Who owns my privacy and why I don’t want people to know where I drive

To me, “big data” has become synonymous with Big Brother, the central political figure behind data collection and monitoring in George Orwell’s “1984.” Big Data plays a similar role in today’s society, but it’s not often clear who or what organizations play this role, and what parts of my private data are being collected to violate my personal privacy. Following the revelation of the Facebook-Cambridge Analytica scandal in 2018, the public consciousness has grown to include privacy and data collection as primary concerns, but there hasn’t been much transparency, or changes in this practice.

In the Facebook- Cambridge Analytica scandal, people’s personal information was harvested without their consent and was used to create “psychographic”[1] profiles that were then used as part of political manipulation in the Brexit vote, as well as the 2016 American Election.[2] More recently, Facebook was caught outsourcing the transcription of audio-chats that occurred in Facebook Messenger to contractors working as a third-party, thus exposing the private conversations of those Facebook users who had opted into the transcription service offered by Facebook.[3]

But the collection of data occurs in all aspects of daily life not just through social media. A statistician working for Target explained how the retailer kept tabs on its customers’ purchasing habits and tried to target (no pun intended) pregnant women based on their purchasing patterns.[4] This led to a father learning that his teenage daughter was pregnant after Target sent maternity flyers addressed to the teen. These instances highlight the lack of consumer awareness, truly informed consent, and control that people have over their own information. This is a huge issue as “data flakes off us like dead skin cells”[5] and in those moments corporations should not be profiting.

To address the issue of data exploitation, the European Union has implemented the General Data Protection Regulation (“GDPR”)[6] that aims to protect a citizen’s privacy and increase the amount of control an individual has over their own data. The GDPR also addresses the transfer of EU citizens’ personal data outside of the EU in jurisdictions like Canada, that don’t have equivalent legislation already in place. Currently, the federal government has a measly two pieces of legislation governing Canadian’s privacy and personal data, the Privacy Act [7] and the Personal Information Protection and Electronic Documents Act (“PIPEDA”).[8] The Privacy Act applies to federal institutions and is meant to govern “a person’s right to access and correct personal information that the [Canadian] Government […] holds about them”[9] while PIPEDA oversees the private sector. However, neither of these provide resources to Canadians to educate themselves or protect their data. PIPEDA outlines “fair information principles[10] but these fail to provide avenues for consumers to seek recourse when their privacy has been violated, or ways of monitoring and protecting their privacy. Canadians might be protected by the patch-work privacy laws that provinces have enacted, or the legal precedent set by some Canadian courts.[11] Canada lags in data protection and empowering people to control their data.

This becomes increasingly important in the discussion of autonomous vehicles which are an emerging area of data collection. Data will need to be collected to ensure the safe operation of these vehicles and to prevent security breaches that could be exploited by ill-meaning entities. Big data has already greatly contributed to the advancement of autonomous vehicles, but it is unclear what data has been collected, and how this data has been collected.[12] Deployment of these vehicles doesn’t make clear how future data will be collected and used but could lead to the evisceration of privacy altogether, which could have devastating consequences. I believe that in order to successfully and safely integrate autonomous vehicles, rigorous data regulation must first be developed and well-established before the day that my future car drives me to my destination.

The Facebook-Cambridge Analytica scandal threatened democracy, and now the potential improper collection and management of data could threaten our physical safety in the form of autonomous vehicles. The type of successful data regulation I foresee ought to require the informed consent, control, and awareness of consumers that the data collection is occurring.[13] No longer should “Terms and Condition” pages or mandatory cookie tracking agreements be used to exploit the average internet user.

 

Written by Julianna Felendzer, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2019/2020 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

[1] Psychographic profiles rely on a consumer’s psychological characteristics to describe them, this encapsulates values, opinions, attitudes, interests, and lifestyles and can be used to personalize advertising.  See William D. Wells, “Psychographics: A critical review” (1975) Journal of Marketing Research 12 at 196.

[2] Issie Lapowsky, “How Cambridge Analytica Sparked the Great Privacy Awakening”, WIRED (17 March 2019), online: <www.wired.com> [perma.cc/VL7T-FRE6].

[3] Sarah Jeong, “No, Facebook Is Not Secretly Listening to You”, New York Times (20 August 2019), online: <www.nytimes.com> [perma.cc/8C9M-3E3F].

[4] Charles Duhigg, “How Companies Learn Your Secrets”, New York Times (16 February 2012) online: <www.nytimes.com> [perma.cc/ENG8-D47Z].

[5] Charlie Warzel, “The High Stakes of Living Online”, New York Times (6 August 2019), online: <www.nytimes.com> [perma.cc/JP7Q-D7KZ].

[6] EC, Commission Regulation (EC) 679/2016 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016] OJ, L 119/1.

[7] Privacy Act, RSC 1985, c P-21.

[8]  Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

[9] Office of the Privacy Commissioner of Canada, “Summary of privacy laws in Canada”, online: <www.priv.gc.ca>  [perma.cc/PC8J-XNJY].

[10] Office of the Privacy Commissioner of Canada, “PIPEDA fair information principles”, online: <www.priv.gc.ca> [perma.cc/5W8C-4ZYU].

[11] Douez v Facebook, Inc., 2017 SCC 33 [Douez].

[12]  Magnolia Potter, “Big Data’s Role in Self-Driving Car Development” (5 April 2019), online: <www.insidebigdata.com> [perma.cc/CU5J-983F]. See also Bernard Marr, “BMW: Using Big Data And Artificial Intelligence To Create Autonomous Cars”, online: <www.bernardmarr.com> [perma.cc/Q62M-6BWA].

[13] Lucille Perreault, “Big Data and Privacy: Control and Awareness Aspects”(Paper delivered at the International Conference on Information Resources Management (CONF-IRM), Ottawa, 20 May 2015) [unpublished].