Should privacy by design be part of Canadian law?

Ann Cavoukian has long touted the benefits of “data privacy by design” and now the European Union has passed an overarching privacy law called the General Data Protection Regulation, which embeds that requirement.

The regulation comes into effect in 2018 in the EU. What is unusual about the regulation is that it applies to all EU member countries, replacing the separate privacy laws of each of its 28 countries.

Privacy by design was first developed by Cavoukian in the 1990s when she was privacy commissioner of Ontario. It is an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures.

“That in itself is huge,” said Cavoukian, now the executive director of the Privacy and Big Data Institute at Ryerson University.

She was speaking on an International Association of Privacy Professionals panel last week in Toronto called “Privacy by design: How I learned to stop worrying and love disruptive technology.”

Even though privacy by design has been embraced globally for many years, the EU law is the first time it’s appearing in a statute.

Cavoukian noted that Canada’s privacy commissioner, Daniel Therrien, is also now asking if privacy by design should be embedded into Canadian law.

“Keep your eyes open for this, and if you lead by privacy by design it will be more likely you will be compliant with the GDPR and you will be more likely to be meeting the requirements of many jurisdictions because privacy by design raises the bar considerably,” she said.

Abigail Dubiniecki, legal counsel for the Canadian Air Transport Security Authority, noted that even if an organization doesn’t have operations in the EU, if it is directing services to EU residents, it can still be captured by the requirements.

With distrust of how organizations are handling personal data at an all time high, how can organizations foster trust with customers in the private and public sector?

“You have to find ways to grow trust,” said Cavoukian. “When I was privacy commissioner I told businesses to treat privacy as a business issue — focus on the tech and how you can increase privacy thereby increasing trust and be compliant with the legislation.”

Cavoukian said with the Internet of Things exploding at such a rapid pace, if companies took time to reflect on the protections that could be embedded from the outset, they would be much further ahead. Companies are still too siloed though to make sure it happens at the design stage

“When I talk to software designers and ask why they aren’t embedding privacy into the design of their technology they say, ‘We’d love to do that but the instructions we receive don’t reflect the need to do that.’ They say if we had the instructions at the front end, it’s easy to do,” she said.

She referred to the “risk intelligence approach” which anticipates risk and identifying them upfront in an effort to mitigate risk by incorporating privacy into design.

Dubiniecki said some view the problem as a generational gap — that some older age groups are more concerned about privacy than others that have “softer” security concerns.

“There is the idea that some will sacrifice privacy for personalization,” she said. “They want something customized to their needs so some innovators see privacy as a barrier to innovation but others see it as an opportunity.”

Cavoukian agreed it is an opportunity. She says people often see privacy as an impediment but in fact she says “privacy breeds innovation.”

“If you can embed privacy from the get go it will assure customers and keep regulators out of your door because you will be building it in in the strongest way possible.”

Protection of data should also be the top concern of any organization, she said.

“In this day and age of cyber attacks, if you don’t have data protection end to end you won’t have privacy. You have to have secure data collection and through the secure destruction of the data,” she said.

“Remember, it’s not your data — just because you have custody and control of it because you collected it doesn’t mean it belongs to you — it belongs to the data subject.”

Recent articles & video

BC Court of Appeal overturns ruling requiring disclosure of privileged information on birth alerts

Ontario Superior Court finds Ottawa negligent in response to Uber's entry, damaging taxi industry

BC Supreme Court upholds drivers' liability in car crash injuring cyclist

Ontario Superior Court orders child's return from Alberta in custody dispute

Alberta court rules expert evidence inadmissible following settlement in medical negligence case

New metric developed to assess socioeconomic challenges of US law school applicants

Most Read Articles

Alberta court refuses to stay bankruptcy proceedings in favour of family law proceedings

New CRA audit powers proposed in federal budget raise uncertainty, say Davies tax lawyers

Mergers and acquisitions in the AI space need unique due diligence considerations: Dentons lawyers

Poilievre's plan to trample Charter rights won't stop at tough-on-crime measures