Entries submitted

B1: Office of the Privacy Commissioner of Canada [shortlisted]
B2: Office of the Privacy Commissioner of Canada
B3: Office of the Privacy Commissioner, New Zealand [shortlisted]
B4: The Information Commissioner’s Office (ICO), UK
B5: CNIL, France [winner]
B6: Superintendence of Industry and Commerce, Colombia [shortlisted]


B1 – Entry by: Office of the Privacy Commissioner of Canada [shortlisted]

Description of the initiative:

The OPC provides specific compliance advice to businesses subject to the federal privacy law. Seeing higher engagement levels and very positive uptake by small and medium-sized enterprises (SMEs), and recognizing their guidance needs and resource constraints, our Business Advisory (BA) service developed a virtual engagement platform to make it easier for SMEs to seek regulatory advice on their significant programs and initiatives, and for the OPC to expand its advisory reach into this vital segment of the economy.

Why the initiative deserves to be recognised by an award?

There is a wealth of reasons recommending this initiative, most of which have been noted above.

For ease of reference they are reiterated hereunder:

  • Privacy Clinics enable businesses, particularly SMEs, to more easily and affordably (i.e. without incurring time, travel and accommodation costs, to name a few) engage with the OPC to get timely and specific regulatory advice to ensure that they remain compliant with the privacy law and are able to innovate and grow with confidence.
  • Privacy Clinics afford the OPC a flexible platform to economically (leverage technology to effectively engage and not incur typical program delivery costs) and effectively expand the reach of its business advisory services to help businesses, particularly SMEs, to better assess and address privacy risks early as they innovate, adopt new technologies and business practices.
  • Privacy Clinics enable the OPC to better leverage its time, expertise and other resources, and to achieve more privacy-positive outcomes across a broader spectrum of businesses across various sectors and in different geographical areas of the country.
  • Recognizing this initiative will encourage similar practical service delivery innovations that realize much better bang for the proverbial buck and realize privacy promotional outcomes at an exponentially multiplied scale while working with a limited capacity base.

View more information.


B2 – Entry by: Office of the Privacy Commissioner of Canada

Description of the initiative:

The Office of the Privacy Commissioner of Canada (OPC) published recommendations on a regulatory approach for artificial intelligence (AI) to ensure the protection of privacy rights in light of new and disruptive forms of processing.

Why the initiative deserves to be recognised by an award?

The OPC’s AI recommendations seek to fill a gap in how privacy rights are protected in light of the new risks and challenges presented by AI on traditional privacy principles.

They reflect careful analysis of the various viewpoints we observed throughout our multi-stakeholder public consultation, as well as our own research into this developing area, drawing on our involvement in the GPA’s AI working group. Our goal was to provide a realistic and workable framework, which both fosters responsible innovation and provides enhanced protection for individuals, and we believe we struck an appropriate balance to that end.

Since publication, our AI recommendations have formed part of our submissions to the Parliament of Canada and the Department of Justice on the privacy law reform initiatives currently underway in Canada, namely Bill C-11, the Consumer Privacy Protection Act. We also submitted our AI recommendations to the UN Office of the High Commissioner for Human Rights in response to their consultation on privacy in the digital age.

Our public consultation and final recommendations have ignited important discussions in Canada on how to regulate AI, both within and beyond the perimeters of privacy law. It has been raised in provinces across the country.

View more information.


B3 – Entry by: Office of the Privacy Commissioner, New Zealand [shortlisted]

Description of the initiative:

NotifyUs is an innovative online tool we built to:

  • Assist organisations to self-assess if a privacy breach has caused or is likely to cause serious harm to affected individuals, and therefore must be formally notified to us;
  • Enable organisations to securely report a privacy breach to us online with the information we require;
  • Allow us to easily analyse and report on common causes, systemic issues and trends, to inform our education and compliance initiatives.

Why the initiative deserves to be recognised by an award?

NotifyUs is an example of innovation in the use of technology to meet regulatory requirements. It has made it easier, especially for small and medium organisations, to understand and respond to their privacy breach obligations under our new Act. The self-assessment of whether their privacy breach is notifiable is both anonymous and very user-friendly and they can securely report a breach to us through a guided, step-by-step online process. NotifyUs has also made it administratively easier for us to implement and manage the new mandatory regime, and provided us with a richness of data that allows us to better target our resources for the maximum public good. This is exemplified in this infographic about the top issues and trends we have identified four months in.

The success of the tool is also exemplified in a recent instance where an organisation reported a privacy breach to us with immediate risk of serious harm, just as our offices were closing for a long holiday weekend. Someone had taken a video of a mental health patient being restrained by law enforcement officers under our Mental Health Act and had posted the video online. The NotifyUs tool automatically alerted us to the notification as soon as we received it due to the risk of serious harm being immediate; we were able to respond to the organisation immediately with the advice they needed; and the online post was taken down not long after. NotifyUs works for organisations and works for us 24/7.

View more information.


B4 – Entry by: The Information Commissioner’s Office (ICO), UK

Description of the initiative:

The ICO’s Regulatory Sandbox is a service which provides support for organisations who are creating products and services which utilise personal data in innovative and publicly beneficial ways.

Participants have the opportunity to engage with our Sandbox team, to draw upon our wider ICO expertise and advice on mitigating risks and embedding ‘data protection by design’.

The Sandbox provides a free, professional, fully functioning service for organisations, of varying sizes, across a number of sectors.

Why the initiative deserves to be recognised by an award?

ICO’s Sandbox was the world’s first data protection Sandbox which has worked effectively since its inception in collaboration with industry to help them create innovative products and services in the public interest in a way that is compliant with UK data protection legislation.

ICO’s Sandbox takes an innovative approach to governance and management of risk providing ‘regulatory comfort’ from enforcement to participants, clear and transparent Exit Reports from which wider learnings are distilled.

ICO worked transparently and collaboratively with industry to design the Sandbox, inviting them to provide feedback through consultations and workshops. We continue to seek feedback about the Sandbox and have consistently recorded satisfaction levels of 90% from participants. Our willingness to manage the risks that come with working in challenging areas has allowed us to deliver great public interest outcomes and demonstrated the value of upstream compliance work to industry.

Since inception the ICO sandbox has assisted with key public interest projects such as the successful Covid-19 vaccine trial registry, supporting young people’s mental health, combating violent crime, helping remove algorithmic bias, enhancing safety transport network, and the use of voice recognition in healthcare settings.

The Sandbox has gone on to help inspire the adoption of Sandboxes to support innovation elsewhere (e.g. France and Norway) and acted as a model of good practice, demonstrating how regulators can work flexibly and proactively while navigating complexity and innovation.

View more information.


B5 – Entry by: CNIL, France [shortlisted]

Description of the initiative:

CookieViz 2.0 is a stand-alone, open-source and license-free software developed in-house by the CNIL to raise general public awareness about unsolicited cookie tracking. It also offers publishers a tool to audit their sites and identify potential non-compliance with the GDPR and ePrivacy regulations. Finally, it has been used by CNIL to observe practices in France before the revision of its guideline and recommendation on trackers become enforceable.

Why the initiative deserves to be recognised by an award?

A decade ago, several browser extensions were developed to illustrate the extent of web tracking. From the very first release, CookieViz was designed to be browser independent and to run on the main computer operating systems.

Almost ten years later, CookieViz 2.0 is the last tool freely available to end-users to observe the extent of web tracking. Browser extensions like Lightbeam are no longer maintained and the available tools mostly allow users to identify trackers on each page they visit but do not provide a clear view of how much they are tracked on the web.

Moreover, this tool has been the cornerstone of the CNIL initiative to explore new practices and enables publishers to monitor the presence of third parties on their websites. By publicly releasing the results of the study and the tool used in open-source, it provides an efficient way to raise attention on the extent of cookie tracking and the practical impact on citizens.

The licence opens the way to contribute/derive new tools that could assist data controllers toward compliance.

View more information.


B6 – Entry by: Superintendence of Industry and Commerce, Colombia [shortlisted]

Description of the initiative:

The SANDBOX ON PRIVACY BY DESIGN AND BY DEFAULT IN ARTIFICIAL INTELLIGENCE PROJECTS is a preventive, supervised and temporary experimentation space, so that those interested in developing artificial intelligence (AI) projects, from the design stage of said initiatives create collaborative compliance solutions to personal data protection regulations.


Why the initiative deserves to be recognised by an award?

The Superintendence of Industry and Commerce has led since 2019 in areas such as data processing and artificial intelligence. The sandbox is another project to promote privacy by design in artificial intelligence projects that have massive impact.

Privacy by design and by default is not incorporated in Statutory Law 1581 of 2012. Therefore, the sandbox is a tool to verify in practice the importance of this principle being incorporated into our regulation.

Additionally, on the international scenario, the Superintendence of Industry and Commerce (SIC) has led and contributed to the drafting of documents on artificial intelligence, such as, for example, the one approved on June 21, 2019 by the Ibero-American Network for the Protection of Personal Data entitled “General recommendations for the Processing of Personal Data in Artificial Intelligence”. Finally, the SIC has also participated in the drafting and promotion of the following document, approved in October 2020 by the GPA (Global Privacy Assembly): “Adopted resolution on accountability in the development and use of artificial intelligence”.

View more information (in English).

View more information (in Spanish).