Privacy by Design by Regulation: The Case Study of Ontario
A study of two cases in which Ontario organizations, the Toronto Transit Commission (TTC) and the Ontario Lottery and Gaming Commission (OLG), attempted, with the support of the Information and Privacy Commissioner at the time, Ann Cavoukian, to design privacy into their use of closed circuit surveillance cameras (CCTV). The study examines the role of the regulator in facilitating Privacy by Design (“PbD”) solutions. With the introduction of PbD into the European Union General Data Protection Regulation (GDPR), it is important to understand the conditions under which PbD can succeed and the role which regulators can play (if at all) in promoting such success. The findings are organized into three overarching themes: PbD-focused findings, leadership and organizational findings, and regulator-focused findings. The article argues that privacy continues to persist as an engineering problem despite PbD, that (related to that) there is growing recognition of privacy as an issue of organizational change and leadership, and consequently, that the role of the regulator must evolve if PbD is to become a meaningful regulatory tool, an evolution that carries with it both risks and opportunities for privacy.