We Can’t Have Free and Open Society Without Privacy as an Essential Component

In an interview to GW Prime, Dr. Ann Cavoukian, a leading privacy expert and the brain behind the Privacy by Design framework, shares her thoughts on emerging data privacy trends, and the need to protect people’s information to ensure their freedom.

You served as the Privacy Commissioner of Ontario, Canada for three terms, elevating the office from a regular regulatory body to a thriving agency known for its cutting-edge innovation and leadership. Can you tell us something about your experience in terms of the challenges and opportunities you encountered, and how did you come about creating the Privacy by Design framework?

I was first appointed the Information and Privacy Commissioner of Ontario, Canada in 1997. When I joined the office, I realized that it had some brilliant lawyers. But my background was different. I was a psychologist, and so I brought a new perspective to the office. I wasn’t looking at regulatory compliance or regulatory action after a privacy incident or data breach had taken place, I wanted a proactive means of preventing privacy-related harms from arising. I was thinking about a model of prevention, much like a medical model of prevention.

So, I created Privacy by Design framework at my home over three nights at the kitchen table and brought it to office. It took me some time to get the acknowledgement and the approval of my lawyers working in the office. That’s because what I was proposing was a very different method of embedding privacy into the operations, baking it into the code so that it is always present. In 2010, at the annual Data Protection Commissioners’ Conference in Israel, I proposed a resolution that Privacy by Design should complement regulatory compliance, so that there could be a model of prevention in place. To my surprise, it was unanimously passed as an international standard. Since then, Privacy by Design has been translated into 40 languages around the world.        

People often use data protection and data privacy interchangeably. How are these two terms different, and what steps can private and public players take to ensure both data protection and privacy?

Yes, these two terms are often used interchangeably. For instance, at commissioners’ conferences, we have both Privacy Commissioners and Data Protection Commissioners. To me, these terms are very important — data protection is essential for protecting privacy. However, the term privacy goes above and beyond data protection, because it forms the very foundation of our freedom. It’s not just about protecting the data, it’s about ensuring that our freedom continues now and in the future.

Privacy is all about personal control relating to the disclosure and use of private information. That control has to reside with an individual. I keep telling people that privacy is not a religion. If you want to give away your data, be my guest. Just make sure that it’s you who makes that decision and not someone else on your behalf. In my opinion, we cannot have a free and open society without privacy being an essential component.

Can you shed light on a few emerging data privacy trends globally?

We are all suffering from the COVID-19 pandemic, and a number of countries are recommending that we develop vaccine passports. It will be a passport to substantiate that you have had a vaccine against the virus. The reason why this concerns me enormously is that it involves very sensitive medical data that deserves the strongest privacy protection possible. If this proliferates, it could become a very strong surveillance tool. These passports would not be limited to travel; countries would use them to check people going to concerts, soccer games, libraries and other public buildings. So, your geolocation would be known to the authorities, and they would know where you are going and who you are meeting. I just hope that we can get past these requirements. 

I wasn’t looking at regulatory compliance or regulatory action after a privacy incident or data breach had taken place, I wanted a proactive means of preventing privacy-related harms from arising. I was thinking about a model of prevention. So, I created Privacy by Design framework at my home over three nights at the kitchen table and brought it to office.

Tech giants like Apple and Google have recently expressed their intent to protect people’s privacy. While Google is attempting a rebrand with a suite of new privacy controls, Apple has introduced the App Tracking Transparency feature. How do you view these developments?

These are positive developments. For the first time, Google is moving towards privacy. Let’s see if they walk their talk, though I believe they will, since they have the right intentions. I am very pleased with that. Apple, on the other hand, has been protecting privacy for years. They have had end-to-end encryption on their mobile devices that is very strong. A few years ago in the US, FBI Director James Brien Comey wanted Apple to break the phone encryption of a guy they had caught. Apple took the matter to court, claiming they cannot do that, and they won.

Recently, for the first time, Apple and Google have built a contact tracing app which totally protects people’s privacy, while enabling them to know if they have been in contacted with someone who is Covid positive. When they were developing this app, Apple called me on two separate occasions and walked me through all of the code to show me how the app does not collect any personal information. So, any step towards protecting privacy is a positive development.

With the proliferation of data, especially location data, there always is this concern around privacy. In such an environment, how can advertisers and marketers operating in the mobile and online space do good business while ensuring privacy?

I think the advertisers must learn to appeal to the target audience and get their consent. That may sound extreme, but if you are offering something to people you think they would be interested in, you just need to know how to reach out to them. If consent is sought, and if people are secure that their personal information would not be used beyond the stated purpose, they would show a lot of interest. We offer Privacy by Design certification with KPMG, and the companies we have certified have told us that they love it, as they have been able to build a relationship of trust with their customers.

WhatsApp is currently engaged in a tussle with the Indian government over its controversial privacy policy. What are your views on this issue, and which side do you support?

In this case, I support WhatsApp, or Facebook. WhatsApp has end-to-end encryption, and the Indian government seems to be trying to break that through something that is equivalent to a crypto backdoor — something  that can lead to the identification of the original source of a message. In my opinion, that shouldn’t be allowed. I applaud WhatsApp for challenging the government in court , and sending out a message to the Indian users that their privacy matters. End-to-end encryption is the strongest data privacy protection tool online.

It’s been three years since the European Union’s General Data Protection Regulation (GDPR) came into effect, becoming the most visible data regulation in the world. How do you see the overall impact of the regulation, and does it require an upgrade?

GDPR has had a profound impact globally. Countries are making changes to their existing laws to bring them on a par with GDPR, so that they can engage with companies in Europe and do business without any repercussions. For instance, in Canada, the Federal Privacy Commissioner has told the government that we need to upgrade our federal legislation. He has said that we need to have Privacy by Design in our law, just the way it is in GDPR. It has been three years since GDPR came into effect, and I know that there are those who are calling for an upgrade, but three years is not a lot of time for the development of a regulation. So, in my opinion, GDPR is good in its current form. It has had a great impact on the way data is collected and used, and that shall continue to be the case in the future.

Dr. Ann Cavoukian is presently the Executive Director of the Global Privacy & Security by Design Centre, and is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University.

More Prime Read

More Prime Read