Entries submitted
D1- Entry by: Information Commissioners Office (ICO)
Description of the initiative:
In August 2023, the ICO and CMA jointly published a position paper on harmful design practices in digital markets. The paper sets out the data protection and competition harms that can arise when certain types of practices are used to present information and choices to consumers about the collection and use of their personal information. It gives examples of concerning design practices, and provides a set of expectations that the ICO and CMA share of firms, and UX and product designers, that will support good practice.
In November 2023, the ICO wrote to 53 of the UK’s top 100 websites, warning that they faced enforcement action if they did not make changes to their cookie banners to remove practices highlighted as being harmful in the position paper. The response to this call to action was overwhelmingly positive, resulting in 45 websites changing their cookie banners to be compliant, an almost 85% success rate in effecting change. Several others also started working on solutions, including contextual advertising and subscription models.
We continue to identify websites that are using non-compliant practices, and are developing digital tools to evaluate website cookie compliance at scale.
Why does the initiative deserve to be recognised by an award?
This overall initiative to improve design practices is novel in that it is a joint initiative between the ICO and CMA to tackle practices that are harmful to both data protection and competition. It is an example of the magnified impact that data protection and competition authorities can have by working together, as set out in the 2021 ICO-CMA joint statement on data protection and competition law.
The related regulatory activity to improve cookie banner design practices used this position paper to effect positive changes to the cookie banner design practices of many of the UK’s top websites, therefore providing tangible benefits to thousands of citizens with regards to their data protection rights and their ability to freely choose how their personal data is collected and used.
This also embodies regulatory progress supported globally by the GPA and its Digital Citizen and Consumer Working Group regarding deeper collaboration between data protection and competition authorities for better regulatory outcomes set out in the GPA 2019 resolution in view of the growing intersection of privacy, consumer protection, and competition issues.
D2- Entry by: Information and Privacy Commissioner of Ontario (OIPC)
Description of the initiative:
The new regulation introducing AMPs in Ontario’s health sector is intended to give Ontarians confidence that there are effective mechanisms to encourage compliance with PHIPA and to deter threats to their personal health information.
To help Ontarians prepare for this new regulation, the IPC released guidance setting out a comprehensive roadmap for how the IPC intends to exercise these new powers. The guidance explains the types of situations in which we might consider issuing AMPs, where AMPs fit along the spectrum of progressive enforcement options, and the factors that would inform the amount imposed on a case-by-case basis.
We aim to take an approach similar to a “just culture” approach (commonly used in the health sector to deal with medical errors), which emphasizes the value of reporting and learning from errors that occur in complex systems. This approach reserves more severe consequences for cases where stronger responses are necessary.
The IPC’s guidance explains, in clear language:
- What AMPs are
- The kinds of cases where AMPs might be issued
- The factors the IPC will consider in deciding the amount of AMPs to be issued
To further support our outreach efforts, we released an animated video to explain and raise awareness of AMPs in the health sector.
Why does the initiative deserve to be recognised by an award?
One of the IPC’s key strategic priorities is to foster Trust in Digital Health. Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.
As a modern and effective regulator, the IPC can help build trust in the health system with flexible and balanced approaches that meaningfully address non-compliant behaviours while promoting and encouraging accountability, learning, and continuous improvement.
Our AMP guidance serves this aim by ensuring that individuals understand there is a strong regulatory framework in place to protect personal health information, and that health information custodians have the tools they need to understand our evolving regulatory mechanisms. Written in accessible language, this document makes it easy for Ontarians to discern key takeaways about AMPs and how they and/or their workplaces may be impacted.
D3- Entry by: Office of the Privacy Commissioner of Canada (OPC)
Description of the initiative:
Early this year, the OPC concluded its investigation into a complaint against Aylo (formerly MindGeek), a global technology company based in Montreal, Canada, that owns and operates many of the world’s most popular pornographic websites, including Pornhub and YouPorn.
In 2015, the Complainant’s ex-boyfriend uploaded an intimate video depicting the Complainant to various MindGeek websites, without her knowledge and consent. She contacted MindGeek to request takedown of the content, which was subsequently removed. However, the content, which could be easily downloaded by users at the click of a button, continued to be re-uploaded, both on MindGeek and other websites (including sites unrelated to pornography).
This permanent loss of control over her intimate images led the complainant to live in a state of constant fear and anxiety. She filed a complaint with the OPC in relation to MindGeek’s compliance with its privacy obligations under Canada’s private-sector privacy law.
In response to that complaint, the OPC commenced an investigation to determine whether MindGeek had (i) obtained the valid consent of individuals depicted in content uploaded to its websites, (ii) provided individuals with an easily accessible and effective process for having their information removed from its websites, and (iii) was accountable for the personal information under its control.
The OPC’s investigation found that MindGeek had a legal obligation to obtain the complainant’s consent but failed to do so. It also determined that, for individuals who never consented to having their images uploaded to MindGeek’s websites, the company failed to provide an accessible, simple-to-use and effective process to contest consent and have their content removed from MindGeek’s websites. Finally, the investigation concluded that MindGeek failed to be accountable for the personal information under its control. Consequently, the OPC determined the complaint to be well-founded and made a number of recommendations, including that Aylo stop sharing user-created intimate content until it implements measures to obtain express, meaningful consent directly from each individual who appears in uploaded content.
Why does the initiative deserve to be recognised by an award?
The distribution of intimate images and videos without consent is a growing societal problem. With a simple click of a button, someone’s intimate content can be instantly uploaded and made available to millions of people all over the world on the internet. Once uploaded, this content can be extremely difficult to remove, especially if it is made available for download by other users. The often-permanent loss of control over such highly sensitive content can cause devastating harm to the victim’s dignity, reputation, health and well-being.
One of the key recommendations our Office made in its report of findings was that Aylo stop sharing user-created intimate content until it implements measures to obtain express, meaningful consent directly from each individual who appears in uploaded content. These measures would drastically curtail the upload of non-consensual intimate content, in Canada and across the globe. We are currently in discussions with the company with a view to obtaining a commitment to implement our recommendations.
We expect our report to inform the privacy practices of other organizations similarly situated to Aylo, and more specifically the form of consent such organizations must obtain when collecting, using and disclosing user-generated sexually explicit content.
D4- Entry by: Office of the Privacy Commissioner of Canada (OPC)
Description of the initiative:
Unlawful data scraping can result in a broad spectrum of privacy risks to affected individuals, from the receipt of unwanted marketing and identity theft, to unauthorized mass surveillance and cyber-attacks. It is integral to the digital economy and society that individuals feel confident and safe engaging online without fear that the information they post will be used in ways they hadn’t intended and that may cause them harm.
In the face of such risks and reports of numerous incidents of mass data scraping affecting millions of individuals worldwide, the IEWG undertook an initiative to better protect the vast amounts of personal data accessible online.
The IEWG data scraping sub-group drafted and published the joint statement in August 2023, highlighting several key messages:
- publicly accessible personal data is subject to data protection laws in most jurisdictions;
- social media companies and the operators of websites that host publicly accessible personal data have obligations to protect that information from unlawful data scraping (the statement also suggested a non-exhaustive list of potential safeguards);
- mass data scraping incidents can constitute reportable data breaches in many jurisdictions; and
- individuals can also take steps to protect their personal information from data scraping.
The co-signatories forwarded the joint statement to six of the world’s largest social media companies, seeking their feedback. This, in turn, resulted in fruitful dialogue with five of those companies, as well as other key industry players, allowing the group to expand its understanding of data scraping, including in relation to: new and innovative privacy-protective practices to combat ever-evolving data scraping threats; the use of AI against data scraping, as well as the use of data scraping to feed AI; and mechanisms for granting controlled access to publicly accessible personal data for potentially socially beneficial purposes.
The joint statement on data scraping was endorsed by 14 privacy enforcement authorities from all six continents. Ultimately, the IEWG data scraping sub-group looks forward to sharing further takeaways in a final statement to be issued in advance of the upcoming GPA Conference.
The Joint Statement Signatories are as follows:
- Agency for Access to Public Information, Argentina
- Office of the Australian Information Commissioner, Australia
- Office of the Privacy Commissioner of Canada, Canada
- Superintendencia de Industria y Comercio, Colombia
- Office of the Data Protection Authority, Guernsey
- Office of the Privacy Commissioner for Personal Data, Hong Kong, China
- Office of the Information Commissioner, Jersey
- Office of the Privacy Commissioner, New Zealand
- Datatilsynet, Norway
- National Institute for Transparency, Access to Information and Personal Data Protection, Mexico
- Commission Nationale de contrôle de la protection des Données à caractère Personnel, Morocco
- Agencia Española de Protección de Datos, Spain
- Federal Data Protection and Information Commissioner, Switzerland
- Information Commissioner’s Office, United Kingdom
Why does the initiative deserve to be recognised by an award?
The Joint Statement on data scraping and the protection of privacy is the latest in a series of successful collaborative compliance initiatives of the IEWG, demonstrating that by working together privacy enforcement authorities can expand their capacity and amplify their impact for the protection of privacy and personal data.
The initiative is also an example of how data protection authorities can cooperate not only through formal and thorough joint or coordinated investigations, but also through less resource-intensive soft enforcement actions such as this one.
This initiative has served to raise awareness of this important issue, through panel engagements at global privacy events such as the IAPP Global Summit and the Venice Privacy Symposium. It has also allowed co-signatories to amplify their common message that companies must implement appropriate measures to protect the personal data that they make publicly accessible on their platforms, and it has demonstrated the value of informal compliance actions and proactive engagement with industry towards improving privacy protection for global citizens.