CANADA—Federal commissioner releases findings

Preliminary Finding In October 2010, the federal privacy commissioner of Canada published a Preliminary Letter of Findings after the Office of the Privacy Commissioner (OPC) conducted an investigation into Google’s collection of payload data from unencrypted WiFi using its Street View cars. The Letter of Findings included a number of recommendations and a requirement that Google respond to the OPC concerning the implementation of those recommendations on or before February 1, 2011. Finding On June 6, 2011, the OPC issued PIPEDA Case Summary #2011-001, which details the OPC’s latest findings and recommendations. In the OPC’s press release accompanying this case summary, the commissioner noted that “Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues.” The OPC also said it would continue to monitor how its recommendations would be implemented by Google and it would follow up with Google in 2012 to determine if the recommendations had been fully implemented. The report details some very specific processes and procedures that Google will take, particularly those relating to the management of privacy issues in the design of new applications and engineering projects, namely:

• implementing a system for tracking all projects that collect, use or store personal information and for holding the engineers and managers responsible for those projects accountable for privacy;
• requiring engineering project leaders to draft, maintain, submit and update Privacy Design Documents for all projects in order to help ensure engineering and product teams assess the privacy impact of their products and services from inception through launch;
• assigning an internal audit team to conduct periodic audits to verify the completion of selected Privacy Design Documents and their review by the appropriate managers, and
• piloting a review process whereby members of Google’s Privacy Engineering, Product Counsel and Privacy Counsel teams review proposals involving location-based data as well as the software programs that are to be used for the collection of data.

While these initiatives are specific to Google’s development process, the underlying controls are applicable to any organization as it undertakes the development of new systems or business processes. The need to build privacy into the design of such new programs is gaining global momentum, due in large part to the work done by Ontario Information and Privacy Commissioner Ann Cavoukian, who developed Privacy by Design in the early 1990s. The movement was the subject of a resolution at the International Conference of Data Protection and Privacy Commissioners held in October 2010 in Jerusalem. Third-Party Audit One significantly new development in this finding is the OPC’s request for Google to undertake an independent, third-party audit of its privacy programs within one year and provide the results of this audit to the commissioner’s office. This independent audit request reflects the current global trend toward organizational accountability for privacy programs. Both the U.S. Federal Trade Commission’s December 2010 privacy report and the U.S. Department of Commerce’s Green Paper call for organizations to be transparent about their privacy practices and note that organizations should audit their compliance with their privacy policies and all applicable privacy protection requirements. The trend toward accountability is also evident in Europe, where there have been ongoing deliberations about updating the European Privacy Directive. Organizations would do well to note these developing trends and consider either internal self-assessment—or attestations—or independent, third-party auditing as a core element of their privacy management programs.