governable or ungovernable?" Because obviously they're governable. Of course, we could set rules. We will set rules. There will be a consensus. It will not necessarily be a consensus that everybody is happy with. So the question right now that we're all facing is—basically, it's two questions. First of all, what is in the best interest of Group X? Say, what is in the best interest of Canada, but it could also be small business or individuals or whatever? And then, who's going to make the decisions? How are they going to be made?
The challenge is, at least for the Canadian Civil Service, to make sure that you start developing an understanding of these issues and to make sure that Canada has a seat at the table or the Canadian government, since this is who we're talking to today, has a seat at the table when we are discussing these things. But, of course, there will be a consensus, and there will be and there is governance in this area.
Mark Schaan: Patrick?
Patrick Leblond: Thank you, Mark. Yeah, I agree. Certainly, the surveys that are being done—and CIGI does one on a regular basis about the Internet and what people think across a number of countries—and privacy is certainly something that most people care about. And even in China. Surprisingly, the Chinese care a lot about their privacy even though the government seems to know everything about them. So it seems that there is at least a consensus on a number of issues and norms out there.
Now, the question that you pose in terms of "can we govern this internationally," well, I think it goes back to what Blayne was saying: rules are being set anyways. And the big question is, for a country like Canada, do we want to be part of the rule makers or do we just want to be a rule taker? That's a major issue.
We want to do business. We want our companies to do business with the EU. We want them to be able to move data across from the EU to Canada. Well, if the conditions are that Canada's regime is compliant or adequate with the EU's GDPR, well, in a way, we are being forced to use their standards, right? The same with the Americans if they decide that, hey, through the USMCA, you're going to abide by section 230 of the—God, I forget. The Communications Decency Act. Then, well, you can't sue Facebook, you can't sue Google, you can't sue any of the platforms for their content because it's not their content.
If we want to change that, as there is talk about doing this in Canada a little bit like in other countries—can we do that? So we have to be very cognizant that there are rules out there. The question is, can we work with those countries? And obviously it's all about negotiations and compromise. But at the very least, I think we have to have these conversations. And maybe, as Susan said, the WTO is not the right place to have that kind of conversation, because ultimately it's not about trade agreements. It's really about standards for data and maybe different standards for different kinds of data.
Mark Schaan: Thanks, Patrick. Susan?
Susan Aaronson: Well, you guys are more optimistic than me; I do not see this consensus on data at all, in fact. We're just beginning a project to map the governance of data. Unfortunately, we can only do 40 countries in that mapping. But from what I see is that so far I do not see consensus.
There are things on the side like the global partnership on AI, and part of this stems from this desperate, and it might be myopic, rush to build data-driven sectors without really thinking about the implications of building those sectors for income inequality, employment, development strategies. The World Bank is going to issue a report warning about this soon in their 2020 World Development Report, which will be on data. And AI is an example of this. I am the daughter of a scientist. I'm all for AI. That is different from—we need to come up with some sort of shared rules that let people understand when algorithms are making decisions.
Now look, algorithms have been used in decision making for centuries, if not longer. But it does seem to me that there's something different here going on, and I think there are people who are "woke" to it and people who are not.
[Susan makes air quotes around the word "woke."]
And because we have so many other immediate problems, we haven't thought this through. But I don't see this consensus. Also, I do not think trade agreements are the right place to do it, but I couldn't tell you where they are. Moreover, imagine if you're from Senegal and you might have two AI labs in the country and you might have firms that use various forms of AI or any other form of data-driven analysis to become more efficient, but to restructure your economy based on that and to negotiate international agreements right now based on that.... I just think until they have the governance skills and a real understanding of the potential for data as an asset, et cetera.
[Susan shrugs with her lips pursed.]
Mark Schaan: Thank you, Susan.
[Translated from French] We have a question from a discussion participant regarding data ownership and the possibility of giving data ownership to citizens.
And maybe I'll build on their question. So their question is when we—I'm sure all of us have encountered in our conversations around data and digital, which is what if people own their own data and can we get the models that are more user centric in their usage of data?
I guess I'd ask two questions to the panel. One, we tend to shy away, at least in my conversations, from the notion of data ownership, because it's more about data control, data usage and data sharing, which is who gets to collect it, who gets to use it, and then who do they get to share it with, and kind of thinking of those as discrete actions as opposed to this construct of, "I have it, it's mine," because it can often live in more than one spot at the same time.
So, can we actually get to more user-centric models of that, first of all? And then second of all, do we actually think that the relative literacy and capacity is there for citizens to be able to actually control their data? And to the points that we've made earlier about standards and other things, this is where some people have suggested, "I actually am kind of busy. I actually have this job all day. I don't have time to consent to every single usage and other things." And so maybe this should be, to your point, Patrick, more like the financial industry where I tell some data broker out there that I'm a "purple" risk level. I like some of my data invested in a public good forming kind of stuff and stuff that has a direct relationship to my home. But I'll never, ever want anyone to know my SIN number or my birth date.
I guess my two questions, the two-sided questions, are, one: is data control by user a helpful construct? And is there ways of getting more to those sorts of models? And then second of all, is that actually even feasible in a world where the data is accumulating at such volumes and where potentially people literally have other things to think about, like their kids and their lives and their dogs and their work. So I'll start with Blayne, who got in first and then we can do the tour de table.
Blayne Haggart: Sure. Certainly the idea of individual data ownership or data control is a really dominant way of thinking about these things right now with respect to something like the European GDPR. I don't know how useful it is in terms of public policy and thinking about it as a general concept. And one way to get into this—we could talk for a long, long time about this, but one way to think about this is that you might think I own my data, but your decisions about what you do with your data, if that's where we go, has effects on others. So, for instance, do you want to release your heartbeat data to a Fitbit-type company. But then it goes and sells that data to an insurance company that uses that data to basically restrict access to health insurance. Data and issues like privacy are largely social and they exist at the level of the community.
Also, with respect to the idea of understanding, I can barely understand these things sometimes. And often times, when you look at the GDPR "do you consent to this?" it's very, very hard for the individual to get a grasp on this. And it's kind of like asking, "OK, how much asbestos do you want in your products? How much arsenic are you comfortable with as a person?" These are issues that individuals are not—most of us don't have the capacity to deal with these issues time and time and time again. Some of these issues are also at sufficiently harmful levels to society that basically the decision should be made at a social level by government and by regulators.
Mark Schaan: So I've been a bad moderator and I realize where basically at time, so I'll ask my panellists to be super quick in their responses. I know Patrick, you wanted to get in there.
Patrick Leblond: Thank you. Just to add quickly to what Blayne said, I think, obviously, we agree that people don't necessarily have the knowledge. There's too much asymmetry of information. But two points: one is that there's a lot of talk about data trust that you talk about like financial intermediaries who would be able to take on this. But then we go back to some of the issues that were raised about monopoly. Are we going to end up with just a few giant data trusts that would basically control everyone's data? And would that be better than having it with Facebook or Google or others?
So, that's one point. And the other is the recognition that, I would think, a lot of the value is derived not in a single individual's data, but as a group. There's a lot of value in terms of understanding people's behaviour, not just one particular case. So then if a number of people start saying, "No, I don't want my data to be available to this company or for this purpose," then does it actually reduce the value of everyone else's data? And how do we price that? So, there's actually a compounding effect to the data, which when we talk about data ownership may not be taken into account. So it talks about all these kind of negative and potentially positive externalities associated with data.
Mark Schaan: That's really helpful, Patrick. Neil, did you want in on this?
Neil Desai: Yeah, maybe I'll just quickly say that I go back to my original thesis that we need to get more flexible governance. The idea that we're going to govern all of the data being created, to me, is not plausible. And right now what we're frankly doing is trying to govern via whack-a-mole, either specific technologies that are causing issues or we think are going to be of importance in the narrow future. I think we have to have a longer time horizon and a more specific focus on the things that matter to Canadians and really focus in on our data governance there, and do it in a principle-based fashion that allows us and our smart civil servants to actually use those smarts and be flexible in their decision making.
Mark Schaan: Thanks so much, Neil. And Susan?
Susan Aaronson: Yeah, a couple of points. I love that term: governance does whack-a-mole. I think that is how governments govern. But I think people need to be aware of two points. Very few companies have all sorts of data from people of all around the world.
[Susan's audio glitches and cuts out as she speaks.]
There's no way to govern... level. And those companies are not transparent on how they use that data to create new data-driven services. I'm looking at you, Facebook, Google, TikTok—which may not exist soon—et cetera. The other point is... no way it can be property because it is a reflection of what we think and what we're doing and how we behave over time... And so to view it as property... dangerous...
Mark Schaan: Susan, I think your Internet is sadly giving us a couple of issues.
Susan Aaronson: I'll shut up now.
[Mark and Neil laugh.]
Mark Schaan: Oh, we got that.
Susan Aaronson: Yeah. Did you—
Mark Schaan: We got a good chunk of that, Susan, so I think we're good. I would offer to our audience a huge and heartfelt thanks to our panelists. We've heard a lot about the complete ubiquity of the data environment and the construct probably needs to be broken down. We've tried a little bit today, to construct it in different formats, to think about it in different ways. What is it that we're talking about when we're talking about data. What are we talking about when we're talking about it in certain contexts and in transactional context? I think we probably need to think about the distinction even between personal information and non-personal information, because those can be helpful. I think we've revealed some zones around governance issues and how we're going to kind of think about these either in a trade context, in a global context, or even in a marketplace context, on an individual transaction basis. And I think we've also heard about the need for agility and flexibility.
My last moderator's prerogative would be, I think the challenge is always corporations, in particular, love of governance by principle until there's heavy enforcement. And then they really, really love very specific details about what they can and can't do. So I think finding that sweet spot is really going to be one of the challenges that the public service is going to have to face as we move this forward.
I would just offer again my extreme thanks to our extremely astute and thoughtful panelists. You've given us a ton to think about. I know we could talk about this all day. I know we're literally at time—one sentence from each of our panellists. If you had to give kind of one sentence to the 850 public servants who are on the line about one take away that they should contemplate or think about as it relates to this phenomenon of the data economy and the data society, what would that one sentence be? And it's unfair, again, because these are unscripted so you're literally getting these people's thoughts fresh off the top of their head. Anybody want to go first?
Patrick Leblond: I can go first. Well, to use Facebook, we could say it's complicated.
I'm not sure, I don't have any pearl of wisdom, unfortunately. But thank you very much for having me on.
Mark Schaan: Blayne?
Blayne Haggart: Building on the idea that it's complicated, I'd say it's complicated, but it's also not impossible. If we can regulate something as weird and abstract as money and banking, which is just—anyone who's ever taken a monetary policy course knows it's so weird. This is something that is doable. Data is a new issue. There are lots of different angles for it that we have to take into consideration. But it's not impossible to wrap our heads around.
Mark Schaan: Great. I don't know if Susan or Neil want to go next.
Susan Aaronson: I think that Canada is in a very good position to influence the debate over our data, and it can do so, I think, by leading with other countries and also ensuring that there's a feedback loop in the governance of data. The data charter is a good place to start.
Mark Schaan: And Neil?
Neil Desai: I'll close by saying your jobs are really, really important to data-driven businesses like mine, and that's not just in places like I said. It's across government, the broader public sector. So it's just getting to know companies related to, broadly speaking, related to the work you're doing. It may not have consequence today for you or the company, but I can tell you you'll probably find a patriotic Canadian behind that business and that relationship will prove important to our country in the future.
Mark Schaan: Thank to all my panelists. Big thank you to Patrick, Blayne, Susan and Neil, and to Aaron at CIGI to help respond to the learning needs of public servants in this area. The CSPS will be launching a data community in the near future and will be reaching out to existing networks for input and participation.
[In the bottom left corner, a purple text box appears with the URL canada.ca/school-ecole.]
And the next event in the New Economy series will be held on October 20th. The event will focus on cybersecurity, standards and digital identity in shaping the new economy. Huge thanks to our panelists. Many thanks to the School and thank you, everyone, for your participation today. Thank you.
[Mark smiles and the Zoom call fades out. The animated white Canada School of Public Service logo appears on a purple background. Its pages turn, closing it like a book. A maple leaf appears in the middle of the book that also resembles a flag with curvy lines beneath. The government of Canada Wordmark appears: the word "Canada" with a small Canadian flag waving over the final "a." The screen fades to black.]