I was first appointed the Information and Privacy Commissioner of Ontario, Canada in 1997. When I joined the office, I realized that it had some brilliant lawyers. But my background was different. I was a psychologist, and so I brought a new perspective to the office. I wasn’t looking at regulatory compliance or regulatory action after a privacy incident or data breach had taken place; I wanted a proactive means of preventing privacy-related harms from arising. I was thinking about a model of prevention, much like a medical model of prevention.
So, I created the Privacy by Design framework at my home over three nights at the kitchen table and brought it to the office. It took me some time to get the acknowledgement and the approval of my lawyers working in the office. That’s because what I was proposing was a very different method of embedding privacy into the operations, baking it into the code so that it is always present. In 2010, at the annual Data Protection Commissioners’ Conference in Israel, I proposed a resolution that Privacy by Design should complement regulatory compliance, so that there could be a model of prevention in place. To my surprise, it was unanimously passed as an international standard. Since then, Privacy by Design has been translated into 40 languages around the world.
Yes, these two terms are often used interchangeably. For instance, at commissioners’ conferences, we have both Privacy Commissioners and Data Protection Commissioners. To me, these terms are very important — data protection is essential for protecting privacy. However, the term privacy goes above and beyond data protection, because it forms the very foundation of our freedom. It’s not just about protecting the data, it’s about ensuring that our freedom continues now and in the future.
Privacy is all about personal control relating to the disclosure and use of private information. That control has to reside with an individual. I keep telling people that privacy is not a religion. If you want to give away your data, be my guest. Just make sure that it’s you who makes that decision and not someone else on your behalf. In my opinion, we cannot have a free and open society without privacy being an essential component.
We are all suffering from the COVID-19 pandemic, and a number of countries are recommending that we develop vaccine passports. It will be a passport to substantiate that you have had a vaccine against the virus. The reason why this concerns me enormously is that it involves very sensitive medical data that deserves the strongest privacy protection possible. If this proliferates, it could become a very strong surveillance tool. These passports would not be limited to travel; countries would use them to check people going to concerts, soccer games, libraries and other public buildings. So, your geolocation would be known to the authorities, and they would know where you are going and who you are meeting. I just hope that we can get past these requirements.
These are positive developments. For the first time, Google is moving towards privacy. Let’s see if they walk their talk, though I believe they will, since they have the right intentions. I am very pleased with that. Apple, on the other hand, has been protecting privacy for years. They have had end-to-end encryption on their mobile devices that is very strong. A few years ago in the US, FBI Director James Brien Comey wanted Apple to break the phone encryption of a guy they had caught. Apple took the matter to court, claiming they cannot do that, and they won.
Recently, for the first time, Apple and Google have built a contact tracing app which totally protects people’s privacy, while enabling them to know if they have been in contact with someone who is Covid positive. When they were developing this app, Apple called me on two separate occasions and walked me through all of the code to show me how the app does not collect any personal information. So, any step towards protecting privacy is a positive development.
I think the advertisers must learn to appeal to the target audience and get their consent. That may sound extreme, but if you are offering something to people you think they would be interested in, you just need to know how to reach out to them. If consent is sought, and if people are secure that their personal information would not be used beyond the stated purpose, they would show a lot of interest. We offer Privacy by Design certification with KPMG, and the companies we have certified have told us that they love it, as they have been able to build a relationship of trust with their customers.
In this case, I support WhatsApp, or Facebook. WhatsApp has end-to-end encryption, and the Indian government seems to be trying to break that through something that is equivalent to a crypto backdoor — something that can lead to the identification of the original source of a message. In my opinion, that shouldn’t be allowed. I applaud WhatsApp for challenging the government in court, and sending out a message to the Indian users that their privacy matters. End-to-end encryption is the strongest data privacy protection tool online.
GDPR has had a profound impact globally. Countries are making changes to their existing laws to bring them on a par with GDPR, so that they can engage with companies in Europe and do business without any repercussions. For instance, in Canada, the Federal Privacy Commissioner has told the government that we need to upgrade our federal legislation. He has said that we need to have Privacy by Design in our law, just the way it is in GDPR. It has been three years since GDPR came into effect, and I know that there are those who are calling for an upgrade, but three years is not a lot of time for the development of a regulation. So, in my opinion, GDPR is good in its current form. It has had a great impact on the way data is collected and used, and that shall continue to be the case in the future.
Dr. Ann Cavoukian is presently the Executive Director of the Global Privacy & Security by Design Centre, and is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University.