Tuesday, December 6, 2022

Canadian data laws need to respect the sovereignty of Indigenous data, argue John Borrows and Lisa Austin, professors at the University of Toronto’s Faculty of Law. A number of provisions in the newly-proposed Bill C-27 legislation could better align with Indigenous laws and values, and in doing so address the urgent goal of reconciliation. Republished commentary from U of T's Schwartz Reisman Institute for Technology and Society.

The federal government has introduced Bill C-27, or the Digital Charter Implementation Act, which is meant to build “a foundation of trust” in our digital world. The centerpieces of Bill C-27 include new legislation meant to strengthen privacy protection and create new rules for responsible AI. Unfortunately, this strategy for public trust has left out Indigenous voices. What has been absent is serious consultation with Indigenous communities and any attention at all to whether Bill C-27 is consistent with the federal government’s obligation to implement the United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP). Trust in our digital world, as in our analog world, must address the urgent goals of reconciliation.

Both within Canada and globally, the movement towards Indigenous Data Sovereignty calls for data laws that recognize Indigenous authority over Indigenous data and data governance according to Indigenous worldviews. Indigenous data is a broad category that encompasses data about individuals, communities, intellectual property, and data about lands and resources. Because of its breadth, Indigenous data is currently regulated under a myriad of laws, including Canada’s privacy statutes. However, this landscape of Canadian data laws ignores the principles of Indigenous self-determination and self-government.

 Professor John Borrows and Lisa Austin
Canadian data laws ignore principles of Indigenous self-determination and self-government, argue John Borrows, The Loveland Chair in Indigenous Law at the University of Toronto Faculty of Law and fellow Law Professor Lisa Austin, Chair of Law and Technology and associate director at the Schwartz Reisman Institute for Technology and Society.

Indigenous governments require access to data needed to govern. Privacy statutes provide pathways to such access, whether by enabling data flows from the private sector to government institutions or by enabling data flows between different types and levels of government institutions. But the new proposed privacy legislation—like the existing Personal Information Protection and Electronic Documents Act (PIPEDA)—treats some forms Indigenous government the same way it treats banks and telecoms. Indigenous governments should not be regulated as if they were part of the federally regulated private sector. Nor should they necessarily be made subject to the public sector legislation. For one thing, public sector legislation also required an overhaul for consistency with UNDRIP. But more importantly, we need to create legislative pathways to recognize Indigenous data laws.

Indigenous data should be governed according to Indigenous laws and values. Although this will take time to implement, there is no excuse for ignoring potential short-term steps to improve non-Indigenous laws. For example, there are a number of provisions in the new proposed privacy law that permit the disclosure of personal information for research purposes. Such provisions already exist in our current laws. However, there are no guardrails to require that where this is the information of Indigenous persons that the research adhere to OCAPⓇ principles (Ownership, Control, Access and Possession)—a set of principles developed by the First Nations Information Governance Centre and already operationalized in research across the country.

Other provisions of the new proposed privacy law permit the disclosure of “de-identified information” without knowledge or consent for “socially beneficial purposes.” However, again, there is no requirement that where this information pertains to Indigenous communities that there be authorization from those communities. There are better models to follow—including BC’s new Anti-Racism Data Act, which has a number of provisions requiring consultation and collaboration with Indigenous peoples.

There are many other provisions that should be re-examined through an Indigenous Data Sovereignty lens.

In its original consultations regarding the Digital Charter, the federal government indicated that it heard from Indigenous Peoples and received the message that the goal of Indigenous Data Sovereignty needed to be respected, including frameworks like the OCAPⓇ principles, and that digital and data transformation must be assessed through the lens of Canada’s obligations to implement UNDRIP. Unfortunately, none of this translated into Bill C-27’s implementation of the Digital Charter. This is unacceptable.

Indigenous Data Sovereignty requires a fundamental rethink of many of Canada’s data laws, not just those laws proposed in Bill C-27. But the need for a comprehensive future plan should not be an excuse for the lack of a current plan of any kind. The path towards reconciliation includes our digital world and it needs to start now.