Entries submitted

D1: Office of the Privacy Commissioner of Canada (on behalf of the Privacy/Data protection authorities listed below) [shortlisted]
D2: Office of the Privacy Commissioner of Canada (on behalf of the Privacy/Data protection authorities listed below) [shortlisted]
D3: Office of the Privacy Commissioner, New Zealand
D4: Information Commissioner’s Office, ICO, UK
D5: Superintendence of Industry and Commerce, Colombia

D1 – Entry by: Office of the Privacy Commissioner of Canada (on behalf of the Privacy/Data protection authorities listed below) [shortlisted]

Description of the initiative:

Submission on the Video teleconferencing (VTC) Global Compliance Initiative.

By:

  • The U.K. Information Commissioner’s Office
  • The Office of the Australian Information Commissioner
  • The Gibraltar Regulatory Authority
  • The Office of the Privacy Commissioner for Personal Data, Hong Kong, China
  • The Federal Data Protection and Information Commissioner of Switzerland
  • The Office of the Privacy Commissioner of Canada

This submission relates to a cooperative compliance initiative on global privacy expectations of Video Teleconferencing companies (VTC).

Why the initiative deserves to be recognised by an award?

Efficient

Participant authorities demonstrated agility and efficiency in addressing an important and emerging privacy issue in the context of the pandemic. They reached consensus on the implemented compliance approach during a one-hour safe space meeting!

The non-formal compliance approach allowed us to gather substantial intelligence on the VTC industry without duplicative, resource-intensive investigations. Extremely high returns on collaborative enforcement investment.

Collaborative

We leveraged cooperation to:

  • achieve high-level engagement from four key global players;
  • benefit from the expertise of six authorities in developing communications, questions and analysis;
  • carry out scalable enforcement action allowing regulators of various sizes and resource limitations to benefit from a global coordinated action for promoting an industry-wide compliance effect;
  • allocate tasks (e.g., dividing interviews with VTCs according to time zones) to minimize the load on each authority; and
  • amplify compliance messaging through unified communications.

Impactful

We generated powerful communications to share compliance expectations vis-à-vis VTC platforms (open letter), and then identify best practices (in upcoming release) to encourage broad-based compliance and improve industry-wide privacy protection on a global scale. Given the growing number of digital services that operate across the world, this initiative will have a significant impact on the protection of VTC consumers’ privacy worldwide.


D2 – Entry by: Office of the Privacy Commissioner of Canada (on behalf of the Privacy/Data protection authorities listed below) [shortlisted]

Description of the initiative:

This past year, the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner for British Columbia, and la Commission d’accès à l’information du Quebec (The Canadian Authorities) worked in concert to address the global privacy concern of Facial Recognition Technology (FRT) using a variety of compliance tools. Specifically, they carried out a series of enforcement actions in both commercial and law enforcement contexts of FRT, examining both purveyors and users. We amplified the impact of this enforcement through the concurrent release of joint draft guidance for consultation – on the use of facial recognition technology by police forces.

Why the initiative deserves to be recognised by an award?

This is an example of regulators working together strategically in enforcement to address an important emerging global privacy risk from multiple angles – promoting broad-based compliance. It represents an expedient, effective, and resource efficient approach that produced holistically superior results for the privacy protection of individuals. Of specific note:

  • the coordinated investigations of commercial use of FRT achieved complementary positive results without duplication of effort.
  • the Canadian Authorities combined resources (as well as different enforcement powers) to complete a joint investigation of Clearview – issuing meaningful findings and securing Clearview’s exit from Canada in less than a year.
  • the Authorities strategically issued enforcement decisions relating to both the purveyor-side (Clearview) and user-side (national police, mall operators) – ensuring awareness of obligations across the board.
  • the collaborative enforcement actions amplified our messaging with: nation-wide and international coverage, engagement of our federal Parliament, and media coverage reaching an estimated 33 million people globally.

These enforcement actions provided invaluable support as our Offices advocate for stronger privacy laws – bringing emphasis and attention to concurrently released joint draft guidance for consultation on police use of FRT – highlighted with the enforcement actions in a special report to Canada’s federal parliament.

Finally, these investigations are helping inform the work of other international authorities and networks, as we are sharing lessons learned with the GPA’s FRT working group, GPEN, APPA and the IEWG.


D3 – Entry by: Office of the Privacy Commissioner, New Zealand

Description of the initiative:

NotifyUs is an innovative online tool we built to:

  • Assist organisations to self-assess if a privacy breach has caused or is likely to cause serious harm to affected individuals, and therefore must be formally notified to us;
  • Enable organisations to securely report a privacy breach to us online with the information we require;
  • Allow us to easily analyse and report on common causes, systemic issues and trends, to inform our education and compliance initiatives.

Why the initiative deserves to be recognised by an award?

NotifyUs is an example of innovation in the use of technology to meet regulatory requirements. It has made it easier, especially for small and medium organisations, to understand and respond to their privacy breach obligations under our new Act. The self-assessment of whether their privacy breach is notifiable is both anonymous and very user-friendly and they can securely report a breach to us through a guided, step-by-step online process. NotifyUs has also made it administratively easier for us to implement and manage the new mandatory regime, and provided us with a richness of data that allows us to better target our resources for the maximum public good. This is exemplified in this infographic about the top issues and trends we have identified four months in.

The success of the tool is also exemplified in a recent instance where an organisation reported a privacy breach to us with immediate risk of serious harm, just as our offices were closing for a long holiday weekend. Someone had taken a video of a mental health patient being restrained by law enforcement officers under our Mental Health Act and had posted the video online. The NotifyUs tool automatically alerted us to the notification as soon as we received it due to the risk of serious harm being immediate; we were able to respond to the organisation immediately with the advice they needed; and the online post was taken down not long after. NotifyUs works for organisations and works for us 24/7.


D4 – Entry by: Information Commissioner’s Office, ICO, UK

Description of the initiative:

Operation Tycho commenced due to the potential of direct marketing aimed at exploiting the pandemic of Covid-19 affecting the UK. The ICO witnessed an increase in scams pertaining to various products relating to the pandemic and sought to identify organisations sending direct marketing material to advertise their products/services in a bid to exploit the pandemic situation which were not consented to or were in direct contravention of the Privacy and Electronic Communication Regulations (PECR).

Why the initiative deserves to be recognised by an award?

  • The team worked hard to ensure that cases were concluded quickly and a fast turnaround of enforcement action in exceptional circumstances.
  • The results of which led to disruption to those acting in breach of the law and acted as a deterrent for other organisations thinking of adopting similar methods.
  • The operation demonstrates an up-to-date and relevant regulator in tune with the public’s concerns.


D5 – Entry by: Superintendence of Industry and Commerce, Colombia

Description of the initiative:

SICFACILITA is a virtual tool where the Superintendence of Industry and Commerce (hereinafter SIC) acts as a facilitator so that Data subjects and Controllers reach agreements on claims the first one has. Controllers and Data subjects will meet through a chat directed by the SIC, with the aim of solving problems derived from the Processing of their Personal Data, seeking to achieve a quick and effective solution without the need to go to court.

Why the initiative deserves to be recognised by an award?

SICFACILITA has worked very well in practice. It has proven to be useful for the citizen (Data subject) since it has served to positively solve 80.79% of citizen requests. In other words, SICFACILITA served to resolve 4,785 citizen requests regarding violations of their rights as Data subjects of personal data.

Additionally, the response time to solve the case is 20 days on average. This is a much shorter time than the average (7 months) to resolve the case when an administrative process is initiated before the data protection authority (DPA).

In conclusion, SICFACILITA has been a fast (20 days) and effective (80.79%) conflict resolution mechanism to demand respect for the rights of the holders of personal data.
