Privacy by Design by Regulation: The Case Study of Ontario
This article presents the findings of a case study examining the role of the regulator in facilitating Privacy by Design (“PbD”) solutions. With the introduction of PbD into the new European Union General Data Protection Regulation, it is important to understand the conditions under which PbD can succeed and the role which regulators can play (if at all) in promoting such success. Two initiatives with similar technology are examined: first, a PbD success, the introduction of facial recognition technology into existing cameras in casinos in Ontario, and second, a PbD failure, the expanded deployment of cameras within the public transit system of Toronto. The findings are organized into three overarching themes: PbD-focused findings, leadership and organizational findings, and regulator-focused findings. The article argues that privacy continues to persist as an engineering problem despite PbD, that (related to that) there is growing recognition of privacy as an issue of organizational change and leadership, and consequently, that the role of the regulator must evolve if PbD is to become a meaningful regulatory tool, an evolution that carries with it both risks and opportunities for privacy.