After speaking with Canadian stakeholders regarding the practice of recycling telephone numbers and the privacy implications associated with it, my journey led me to the North American Numbering Planning Administrator (NANPA), from who I found out that the Federal Communications Commission (FCC) was responsible for awarding them with their contract to administer numbering services across the continent. If the FCC, a federal agency of the US, was responsible for awarding NANPA with their “North American” contract, the natural question became, “What role or involvement did Canada have in the grand scheme of things? Or were we just tagging along for the ride?”
It became clear to me that I needed to go international and attempt to connect with US stakeholders, but also seek out EU representatives, since the EU has been a world-leader in brining forward privacy legislation related to all things digital.
The United States of America.
From my own research, I identified three committees that might have had some connection with the practice of recycling telephone numbers and the privacy implications associated with it, and they were: The Subcommittee on Oversight and Responsibility, Cybersecurity, Information Technology, and Government Innovation Chaired by Congresswoman Nancy Mace, The Subcommittee on Communications, Media, and Broadband Chaired by Senator Ben Lujan, and The Subcommittee on Communications and Technology Chaired by Senator Maria Cantwell.
Trying to connect with these US committees and the FCC, as a Canadian, was extremely difficult because their online submission forms required a US zip code as well as a US number. Once I managed to connect with their offices, it turned out that I needed to put my requests in writing and mail them to Washington, D.C., which would end up being a months-long process. Instead of going with the mailing route, I decided that it would be more effective to do a policy review to see whether there was any favorable legislation that existed within the US and if it could be transplanted here in Canada.
After a little bit of digging, I uncovered three things of interest: The Administrative Procedures Act, The Virginia Consumer Data Protection Act, and The Office of Information and Regulatory Affairs.
The US’ Administrative Procedures Act
The Administrative Procedure Act (APA) was an Act that was introduced by Congress so that Federal Agencies could become more democratically legitimate and responsive, and to provide for more process and more transparency. The APA was meant to serve as major compromise, enacted in 1946, and was mostly modernized thanks to Federal Court rulings, until recently. In 2017, bipartisan calls for modernizing the APA resulted in Congress passing the Regulatory Accountability Act (RAA), an Act that brought forth consensus-driven bipartisan solutions for modernizing the APA.
One of the RAA’s solutions required Federal Agencies to engage in the economic analysis of rulemaking and for retrospective reviews to make sure that existing rules “made sense”. When the time comes for a Federal Agency to engage in rulemaking that had large-scale implications, made possible by the APA, the RAA required that there be a more rigid process in place to ensure that the tabled legislation was done right. In other words, the scale of impact that emerged from the proposed rules needed to be matched by the depth of the assessment on the implications associated with the proposed rules.
The US’ Office of Information and Regulatory Affairs.
The Office of Information and Regulatory Affairs (OIRA) is a subsidiary office in the Office of Management and Budget, and it is responsible for reviewing significant regulations that are developed, modified, or rescinded by Executive Branch Agencies, and they are responsible for informing the President of the United States on what is going on, and how regulations may align with a President’s priorities.
In short, the OIRA is staffed with career professionals dedicated to the analysis of governmental legislation with expertise in fields like statistics, economics, law, policy analysis, and technology, and it positions the OIRA to best understand the intended and unintended consequences behind legislative outcomes. So, once a President decides to increase or decrease the amount of regulation in a sector, a decision like that is only made after consultation with the OIRA and ideally with a complete understanding of the effects of those outcomes.
The US’ Virginia Consumer Data Protection Act.
The Virginia Consumer Data Protection Act (VCDPA) is an Act that applies to for-profit businesses that conduct business in Virginia or produce products or services targeted to residents of Virginia, and control or process the personal data of residents of Virginia. The VCDPA defined “personal data” as any information that is linked or reasonably linked to an identifiable person. It also created a second category of “sensitive data” that included data revealing: 1. racial or ethnic origin, religious beliefs, mental or physical health diagnosis, orientation, citizenships or immigration status; 2. the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; 3. the personal data collected from a known child; or 4. precise geolocation data.
One aspect of the VCDPA that seems to be causing some confusion has to do with the prohibited processing of sensitive data without obtaining consumer consent, and it is even more stringent with sensitive data related to children. However, if a consumer selected to opt-out of the sale of their personal data, the VCDPA states that businesses do not need to honor those requests for consumers with public accounts because such situations result in “shared data” and are deemed ineligible for data protection. What further complicates the VCDPA, according to privacy activists, is that big tech was invited to play a key role in the tabling of the Act, but the fact remains that policy makers lack the wherewithal to create effective policies that target the digital world because they lack familiarity with technology.
The EU’s European Data Protection Board
One of the benefits of living in our capital city, Ottawa, is that the city is home to countless diplomatic missions, international agencies, and other global brands. Connecting with the EU’s Delegation to Canada turned out to be quite smooth and I was able to get enough information to further explore data privacy laws, with them introducing me to the European Data Protection Board (EDPB) and the General Data Protection Regulations (GDPR).
The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. The EDPB is established by the GDPR, with a mission to ensure the consistent application of the GDPR, but without any supervisory or enforcement responsibilities. Instead, their main duties revolve around providing general guidance to clarify the law and to promote a common understanding of EU data protection laws, as well as adopting any binding decisions or helping settle any disputes should they arise.
The GDPR officially came into effect in 2018, and countries eventually began to mass adopt the privacy standards, with the GDPR serving as a benchmark for data protection regulations for both the US and China. However, the EU has recognized Canada’s Privacy Information and Electronic Documents Act (PIPEDA) as meeting their standard and they accept it as an alternative standard for international cooperation purposes.
Canada’s Standing Committee on Access to Information, Privacy, and Ethics
The Standing Committee on Access to Information, Privacy, and Ethics (SCAIPA) is a bipartisan committee that studies and reports on matters referred to it by the House of Commons, or on topics the Committee itself chooses to examine under its mandate. Its mandate is to study matters related to information, privacy and ethics reports relating to Canada’s highest offices including the Office of the Privacy Commissioner of Canada. Additionally, the Committee can also study legislation and regulation or propose initiatives that relate to access to information and privacy and to ethical standards relating to public office holders.
Once I connected with SCAIPA, it was with the Committee’s clerk, and the information she provided was quite valuable. To start, the job of a committee clerk was to ensure that the committee was getting stuff done, but committees at the federal level are often only assigned a single clerk, which can make it quite difficult for them to engage with Canadians that reach out to these committees. Every committee at the federal level was created by the House of Commons and each committees’ functioning purpose was determine during this “creation” process.
When it came to studying legislation, regulations, and proposals, either it would be by order of the House of Commons, or it would be self-initiated by members of the committee.
These two pathways are the only way that studies could be initiated, and third parties (individuals or organizations) can only participate in the work of a committee by submitting a brief or requesting to appear before the committee to share their thoughts on a specific study, which also requires that the party meet certain criterion to have their request approved.
Office of the Prime Minister of Canada
During the process of interacting with various stakeholders, I realized that I also had two outstanding questions that only the Office of the Prime Minister of Canada would be able to answer. First, “Is there a designated executive office (similar to the US’ OIRA) or branch of government that is specifically responsible for reviewing policies and reporting back to the Prime Minister to determine how certain policies may align with a Prime Minister’s priorities?”, and Second, “Are there any avenues for participation (similar to the US’ “Regulations.Gov” website) where citizens can provide feedback on proposed laws?”
The response conveyed to me indicated that Canada did not have anything similar to the US’ OIRA, largely due to the fact that policy proposals are typically presented by Ministers for consideration by the Cabinet or one of its committees, as a part of the Memoranda to Cabinet process. However, that approach might not be ideal when you consider the complications that can arise when political parties rotate in and out of power because there may be a loss of institutional knowledge due to political turnover, and it is quite easy to overlook the most minor details of policies which will still have major implications. In the end, it was up to political parties to be informed on all the existing policies and how they intersected elsewhere since there were no designated career professionals that were solely dedicated to the analysis of governmental legislation.
When it comes to avenues for participation where citizens could provide feedback on proposed laws, Canada did have something similar to the US’ “Regulations.Gov” and it is called “Consulting with Canadians”. Outside of the “Consulting with Canadians” website, Canadians could look over proposed policies in Part 1 of the Canada Gazette before they became official. Although both avenues can be quite interactive, they somewhat fail to live up to the real-time participation standard that the US version manages to create, which allows for members of the public to review feedback provided by their fellow Americans before the deadline for accepting submissions closes. The benefit of this approach is that it creates for the potential that ideas can snowball into something bigger and better, and there is the potential for proposed policies to go places that may have been outside the purview of policy makers. Most importantly, it could free up Members of Parliament from being inundated with emails regarding policy matters that they are not involved with and where their participation may be overlooked.
The long story, shortened, is that the type of changes that are necessary to preserve people’s privacy by prohibiting re-use of old telephone numbers do not seem to have a specific place to be addressed in Canada, and instead, concerns need to be raised with our MPs.
All we need is a little fine tuning.
One of Charles Darwin’s most famous quotes should describe why adapting to change is important, because it is not the strongest or smartest that survive, but those that are most adaptable to change. Although there may be some Canadians that have a nostalgia for the days of our past and who prefer that we stick to tradition, with policies and protocols that are on the verge of becoming obsolete, the needs of the present and future matter more.
