‘Privacy by Design’ Principles Explained - by their creator, Dr. Ann Cavoukian

Dr. Ann Cavoukian has undoubtedly made an everlasting impact across cyber security and privacy as the creator of the framework Privacy by Design, which impacts billions of people across the globe daily.

Our podcast partner, host of the Soulful CXO, Dr. Rebecca Wynn interviewed Dr. Ann Cavoukian - you can catch the episode here - as aside from being the creator of the framework Privacy by Design, Dr. Ann Cavoukian is recognized as one of the world's top privacy experts and served an unprecedented three terms as the Information and Privacy Commissioner of Ontario, Canada. She is the executive director of Global Privacy and Security by Design Center and the author of two books.

This episode breaks down:

• What are the principles of Privacy by Design and why it was created
• How Privacy by Design was embedded into the Sidewalk Labs project
• Is Privacy by Design more of a legislation issue, is it a technology issue, is it a people issue?

The principles of Privacy by Design

Dr. Rebecca Wynn: Let’s talk about Privacy by Design. You’re well known for creating that framework, but not everyone in our audience might be familiar with what it is. What are the principles? Can you briefly tell us what that is and why did you create it?

Dr. Ann Cavoukian: It was so interesting. I was appointed Privacy Commissioner in 1997. And when I first started the office, what was interesting was, you see, I'm not a lawyer, I'm a psychologist. I studied psychology and law, but my background is very different. And so, when I first started, I noticed that the approach the office took to privacy issues was always after the fact, after the data breach, after the privacy infraction, you apply the law, regulatory compliance, and that's very important. But I wanted something proactive that could prevent the privacy harms from arising. I wanted a model of prevention, much like a medical model of prevention. So, I created Privacy by Design, literally at my kitchen table over three nights, and then took it in the office and sold it, so to speak, to all my lawyers. And eventually, they got on side because I was saying it's not one versus the other. It's both proactive measures to try to prevent the harms from arising, you know, privacy measures. We can bake into our operations, bake it into the code, into the design of your operations that complements regulatory compliance, which comes afterward, because there will invariably continue to be data breaches and privacy infractions. So, this took off. And in 2010, Privacy by Design was unanimously passed as an international standard by the International Assembly of Privacy Commissioners and Data Protection Authorities. Then it really took off and it's been followed all around the world, translated into 40 languages. It continues to grow and it's all about win-win. You do privacy and security, privacy and data utility, not one versus the other.

How Privacy by Design was embedded into the Sidewalk Labs project

Dr. Rebecca Wynn: Shifting topics a bit, you've worked quite a bit with Smart Cities. You worked on a great project; can you go ahead and explain that project to us and what that was about? That was the Sidewalk Labs project.

Dr. Ann Cavoukian: Of course. It was so interesting. It started out beautifully. Sidewalk Labs approached me. They wanted to retain me to embed Privacy by Design into the smart city they had been contracted to develop here in Toronto, Canada, and I live in Toronto, so I wanted a wonderful, smart city that preserved privacy. I was delighted that Sidewalk Labs retained me to embed Privacy by Design into this operation. And once I started looking into it in a smart city, the technology is on 24/7. The sensors, the cameras, everything is collecting data all the time, nonstop, which is why I said to Sidewalk Labs, “Look, you want to do Privacy by Design? We are going to have to deidentify data at the source, meaning the minute the data is collected by the sensor or whatever technology, you sever it of all personal identifiers, you remove all personal information associated with the data.” Then you can use the data for much-needed purposes. And it will be very invaluable for formulating how the smart city is going to operate, etc. But personal information will be removed from it, so the privacy risk will have been removed right at the outset, right at the beginning. Sidewalk Labs loved this. They said they liked it because then they could tell people, ‘look, there's no privacy risk associated with what we're doing with all the massive amount of technology we're putting into the smart city’, win-win.

Is Privacy by Design more of a legislation issue, is it a technology issue, is it a people issue?

Dr. Rebecca Wynn: As we go into 2022 to 2025, is Privacy by Design more of a legislation issue, is it a technology issue, is it a people issue? What do we do to make it a better feature?

Dr. Ann Cavoukian: It's great if it is embedded in the law. There's no question. Laws all around the world are being upgraded as a result of the General Data Protection Regulation that came into effect in the European Union in 2018. Privacy is the default, one of the essentials of Privacy by Design, and when they included that in the law, countries all around the world wanted to upgrade their existing laws because they may have had what's called essential equivalence with the previous law in the EU, which they want to maintain and preserve because there's so much business that they can engage in with the EU. So, when the law was strengthened in this manner in the GDPR, including Privacy by Design, then countries all around the world started, including Privacy by Design, into their operations. I say don't rely just on laws and regulatory compliance. Bake it into the code, into the technology, into the design of your operations, into your policies, and you will get a much better win-win outcome.

Dr. Rebecca Wynn: We thank you for sharing your leadership insights. How can people get a hold of more information and learn about their companies becoming Privacy by Design certified? How can they get a hold of you to speak? And as you said, to be an advisor?

Dr. Ann Cavoukian: If they want to email and they want to get certified, with their consent, I will refer them to KPMG who is the certifying body and they'll go in and do the much-needed testing, etc. and then they send me a report and I will certify.

Listen to the Full episode here - where Ann reveals even more unmissable insights such as:

• Why Dr. Cavoukian resigned from her role at Sidewalk Labs and the uproar and ultimate opportunity it created
• What role the developer plays in Privacy by Design
• Dr. Cavoukian’s thoughts on vaccination passports and privacy in healthcare