“Privacy by Design” has long been understood as the “gold standard” of data protection and at the core of how to sustain privacy rights in the digital age. It is a concept that can be said to have been “made in Canada,” developed by former Ontario Information and Privacy Commissioner Dr Ann Cavoukian around and about 1997. It is seen as a way to balance commercial interests, as well as the promise of leveraging and processing ‘big data’, with the right to privacy, which, according to many, should be seen as fundamental human right, as discussed in a previous blog post. Bill C-11, An Act to enact the Consumer Privacy Protection Act (“CPPA”) and the Personal Information and Data Protection Tribunal Act (also known as the Digital Charter Implementation Act), is currently in its second reading in the House of Commons. It is Canada’s first attempt since the coming-into-force of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) over 15 years ago, to modernize, strengthen, and clarify Canada’s approach to privacy law.
The main driving forces behind the proposed CPPA are (i) the desire to maintain Canada as an “adequate” jurisdiction for European personal data transfers under the European General Data Protection Regulation (“GDPR”), (ii) the apparent and understood need to modernize Canadian privacy law so it is appropriate for contemporary technology and uses of data and (iii) recent high profile data breaches affecting Canadians’ personal information that illustrated the impacts of breaches and limitations Canadian regulators have with respect to enforcement. Read more about data breaches in our recent blog post.
The CPPA includes an overhaul to the current PIPEDA framework as it relates to enforcement, with significant fines and penalties and enforcement mechanisms, along with other significant changes. While at the same time, retaining familiar tenets of Canadian federal privacy law, such as “consent” and the focus on “accountability.” Surprising to many, however, is the fact that the principle of privacy by design is nowhere to be found, either explicitly or by indirect reference to its seven foundational principles.
What is privacy by design?
Broadly speaking, privacy by design requires designing a system or process in a manner that protects the privacy rights of individuals, rather than considering the associated privacy implications of a system or process only after deployment. It is a principle that many consider to be a crucial element in protecting privacy rights meaningfully and is an explicit legal obligation under the GDPR:
“Art 25 (1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. (2)That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. (3) In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”
Privacy by design is the marriage of two ideals: (i) protection of personal information; and (ii) its coinciding sustainable commercial use, centered around seven foundational principles. These seven principles are:
- Proactive not reactive: preventative not remedial.
- Privacy as the default setting.
- Privacy embedded into design.
- Full functionality: positive-sum, not zero-sum.
- End-to-end security: full lifecycle protection.
- Visibility and transparency: keep it open.
- Respect for user privacy: keep it user-centric.
Privacy by Design’s Future in Canada
On June 12, 2020, Bill 64…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
