Privacy by Design by Regulation: The Case Study of Ontario

Author: Avner Levin
Position: Professor, Law & Business Department, Ted Rogers School of Management, Ryerson University
Pages: 115-159
Avner Levin*
This article presents the findings of a case study examining the role of the regulator in
facilitating Privacy by Design (“PbD”) solutions. With the introduction of PbD into
the new European Union General Data Protection Regulation, it is important to
understand the conditions under which PbD can succeed and the role which regulators
can play (if at all) in promoting such success. Two initiatives with similar technology
are examined: first, a PbD success, the introduction of facial recognition technology
into existing cameras in casinos in Ontario, and second, a PbD failure, the expanded
deployment of cameras within the public transit system of Toronto. The findings are
organized into three overarching themes: PbD-focused findings, leadership and
organizational findings, and regulator-focused findings. The article argues that privacy
continues to persist as an engineering problem despite PbD, that (related to that) there is
growing recognition of privacy as an issue of organizational change and leadership, and
consequently, that the role of the regulator must evolve if PbD is to become a meaningful
regulatory tool, an evolution that carries with it both risks and opportunities for privacy.
* Professor, Law & Business Department, Ted Rogers School of
Management, Ryerson University. This paper was supported by a research
grant from the Blavatnik Interdisciplinary Cyber Research Center, Tel
Aviv University. Many thanks to Professor Michael Birnhack of the
Buchmann Faculty of Law, Tel Aviv University for leading this research
project and for the fruitful discussions we had on privacy by design and to
Michelle Chibba of the Privacy & Big Data Research Institute at Ryerson
University for her invaluable research support and her contribution to the
many drafts of this paper.
I. Introduction
II. Privacy by Design
III. The Case Study
A. The Legal and Regulatory Background
B. The Two Initiatives
1. The Toronto Transit Commission (“TTC”)
2. The Ontario Lottery and Gaming Commission (“OLG”)
3. The TTC Initiative
4. The OLG Initiative
C. Research Methodology
IV. Findings
A. The PbD Theme
1. PbD and Legacy Systems
2. Initial Reaction to PbD
3. Working with PbD Principles
4. PbD and Education
5. Legislating PbD
6. Theme Summary
B. The Organizational Theme
1. Internal Support
2. The Role of the Internal Privacy Office
3. Theme Summary
C. The Regulator Theme
1. The Regulator’s Role in Early Stages
2. Regulatory Support for the Initiatives
3. Primary vs Secondary Regulator
4. Collaboration or Enforcement
5. The Overall Role of the Regulator
6. Theme Summary
V. C
A. Privacy as an Engineering Problem
B. Privacy, Organizational Change, and Leadership
C. PbD as a Regulatory Tool
D. e Future of PbD
117
(2018) 4 CJCCL
I. Introduction
This paper presents the findings of a case study examining the role of
the regulator in facilitating Privacy by Design solutions. PbD is an
approach to privacy which urges organizations to design privacy into new
initiatives rather than deal with privacy as an after-the-fact “problem”.
The approach has been embraced by many, but executed by few, for a
number of reasons, such as the difficulty in translating the idea of PbD
into engineering algorithms. With the introduction of PbD into the new
European Union General Data Protection Regulation¹ (“GDPR”), it is
important to understand the conditions under which PbD can succeed,
and the role regulators can play (if at all) in promoting such success.
This case study contributes to this understanding by examining
the Province of Ontario, Canada, and the role of its Information and
Privacy Commissioner in two PbD initiatives. Ontario was not chosen at
random. Its Privacy Commissioner at the time the initiatives were taking
place, Dr. Ann Cavoukian, was a champion of PbD. Cavoukian tirelessly
and passionately promoted PbD both domestically and internationally,
and outcomes such as the 2010 Jerusalem Declaration of Privacy
Commissioners in support of PbD and the inclusion of PbD in the new
GDPR can largely be attributed to her advocacy.
This case study wishes to examine the role the Commissioner played
as a regulator and whether the conduct of the regulator had any bearing
on the success or failure of PbD. The two initiatives that are examined are
the introduction of facial recognition technology into existing cameras in
casinos in Ontario, an initiative that is generally lauded for the success
of PbD, and the expanded deployment of cameras within the public
transit system of Toronto, in which PbD did not take hold. Since, in
both instances, the potentially intrusive technology and its potential
PbD solution were similar, the case study is able to focus on the role of
1. EC, Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data,
repealing Directive 95/46/EC (General Data Protection Regulation), [2016]
OJ, L 119/1, art 25(1) [GDPR].
