In a Toronto office tower, on the 25th floor, you find the centre of a perfectly ironic storm: Everyone wants to talk to Dr. Ann Cavoukian, the queen of privacy. The current swirl concerns revelations that Statistics Canada has ordered Canada’s banks to hand over the records of 500,000 Canadians without their consent. Any day could bring news of similar import, but Cavoukian maintains it’s also an opportunity.
Let’s start with a couple of big-picture questions. First, why should we care about privacy?
If you value your freedom, you value privacy. It’s no accident that Germany is the leading privacy and data protection country in the world. They endured the abuses of the Third Reich and the complete cessation of all their privacy and freedom. When your freedoms go, the government takes all your information and says, “If you’re a law-abiding citizen, you’ve got nothing to hide.” And the effect is, it shrinks your cognitive bandwidth. People go inward. They’re scared to talk. It’s the exact opposite of innovation and creativity.
What are the responsibilities of business regarding data privacy?
When I was Ontario’s privacy commissioner for, like, 17 years, I used to tell businesses, “Treat privacy as a business issue, not an issue of regulatory compliance.” In opinion polls, 91% of people say they are concerned about their privacy. I’ve never seen concern for privacy that high. If you do Privacy by Design, shout it from the rooftops. Tell your customers the lengths you’re going to, to protect their privacy. They will reward you with repeat business.
Give me a thumbnail understanding of what Privacy by Design is.
The essentials are: You collect information from your customer, you tell them why you want it, what you’re going to use it for. They agree to that. That’s called the primary purpose of the data collection. You restrict your use of the information to that purpose alone. If everybody did that, you wouldn’t need people like me. But very few people do that.
Briefly, what are the seven principles of Privacy by Design?
First, be proactive—prevent the harm from arising. Second, privacy is the default. You don’t have to ask for privacy; we give it to you automatically. Third, embed it in design. Bake it into your data architecture, into your code, into your policies, so it’s not an afterthought. Fourth, positive sum, not zero sum. It’s “privacy and,” not “privacy versus.” Privacy and creativity. Privacy and data utility. Not either-or, win-lose, but win-win. Fifth, strong security end-to-end, with full life-cycle protection. Sixth, tell your customers what information you have on them. Give them a right of access to your data. I tell companies and the government that while you may have custody and control over someone’s data, it doesn’t belong to you. It belongs to the subject. And seventh, keep it user-centric. When you focus on the needs of your customers, the rest flows.
You came up with that in the late ’90s. Have things evolved as you expected?
It took a little longer than I thought. But in 2010, Privacy by Design was unanimously passed as an international standard by the International Assembly of Privacy Commissioners and Data Protection Authorities. I talked to a number of the commissioners afterward to thank them, but also to ask them why everybody voted in favour of it. They said that in this day and age of ubiquitous computing, massive online connectivity and social media bounding, they were just seeing the tip of the iceberg in terms of privacy harms. They wanted to find a way to avoid the massive base of the iceberg. Regulatory compliance was considered to no longer be sufficient.
Is the standard intended to be adopted at a countrywide level? Or is it meant to be adopted more granularly, at the company level?
Across the board. For the first time ever, Privacy by Design was included in a major new law introduced in the European Union, called the General Data Protection Regulation—the GDPR—which came into effect in May. It raises the bar dramatically on privacy. All 28 member countries of the EU have to upgrade their privacy laws to comply with the GDPR. And all countries are modifying their laws to be compliant with the GDPR, because everyone wants to do business with the EU without any restrictions (see footnote 1 below). But I’ve also been working with a lot of companies. I offer Privacy by Design certification in partnership with KPMG. The number of requests I’ve had in the past year has tripled. Because you don’t need a law to do Privacy by Design. You just have to follow the seven foundational principles. If you can show that you’re compliant by being certified, that shows the EU good faith.
Can you tell me what percentage of large Canadian companies are compliant?
I’m sure it’s not a huge number. But I can point to some companies—Telus, for example. They have obtained four Privacy by Design certifications, and they’re applying for more. We certify a product or service as opposed to a company. Telus goes to great lengths—unlike Bell, for example—to tell their customers what they are doing to protect their privacy.
What about our banks?
The banks haven’t done it yet, and I think they are considering it. But banks are more conservative. It’s still relatively new.
What about Facebook, Amazon, Netflix and Google?
[She rolls her eyes] Let me tell you what Facebook is doing, which drives me crazy. They say they are doing Privacy by Design, and clearly they are not. They modified it and call it “Private by Design.” I’ve been very outspoken against that. I tweeted out that all they have to do is come to me and get certified, and I’d be happy to say they are doing Privacy by Design. What are the odds of that? Ain’t gonna happen.
Speaking of being outspoken, why did you resign from Sidewalk Labs? (2)
See, when you have sensors and technology everywhere, there’s no opportunity for people to consent or revoke consent. Data is being collected automatically. So I said, because of that, what your technology has to do is de-identify the data at source. Anonymize it. Meaning that when the sensor picks up the data, before it goes anywhere, you strip all personal identifiers out.
What sorts of identifiers?
It could be licence plate numbers. It could be video surveillance cameras gathering your facial image, biometric data. A whole string of data. I said, you’ve got to strip all personal identifiers. And in fairness to Sidewalk, they’ve agreed to all of this. I never had pushback from them on that issue, to de-identify at source, full stop.
So what happened?
What happened was that Sidewalk Labs were getting criticism for their governance model—not privacy, but how were they going to use the data? Is it going to go to Google? Alphabet? How are they going to benefit from it? A lot of pushback. So they had to come up with some kind of solution that would hopefully appease all the forces. At a huge meeting of the advisory board in October, they said they were creating a “civic data trust,” consisting of Waterfront Toronto and Sidewalk Labs, but also the other players—companies that are going to be developing the IP, the sensors, various levels of government. I didn’t have a problem with any of that. But they said, “And of course we will encourage everyone to de-identify the data at source, but we can’t promise that.” I was crushed. After that, I felt I had no choice.
Now it’s on Waterfront Toronto, the body that is running this. It’s on them to put this in writing and say, “Everybody who wants to play here, you have to de-identify at source.” They have to lay down the law on this.
What troubles you more—the potential for corporations to invade privacy for profit or the potential for governments to invade privacy for surveillance?
I think more the government. Because if you don’t like the way a particular corporation is treating you, you can move your business somewhere else. You can’t do that with the government. And there’s so little transparency. CSIS, CSE, RCMP—we don’t know all the data they’re collecting. Tim Cook from Apple appeared at this year’s international conference in Brussels on privacy. I just think he’s fabulous. Of all the companies, they have done the most to protect privacy, end-to-end encryption.
Apple has an incentive because it’s trying to differentiate itself from Facebook and Google. What’s the incentive for other companies?
If they want to stay in business, they can’t continue operating the way they are. Facebook has already been pinged by the information commissioner’s office in the U.K. for some privacy infraction. (3) The same will happen to Google and others. And under the GDPR, the fines for non-compliance are 4% of your annual general revenue. Imagine 4% of Google or Facebook. (4) Off the charts.
On Nov. 1, new Canadian regulations took effect that require companies to do more to record and report data breaches. What’s your reaction?
Most companies will try to comply, and I’m pleased that’s included in the legislation, but the language concerns me. If you look at breach notification, it says there has to be “a real risk of significant harm.” What’s “significant?” How do I know if the risk is “real?” If you are a company, you can challenge both of those. I’m guessing it will take a couple of cases to go to the privacy commissioner and he’ll have to adjudicate and set down what his expectations are.
What do you say to Canadian companies that think what they’ve been asked to do is too costly?
I tell them the exact opposite. Yes, there is a cost associated with doing it proactively. But it will be a fraction of the cost you will incur when you have a data breach. And I guarantee you will have a data breach. It’s not just the financial costs of the class-action lawsuits. Think of Target. (5) The cost to your brand and to your reputation may be irreparable.
1. With the implementation of the GDPR, Canadian law is no longer considered equivalent to EU law, which threatens Canada’s ability to trade freely. A report released in February by Canada’s standing committee on access to information, privacy and ethics called for an update to Canada’s privacy laws. Cavoukian expects something to be in place next year.
2. In 2017, Sidewalk Labs partnered with Waterfront Toronto to begin development of a smart neighbourhood called Quayside. The innovations from this 12-acre pilot project will be scaled across the 800-acre Eastern Waterfront.
3. On Oct. 25, the Information Commissioner’s Office in the U.K. upheld a £500,000 fine levied on Facebook for failing to keep users’ personal information secure from third-party developers.
4. See infographic above.
5. In May 2017, Target agreed to pay $18.5 million (U.S.) to settle claims from a 2013 cyberattack involving 41 million customer accounts. By the end of 2017, its loss from the attack was estimated to be $1 billion (U.S.).
Trevor Cole is the award-winning author of five books, including The Whisky King, a non-fiction account of Canada’s most infamous mobster bootlegger.