Entries submitted

C1: Office of the Privacy Commissioner of Canada Entry 1
C2: Office of the Privacy Commissioner of Canada Entry 2
C3: Catalan Data Protection Authority
C4: CNIL France
C5: PCPD Hong Kong
C6: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)
C7: Office of the Privacy Commissioner, New Zealand
C8: Spanish Data Protection Agency (Agencia española de protección de datos)
C9: Federal Trade Commission, US

C1 – Entry by: Office of the Privacy Commissioner of Canada, Entry 1

Description of the initiative: 

Guidance for federal political parties on protecting personal information. The Office of the Privacy Commissioner of Canada (OPC) and the Canadian Chief Electoral Officer (CEO) collaboratively prepared this guidance to assist federal political parties in complying with their new legal obligations relating to privacy policies in anticipation of the October 2019 federal elections in Canada.

Why the initiative deserves to be recognised by an award?

The guidance was developed, in part, as a response to heightened public concerns over the data practices of political parties and the new legal requirements for federal political parties to publish a privacy policy on their website and submit it to Elections Canada as a condition of registration. It serves to highlight the international best practices around the use of data by political parties, and further highlights the critical link between data protection and maintaining the integrity of the democratic process. The guidance is an important initiative deserving of recognition since:

  • It speaks to an important matter of public interest: the use of personal information by political parties;
  • It addresses in a pragmatic and collaborative manner an important regulatory gap since the data practices of political parties are not covered by Canada’s federal privacy or electoral laws;
  • It highlights the ability of two independent regulatory bodies – for privacy and for elections – to work together in the service of Canadians; and
  • It responds to an immediate need, with the advent of Canada’s federal elections in October of 2019.

Complete entry available here

C2 – Entry by: Office of the Privacy Commissioner of Canada, Entry 2

Description of the initiative: 

This guidance on mandatory breach reporting responds to modifications in the Personal Information Protection and Electronic Documents Act (PIPEDA) that came into effect in November 2018. Organizations are now required to report breaches with a real risk of significant harm to individuals. The Office of the Privacy Commissioner of Canada (OPC) prepared a draft and held consultations before issuing this guidance to help clarify the new obligations and legal standards.

Why the initiative deserves to be recognised by an award?

This piece of guidance, developed in consultation with stakeholders via public consultations, has been key in helping organizations understand and meet their obligations under Canada’s new federal breach reporting obligations. Available in both English and French, the guidance is written in accessible language so that companies understand their obligations and citizens understand what to expect if and when a breach of their personal information occurs.

Given the changes to Canadian law and their impact on organizations and individuals, it was important to have these done in a timely way. The guidelines were published in parallel with the coming into effect of the mandatory breach requirements and have been well received. Further, the creation of a companion breach report form has given added clarity on the type and amount of information businesses are to provide OPC.

At the end of the day, this guidance has led to the greater protection of Canadians’ privacy by both: (i) promoting compliance with organizations, and (ii) empowering Canadians with knowledge and awareness of mandatory breach reporting expectations.

Complete entry available here

C3 – Entry by: Catalan Data Protection Authority (APDCAT)

Description of the initiative:

Our entry is a software program to manage the Register of Treatment Activities (Registro de Actividades de Tratamiento, RAT, in Spanish).

Why the initiative deserves to be recognised by an award?

It is an app that can be downloaded and installed easily and for free. It is easy to use and is suitable for both private entities and entities that are part of the public sector.

ICDPPC-Awards_C4_Catalonia

C4 – Entry by: CNIL, France

Description of the initiative:

Données & Design (Data & Design) is a platform aiming at promoting design for privacy and creating a design community for data protection. It helps designers get a practical grip on the regulation and encourages the co-design of good privacy practices for user interface (UI) and user experience (UX). It provides case studies, interface assessment methodologies, and tools to co-design privacy-friendly alternatives to common design practices. Its community includes 500 members on Slack.

Why the initiative deserves to be recognised by an award?

As the CNIL highlighted in its 2019 Innovation et Foresight Report (Shaping Choices in the Digital World, From dark patterns to data protection: the influence of UX/UI design on user empowerment), it is necessary for DPAs to take design into account and guide design practitioners in understanding and applying the regulation, in an open and non-competitive approach, in order to ensure individuals stay in control of their data in the digital world.

Indeed, design has a prevailing role in shaping the relationships between individuals and the digital worlds: the interface is the first object of mediation between law, rights and individuals when it comes to data protection. As a result, this initiative aims at encouraging DPAs to take design into account in their compliance analysis, as well as guiding designers, and professionals who are usually unfamiliar with the regulation, in creating new visual grammars and interaction patterns respectful of privacy and data protection. Those complementary approaches are also a way to give body to the privacy by design principle by providing practical contents and tools for stakeholders to create privacy-friendly interfaces from the outset of their projects.

Complete entry available here

C5 – Entry by: PCPD, Hong Kong

Description of the initiative:

Data Ethics – “Ethical Accountability Framework for Hong Kong, China”

The PCPD commissioned a study on data ethics in 2018 for drawing up recommendations on what an Ethical Data Stewardship framework should look like, and providing tools for organisations to achieve fair and ethical processing of personal data. Published in October 2018, the study report recommended that organisations conducting advanced data processing activities should implement ethical data stewardship by adhering to the three core ethical values – respectful, beneficial and fair – and conducting ethical impact assessments.

Why the initiative deserves to be recognised by an award?

The PCPD is one of the pioneers in advocating ethics in the data protection arena. The research report, being one of the foremost studies in data ethics, further illustrated the commitment of the PCPD in this aspect.

At the 40th ICDPPC, a Declaration on Ethics and Data Protection in Artificial Intelligence was passed, of which the PCPD was one of the co-sponsors. A new permanent working group has been set up pursuant to the Declaration to further promote ethics and data protection in AI, and the PCPD is one of the co-chairs working to nourish a culture and environment that respects privacy.

Back in town, data ethics has been advocated locally via various platforms and channels, such as a symposium on data ethics in action, a leaflet for small-and-medium enterprises in putting data ethics in practice, and speaking occasions for government and business sector.

Complete entry available here

C6 – Entry by: National Institute for Transparency, Access to Information and Personal Data Protection (INAI Mexico)

Description of the initiative:

The Minimum Criteria suggested for the contracting of Cloud Computing services that involve the processing of personal data (hereinafter Criteria) are intended to establish minimum considerations to guide data controllers for the selection and hiring of cloud computing providers. The above, in order to comply with the obligations established by Mexican regulations on this matter and to avoid breaches to the security of personal data.

Why the initiative deserves to be recognised by an award?

The criteria are a facilitation tool offered to those data controllers for the Federal Law on the Protection of Personal Data Held by Private Parties and its Regulations. These consist of a series of considerations and specific questions for the selection and hiring of cloud computing service providers. In addition, it provides recommendations to control and ensure the provision of the service, as well as the advantages and disadvantages of joining or hiring them. Therefore, this document serves as a guiding framework for before, during and at the end of a hiring or adhesion of cloud computing services.

Complete entry available here

C7 – Entry by: Office of the Privacy Commissioner New Zealand

Description of the initiative:

The Office of the Privacy Commissioner (OPC) launched an own motion inquiry into the Ministry of Social Development’s (MSD) use of its information compulsion powers. OPC found that MSD had been misusing its powers and unjustifiably intruding on the privacy of thousands of New Zealanders.

OPC’s inquiry resulted in widespread public reporting. MSD also agreed to change their practice to comply with their legal obligations and undertake a review of their legislation to ensure consistency with recent privacy and other human rights jurisprudence.

Why the initiative deserves to be recognised by an award?

MSD’s failure to act consistently with their legal requirements affected vulnerable members of New Zealand society – those reliant on the state for support and assistance. OPC’s inquiry gave a voice to those affected by MSD’s failures and effected positive change for them.

OPC successfully brought about this change despite only having recommendatory powers, demonstrating OPC’s ability to successfully influence government through persuasive reporting.

Complete entry available here

C8 – Entry by: Spanish Data Protection Agency (Agencia española de protección de datos)

Description of the initiative:

We submit the candidacy for the “Risk self-assessment tool for SMEs and professionals who carry out low-risk processing operations”. The name of the tool is FACILITA_RGPD.

FACILITA consists of an online questionnaire divided into four blocks with a maximum duration of 20 minutes with which companies and professionals can verify through a series of questions that the processing operations they carry out can be considered of low risk and obtain the minimum essential documents to facilitate the application of the GDPR at the end of the test.

Why the initiative deserves to be recognised by an award?

– The objective pursued and the purposes for which it was developed. In Spain there are 2.8 million companies, of which 99.8% are SMEs and professionals and 94% micro-enterprises of 9 workers or less and self-employed. Adaptation to the GDPR entails special difficulties for these companies, which need specific support given their limited resources.
– Its ease of use and the fact that it’s free for users.
– Its focus on the real needs of users. The tool was originally launched in 2017. The version whose candidacy is submitted was published in March 2019 and contains numerous improvements based on the lessons learned after more than one year of implementation of the first version.
– It’s been fully designed and developed within the Spanish Agency, using its own resources and considering the specific needs of the potential users.
– Its easy replicability.
– Its sustainability.
– Its real impact: 180.000 users have completed the questionnaire and obtained the documentation in the two versions of the tool.
– Its impact on the protection and guarantee of citizens’ rights.

Complete entry available here

C9 – Entry by: Federal Trade Commission, US

Description of the initiative:

In a historic settlement, the FTC imposed upon Facebook an unprecedented $5 billion fine, a new privacy structure for accountability at Facebook, and new tools for FTC monitoring of Facebook. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.

Why the initiative deserves to be recognised by an award?

The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy and almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide. It is one of the largest penalties ever assessed by the U.S. government for any violation.

The settlement order also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

Complete entry available here