IT World Canada

You don’t have to sacrifice privacy for security, says former Ontario privacy commissioner

Ann Cavoukian spent more than 15 years as Ontario’s Information and Privacy Commissioner between 1997 and 2014, but her new venture expands beyond provincial borders.

Cavoukian has created a new global council called Global Privacy and Security by Design to promote and advocate for research into the next level of privacy protections. The council’s board includes notable names such as Telus CEO Darren Entwistle, SecureKey CEO Greg Wolfond, and former US secretary of Homeland Security Michael Chertoff.

Inspired by the constant debate between needing more security without sacrificing personal privacy, she believes Canadians can have both.

“Whenever there’s an increase in terrorist incidents – dating back to Charlie Hebdo, San Bernardino, Manchester, Vegas, Paris, the list goes on and on – the pendulum swings right to forgetting about privacy and focusing on public safety and security via any means possible and that’s what sparked this council,” Cavoukian tells IT World Canada. “Of course we need security, but not at the expense of privacy. You can have both; you must have both. Privacy forms the foundation of our freedom and liberty, we can’t give up on that.”

Raising awareness is the first step, but when it comes to practical action, Cavoukian thinks the best way to achieve this balance is to proactively embed privacy and security functionalities into the designs of developing technologies like artificial intelligence (AI) and machine learning. Thus, the council was created with an explicit goal of researching how exactly this can be done.

“I hear so many people tell me ‘Oh, we have to say goodbye to our privacy because technologies are expanding surveillance and data collection and there’s nothing we can do because it’s for our own safety’ and that’s so wrong. You can have both, and that’s why education is our first goal,” she explains. “But our second and equally important goal is working with the engineers, computer and data scientists, and innovators on how they can embed privacy into the design of the products or services they are creating. We need to tell them this is important from the get-go, not when they’ve already delivered the program and privacy becomes an afterthought.”

The former privacy commissioner, and now Distinguished Expert-in-Residence at Ryerson University, wants to go into postsecondary schools to work with students and professors as well as target executives within the corporate community to spread her message.

The council’s third goal is to collaborate with policy designers in both government and business in hopes of tearing down the traditional “silo” approach to developing privacy strategies.

“Companies and even the government need to get past the separation of departments. You’ve got to have cross pollination and people talking to each other about the deliverables that they want and the goals they want accomplished. If marketing or legal teams care about privacy but that priority doesn’t get to the programmers before they start their code, there needs to be less of a silo approach. It’s ambitious but we have no other choices,” Cavoukin stresses.

A fundraising gala was held for the international council on Jan. 25 in Toronto and it raised thousands of dollars from attendees that include Deloitte, Microsoft, and Google executives, proving that the message Cavoukian is spreading is resonating with a wide audience.

She points to Germany as a leader in the privacy and data protection space, saying that its emphasis on privacy is a model that should be emulated. She also commends the European Union’s new General Data Protection Regulation (GDPR), which comes into effect on May 25 and essentially strengthens the rights of individuals to control the use of their personal data, and believes similar action should be taken in North America. The GDPR includes both privacy by design and privacy by default, which requires that companies and governments restrict the use of the information they’re collecting from someone for the primary purpose intended for the data collection.

“This is such an amazing statute because for the first time ever, it includes privacy by design and privacy by default. You don’t give information to a company or government to do whatever they want with it, you give it for a particular purpose that is warranted. Under the GDPR, these organizations are not permitted to use it for any other purpose without coming to you obtain your positive consent,” she says. “That’s the opposite of what happens now. Unless an individual takes the time to scour the terms of service to understand what data is being used and opt out – which no one does – personal data is being collected and used for purposes beyond what you gave explicit permission for.”

Canada’s data privacy regulation governing the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since 2000, and Cavoukian says it’s time for updated legislation so the country can keep up with the global pace.

“Canada was on par with the former EU privacy law and we traded with them without any concern, but GDPR is leaps and bounds ahead. Our federal privacy commissioner Daniel Therrien has called for an upgrade of the law because so much has changed since the early 2000’s and we’re obviously behind that,” she agrees.

While the US s struggles with rampant surveillance and no independent commissioners, Cavoukian doesn’t see Canada going down the same path as its southern neighbour.

“We do fare much better than the US and I don’t think we’ll go in that direction. Over my dead body,” she laughs. “We’re much more closely aligned with the EU on privacy measures and I’m pleased with federal commissioner Therrien’s approach in trying to update Canada’s regulations.”

Cavoukian is hopeful for the future, convinced that emerging tech like AI will help Canadians find the right balance between security and privacy.

“We’re looking to fund research into embedding privacy in new technology because we need to pave the way and prove this is doable. My view is we have to believe this is possible; we don’t have a choice. If you value freedom and liberty, then you value privacy,” she concludes.