Language selection



International privacy regulators endorse resolutions on cybersecurity and facial recognition

October 28, 2022

Senior officials from the Office of the Privacy Commissioner of Canada (OPC) joined regulators and other stakeholders from around the world this week to discuss the impact of technology on privacy during the 44th Global Privacy Assembly (GPA) in Istanbul, Türkiye.

The theme of the public portion of the four-day event was A matter of balance – Privacy in the era of rapid technological advancement. Participants discussed privacy matters of international interest and concern such as facial recognition technology, artificial intelligence, big data, mass surveillance on the web, blockchain and the metaverse and cross-border data transfers.

“The privacy concerns raised by new and emerging technologies are not exclusive to Canada. Privacy regulators around the world are grappling with the same issues,” Commissioner Philippe Dufresne said.

“In an age in which data flows transcend borders, cross-jurisdictional and cross-regulatory collaboration has never been more important. By working together, we can streamline our investigative processes, promote greater harmony in the application of laws, expand our capacity to take enforcement action and amplify the compliance impact of those actions.

“The Global Privacy Assembly is a tremendous forum for cultivating these critical connections which are vital to ensuring that the personal information and privacy rights of Canadians are protected no matter where they or their data may travel.”

Resolutions adopted by the GPA

During the conference, the OPC and more than 120 data protection authorities from across Canada, Europe and beyond adopted a resolution on the appropriate use of personal information in facial recognition technology. In it, authorities outlined six principles and expectations for organizations seeking to use the technology. They include:

  • Lawful basis: Organizations using facial recognition should have a clear lawful basis for the collection and use of biometrics;
  • Reasonableness, necessity and proportionality: Organizations should establish, and be able to demonstrate, the reasonableness, necessity, and proportionality of their use of facial recognition technology;
  • Protection of human rights: Organizations should in particular assess and protect against unlawful or arbitrary interference with privacy and other human rights;
  • Transparency: The use of facial recognition should be transparent to affected individuals and groups;
  • Accountability: The use of facial recognition should include clear and effective accountability mechanisms; and
  • Data protection principles: The use of facial recognition should respect all data protection principles, including those referenced above.

Authorities committed to working together to promote the principles to external stakeholder groups, to assess the real-world application of the principles by developers and users and to report back on their progress.

In a second resolution adopted by GPA members, including the OPC, a commitment was made to build capacity to improve cybersecurity regulation and to improve their collective understanding of the harms that may result from a cyber incident.

Data protection authorities resolved to explore possibilities for international cooperation, knowledge, and information sharing, including technical expertise and best practices, amongst members to avoid duplication in investigations or other regulatory activities regarding cybersecurity issues and regulatory approaches as they relate to data protection and privacy.

GPA awards

During the Global Privacy Assembly, the OPC also won an award for innovation for a tool the office developed to offer organizations an automated solution to assess if a privacy breach presents a real risk of significant harm (RROSH) to affected individuals.

“Many breaches go unreported because organizations are not sure whether they meet the legal reporting threshold. This tool will help them determine the severity of the breach with greater accuracy,” Commissioner Dufresne said.

“I have been struck by the innovative spirit espoused at the OPC and the RROSH tool is a fine example of that. I look forward to watching the ongoing evolution of the tool.”

Under Canada’s federal private sector privacy law, organizations are required to report breaches of security safeguards to the regulator and to notify affected individuals if it is reasonable in the circumstances to believe that the breach has created a real risk of significant harm for those affected. Criteria to consider include the sensitivity of the personal information involved in the breach and the probability that the information has been, is being, or will be misused.

Date modified: