The Google subsidiary, Sidewalk Labs, is proposing to create an “innovative urban district” on Toronto’s waterfront to be calledQuayside.1
The goal is to overlay the “physical layer” of urban environment (buildings, streets, vehicles) with a “digital layer” of information reflecting the dynamic activities and interactions within the physical layer.
Essential to the creation of this digital information layer is the collection of data, both public and private, reflecting these activities and interactions.
The ultimate objective is to obtain a greater understanding of the nature of dynamic activities within the community, and thereby achieve insights and enhance planning of the urban environment -including energy efficiencies, economic efficiencies, quality of life and sustainability.
Existing data stores –filling in the gaps
There exists already a significant store of digital and other data available from diverse sources reflecting not only activities but also conditions within an urban environment. Such data sources include mobile phones, connected devices, and utility usage databases. Other more public data stores include weather, air quality, municipal taxation and traffic.
However, to achieve a comprehensive view of all activities within an urban environment, Sidewalk Labs proposes to create a new level of data collection in both private and public spaces–through more intensive analysis of activities by people and things as they interact, move about and live within that environment.
Such an analysis could be characterized as filling in the gaps –so to speak –between the existing data stores. It is this filling in the gaps data collection that has created challenges and concerns about the nature of personal information that may be obtained, and the required governance respecting such information once collected. Concerns about privacy are exacerbated by the proposed nature of the collection –through ubiquitous electronic “sensors” and in some instances video monitoring–as well as from transaction data (e.g. parking).
To be clear, not all data collected would be personally identifiable; a significant element would encompass traffic patterns, vehicle travel, pedestrian travel, visits to buildings and other non-personal data.
In order to address the concerns regarding collection and use of identifiable personal data, it is instructive to characterize the data with a privacy lens. As part of such characterization, consideration must be given to not only the entities involved –such as Sidewalk Labs –but also any governance regime that would provide oversight.
1See Project Vision, excerpt from Response to Waterfront Toronto Quayside RFP, October 17, 2017 Private space data
As noted, a significant amount of personal data that may contribute to planning a digital urban community is clearly “private space” data, collected by both private and public entities from sources including home environment controls, mobile phones (not only their locations but also app-generated information),and connected (and potentially self-driving) cars.
Other personally-identifiable data is generated by home and business security and monitoring systems as well as through video surveillance data both within and surrounding private and public buildings. Utility usage information, including electricity, gas and water, is another important data source.
To achieve the envisioned “digital layer” of information for its innovative urban community, Sidewalk Labs will create additional private space data stores and likely will access at least some of the existing private space data to combine it with data collected in the “public space” environments.All of this personal information, if collected by a private sector organization for commercial purposes, must have the consent, either express or implied, of the individual to whom it relates. Furthermore, such data will be subject to the full privacy compliance rules dictated by the Personal Information Protection and Electronic Documents Act (PIPEDA), the national private sector privacy law.
If collected by a public sector organization, consent is not required but there must be statutory authorization. Rules regarding such collection are found in the public sector privacy laws such as the Freedom of Information and Protection of Privacy Act(Ontario).
2Public space dataHow to characterize and treat the personally-identifiable data collected in public spaces?
Should this data be considered publicly available and therefore accessible to any person who wishes to collect it? Or is it personal information that should be governed by the full rigour of applicable privacy laws? If the data is personal information, what privacy laws would, or should, apply?
3Sidewalk Labs currently is proposing that it would collect the data and in certain instances de-identify it.
However a significant amount of data would remain personally-identifiable as collected in the first instance at least, by Sidewalk Labs. Our privacy laws extend protection to personally-identifiable data wherever it is collected, whether in public or private spaces.
PIPEDA applies to collection of personal information for commercial purposes and its rules would apply to any such data collection by Sidewalk Labs, assuming that
2Applicable to provincial government organizations; municipal government organizations are subject to the MunicipalFreedom of Information and Protection of Privacy Act(MFIPPA).
3An argument also may be made that the data is a community asset that should be owned or controlled by the community at large.
See Not for Sale –The case for Non-Profit Ownership and Operation of Critical Community Infrastructure, Ontario Nonprofit Network (November 2018) some of the intended purposes are commercial in nature.
Under PIPEDA, consent of all individuals whose data is collected would be required.
4Any such collection…