Entries submitted
C1- Entry by: Information Commissioner’s Office (UK)
Description of the initiative:
The artificial intelligence (AI) and Data Protection Risk Toolkit helps organisations identify the risks to individual rights and freedoms where personal data is used, which can be caused by AI systems, and provides practical steps to help sufficiently mitigate them.
Why the initiative deserves to be recognised by an award?
We believe the toolkit deserves to be recognised by an award for several reasons:
- It is robust. We have rigorously tested the toolkit via publishing alpha and beta versions for consultation, engaging with experts from multiple fields, including data scientists, security and compliance professionals, and testing the toolkit on live AI projects.
- It is pioneering. This is the first toolkit produced by a data protection regulator that focuses on risks to individual rights and freedoms caused by AI systems.
- It promotes responsible innovation. We recognise the power of AI and the potential benefits it can deliver for individuals and society, but we also understand the risks it can cause. This toolkit helps organisations to identify the greatest risks as well as ways to sufficiently mitigate them. By following the toolkit, organisations can realise the benefits of AI whilst minimising the risks for individuals.
C2 – Entry by: Information Commissioner’s Office – UK
Description of the initiative:
The Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) published the joint statement in May 2021, setting out their shared views on the relationship between competition and data protection in the digital economy. The statement from the UK regulators for competition and data protection – the first of its kind globally – highlights the strong overlap between promoting and protecting competition in digital markets and safeguarding people’s data.
Why the initiative deserves to be recognised by an award?
Different regulatory domains are often presented in opposition or conflict with each other. Such an approach is not only inaccurate but it can create obstacles for meaningful enforcement of data protection and privacy law.
With their joint statement the ICO and CMA affirmed that rather than competition and data protection being in opposition, they are complementary agendas. The regulators committed to working together to find regulatory solutions that achieve both good competition and data protection outcomes.
Following the joint statement the two UK regulators continued to cooperate on projects that put the statement into practice. This was the case with the CMA’s investigation into Google’s Privacy Sandbox that led to Google offering formal commitments in terms of GPS’s development to the CMA and the ICO’s Opinion on data protection and privacy expectations for online advertising proposals.
C3- Entry by: Office of the Privacy Commissioner of Canada
Description of the initiative:
In May 2022, the heads of Canada’s privacy protection authorities released joint guidance for police use of facial recognition technology. The guidance is based on the application of internationally recognized privacy principles, and is intended to help police agencies ensure any use of the technology complies with the law, minimizes risks, and respects privacy rights. It was developed collaboratively across national and sub-national privacy authorities in Canada, in consultation with key stakeholder groups.
Why the initiative deserves to be recognised by an award?
The guidance outlines key measures to help police ensure accountability for any use of FRT. This includes not only organizational mechanisms internal to police agencies (e.g. compliance audits), but also measures to facilitate accountability to the public (e.g. publication of key program documentation) and ensuring accountability among third parties, especially FRT vendors.
Further, the guidance clarifies and explains how key legal obligations and privacy principles apply to police use of FRT, and recommends specific measures to help police comply with these in practice. This also provides stakeholders and oversight bodies with common benchmarks that can be used to hold police agencies accountable for their use of the technology.
These contributions come at a crucial time in the evolution of FRT as a policing technology. While deployment is ongoing, and risks to privacy and other rights can be extremely high, appropriate measures for mitigating risks and ensuring legal compliance are not always apparent on the surface. The guidance is thus particularly commendable for its work in advancing a clear and comprehensive set of expectations, informed by a wide range of stakeholder views and consistent across national and sub-national jurisdictions, for responsible use of this technology.
C4- Entry by: Irish Data Protection Commission
Description of the initiative:
The Data Protection Commission has been actively monitoring and enforcing Article 37 of the GDPR. This project resulted in compliance in the public sector with Article 37 moving from 69% to 100%. One public body was issued a Reprimand following an Inquiry.
The project has resulted in a rise in compliance in the private health space from 42% to 100% and more than 170 additional organisations becoming compliant with Article 37 of the GDPR.
Why the initiative deserves to be recognised by an award?
This initiative was a monitoring and enforcement exercise across the public sector in Ireland that resulted in 100% compliance with Article 37 of the GDPR.
The Inquiry that was initiated in February 2022 and completed in May 2022 demonstrated that the Data Protection Commission will hold data controllers, including public bodies, to account where non-compliance with GDPR is evident.
The Initiative also resulted in a significant increase in DPO numbers across the private sector. The designation of additional Data Protection Officers can only enhance compliance with data protection law, to the ultimate benefit of data subjects.
C5- Entry by: The Office of the Privacy Commissioner for Bermuda (PrivCom)
Description of the initiative:
Bermuda is at the crossroads of the Atlantic, physically, culturally, and economically.
In the privacy context, two polar ideologies are often presented as in conflict: the protection of individual rights versus business success. Due to the unique characteristics of the island, the Office of the Privacy Commissioner (PrivCom) created a regulatory philosophy using the theme of Mid-Atlantic Privacy to help organisations navigate towards developing privacy practices to protect rights and support business innovation while protecting privacy.
Why the initiative deserves to be recognised by an award?
As a small island, crossroads country, Bermuda’s public policies have historically been influenced by, or discussed in relation to, larger jurisdictions. Bermuda is developing its first precedent for privacy and data protection, so outlining the broad concepts of responsibility, duties, and mutually beneficial goals are critical first steps.
The Mid-Atlantic Privacy Compass is an opportunity to set the narrative for a modern regulatory structure that involves constructive community co-operation and protection of rights in a meaningful way. A clean slate provides an opportunity to describe these issues in novel ways.
It was critical to find language that spoke to the community. Here, we punctuated our stories with local references and culture and drew from common knowledge in the neighbouring regions of North America, Europe, the Caribbean, and Africa.
By embracing our fusion culture, identifying universal privacy best practices, and supporting organisations with navigating the tides of privacy, PrivCom’s Compass empowers both innovation and the protection of individual rights.
We humbly submit that the creativity and forward thinking applied to design the Mid-Atlantic Privacy Compass should be recognised to empower similar jurisdictions with unique cultural and privacy challenges, as well as jurisdictions seeking to create new rules and regimes.