Digital technologies that collect, process, and analyze data are evolving at lightning speed. In this context, ‘agile’ has become the buzzword not only for the development of these technologies, but also for their governance. For example, Ontario’s data strategy consultation paper on trust and confidence in the data economy speaks of a need “to find new and agile ways to ensure consumer protection”. The assumption seems to be that the process of law making is too slow and cumbersome to achieve properly the goals of protecting the public and ensuring fair competition. Indeed, the endless delays in much needed reform of Canada’s private sector data protection law may be a case in point.

Into this governance gap emerges a proliferation of codes of ethics, national and international standards, guidelines, policies and other ‘soft’ law. The CIO Strategy Council has just published its new standard on ethical design and use of automated decision systems and is seeking comment on a newly published draft standard on Third Party Access to Data and Privacy. The federal government has launched a pilot standards-based cybersecurity certification program for SMEs. In addition to these new normative frameworks, there is also a push towards novel modes of governance, ranging from proposals for new regimes for social media content moderation (platform governance), to models for data sharing such as Sidewalk Labs’ proposed ‘Urban Data Trust’ to oversee the collection, use and sharing of ‘urban data’ in the proposed Sidewalk Toronto development.

            In each of these instances, multiple interests drive the creation of the new norms or governance bodies. Private sector companies want to continue to grow and innovate with greater legal certainty but without undue (from their perspective) constraints. Governments seek to encourage investment and innovation without losing the faith of the public (witness the Ontario Government’s emphasis on ‘trust and confidence’ in its discussions of a new data strategy for Ontario and the federal government’s Digital Charter for “trust in a digital world”). These players are at the norm-setting table. Less obviously represented is the broader public that wants to know that their fundamental rights (including privacy, freedom from discrimination, freedom to receive and communicate information, and freedom from undue surveillance and manipulation) will not be trampled in the race for dominance and riches in the big data economy.

            The point is not that soft law is bad or has no role to play; rather it is that soft law is insufficient, and the more policy space it occupies the more challenges it presents for truly responsive, responsible and accountable governance. For the most part, the new ‘soft law’ contains voluntary and largely unenforceable norms. It typically does not provide for oversight or accountability. Even new governance bodies such as the proposed Urban Data Trust do not easily fit within existing legal or normative frameworks, raising questions about oversight, accountability and transparency. We must also ask serious questions about who is engaged in setting new standards or in determining who gets access to what data, in what circumstances and under which conditions. How is the public engaged and consulted and who represents their interests?

            As the private sector’s desire for governance outside government grows, it is important to step back and consider the crucial role played by transparent and accountable governments in balancing interests and in protecting the public. Governments cannot abdicate the normative space they are designed to occupy. Governments must focus on providing strong, bold boundaries that can shape responsible and responsive approaches to regulating technology. They must set the baseline norms and provide frameworks for oversight, accountability and transparency.

Agile should not become code for an environment in which norms reflect best intentions, drafted in non-transparent contexts dominated by the interests of industry and without proper oversight or accountability mechanisms. Soft law may be agile, but so are cat burglars – agility on its own has little to offer the public interest.