'‘Privacy by Design’: Nice-to-Have or a Necessary Principle of Data Protection Law?' by David Krebs in (2013) 4(1)
Journal of Intellectual Property, Information Technology and Electronic Commerce Law comments
'Privacy by Design' is a term that was coined in 1997 by the Canadian
privacy expert and Commissioner for Ontario, Dr Ann Cavoukian, but one
that has recently been receiving more attention in terms of its
inclusion as a positive requirement into EU, US and Canadian data
protection frameworks. This paper argues that the right to personal
privacy is a fundamental right that deserves utmost protection by
society and law. Taking privacy into consideration at the design stage
of a system may today be an implicit requirement of Canadian federal and
EU legislation, but any such mention is not sufficiently concrete to
protect privacy rights with respect to contemporary technology.
Effective privacy legislation ought to include an explicit
privacy-by-design requirement, including mandating specific
technological requirements for those technologies that have the most
privacy-intrusive potential. This paper discusses three such
applications and how privacy considerations were applied at the design
stages. The recent proposal to amend the EU data protection framework
includes an explicit privacy-by-design requirement and presents a
viable benchmark that Canadian lawmakers would be well-advised to take
into consideration.
Krebs states
The threats to the individual right to privacy –
or what is sometimes referred to as the right to
‘informational self-determination’ or simply
the ‘right to be let alone’ – are currently being
widely discussed, debated and analysed. This is
particularly so where this right is impacted by
new technologies or the incremental move of
our daily activities online. New technologies that
impact the way in which information about people (‘PII’) is used,
collected, stored and disseminated are appearing
at a frequent and rapid pace. These may be ‘apps’,
facial recognition technologies, smart electricity
grids, Radio Frequency Technologies (RFID), cloud
computing, mass and surreptitious surveillance,
biometrics and private sector Internet marketing
initiatives. Currently, for the most part at least,
technology is being adjusted after the fact to patch
privacy-related issues as they arise or after they have
already had a negative impact.
To address these concerns and to move from a
reactive to a proactive approach, Dr Ann Cavoukian,
current Privacy Commissioner for Ontario, in 1997
had already developed the principles behind – and
coined the phrase – ‘privacy by design’ (PbD). PbD
recognizes that the deployment of technologies
designed to achieve a certain commercial or public
sector goal without having considered the privacy
implications at the design stage of the technology
being used or disclosed in ways that harm privacy
rights permanently. PbD embodies the merger of two objectives: the protection and control of PII and
privacy, and the advancement of the commercial
application of technologies in a sustainable but
competitive manner. The Protection of Information
and Electronics Documents Act (‘PIPEDA’) (as well
as the European Data Protection Directive) contains
provisions relating to the adequacy of protective
security measures and also, implicitly, privacy ‘by
design’ requirements. At present, however, PbD
is not an explicit part of the legislative scheme in
Canada, the European Union (EU) or the United
States of America (US), even though it is often cited
as a best practice and perhaps even as the ‘gold
standard’ in privacy protection.
Calls for an introduction of PbD into legislative
frameworks have been receiving more attention
recently, for example, within the proposal for an
EU privacy framework, in proposed legislation in
the US, as well as a resolution at the 32nd International
Conference of Data Protection and Privacy Commissioners
in Jerusalem. In Canada, there have been no such
concrete proposals, only the vocal views of the
Federal and Ontario Commissioners.
This paper argues that legislated PbD is the
necessary next step in privacy law to protect a
right that is fundamental to liberty, personal
integrity and democracy. For this reason, PbD
deserves explicit mention as a tenet of privacy and
data protection law. However, the view that laws based on PbD principles alone would be sufficient
in this regard is not tenable in a world of ubiquitous
computing and transformative technologies
in this regard is not tenable in a world of ubiquitous
computing and transformative technologies. A
broad, principled approach relies on organizations
adopting appropriate measures without providing
the guidance necessary to prevent actions
injurious to personal privacy such as data breaches,
unwanted tracking or uncontrolled collection of
ever-increasing amounts of PII. PbD needs to be
incorporated into the privacy law framework in
Canada (and elsewhere) as a general organizational
requirement and, in appropriate circumstances, mandate specific technological solutions, such as
‘privacy enhancing technologies’ (PETs), as well
as the corresponding ability for the regulator to
prevent a system or application from being initiated.
The first part of this paper will briefly describe the
legal right to privacy in order to set the stage for why
the design of systems that conform to this right is of
such primal importance to its ultimate protection.
The second part will turn to the current legislative
framework to canvass the extent to which current
provisions would satisfy the needs intended to be
addressed by PbD. In this section, I will include
examples from the EU framework because of its
relevance to Canadian privacy laws. Canadian policy
discussions often run in parallel and Canada and
Europe share many relevant socio-cultural aspects.
I will also be looking to the US, where there have been some significant developments in this regard.
The third part will look at pertinent examples of
systems to which PbD principles were applied, and
without which the resulting systems would likely
have been much more privacy-intrusive. The last
part of the analysis will focus on the views of data
protection authorities relating to incorporating
PbD into legislative frameworks, including a close
look at the legislative proposal from the Ontario
Commissioner, Dr Ann Cavoukian, which was
included as part of a very recent publication [in fact 2011] from her office. The final part of this article will make
some recommendations and suggested points for
future research in this regard.
'Privacy in the Post-NSA Era: Time for a Fundamental Revision?' by Bart van der Sloot in (2014) 5(1)
Journal of Intellectual Property, Information Technology and Electronic Commerce Law comments
Big Brother Watch and others have filed a complaint against the United Kingdom under the European Convention on Human Rights about a violation of Article 8, the right to privacy. It regards the NSA affair and UK-based surveillance activities operated by secret services. The question is whether it will be declared admissible and, if so, whether the European Court of Human Rights will find a violation. This article discusses three possible challenges for these types of complaints and analyses whether the current privacy paradigm is still adequate in view of the development known as Big Data.
Van der Sloot argues
The data collection by the NSA and other secret service organizations is part of a broader trend also known as Big Data, in which large amounts of personal data are being collected by means of cameras, telephone taps, GPS systems and Internet monitoring, stored in large databases and analysed by computer algorithms. These data are then aggregated, used to create group profiles and analysed on the basis of statistical relationships and mathematical patterns. Subsequently, the profiles are used to individualize persons that meet a certain pattern or group profile. This technique, called profiling, is used for a growing number of purposes, such as in the fight against terrorism, in which a person may be monitored or followed when he (in whole or in part) meets a certain profile (for example, male, Muslim, Arab origin and frequent trips to Yemen). Similarly, banks and insurance companies rely on risk profiles of customers to take certain decisions, and Internet companies like Google and Facebook use such profiles for advertising purposes. For example, if a person fits the profile “man, university degree, living in London”, he might get an advertisement for the latest Umberto Eco book or for an apartment in one of the richer suburbs.
In such processes, there is basically no demarcation in person, time and space, as simply everyone could be subjected to them. Data collection and processing do not start after a particular ground or reason has arisen, but the value and use of the information will only become apparent at a later stage. The gathered data are often meta-data – regarding the length of and participants to a telephone call, for example – but this often does not regard the content of the communication. Meta-data can be compared to the information visible on an envelope in the ordinary mail, such as the addressee, the size and the weight and possibly the sender. These data traditionally do not fall within the realm of privacy and the secrecy of communication. Still, through the use of modern techniques, these data can be used to generate increasingly detailed profiles. Thus although they are not privacy-sensitive data initially, they may become identifying data at a later stage. In addition, the collected data are not linked directly to one person, but they are used to generate general group profiles and statistical correlations. These profiles may be applied to an individual if he meets one or several of the elements contained in the group profile. Finally, in these processes, no reasonable suspicion is needed to individualize someone. Even a 1% chance that someone will buy an expensive luxury product or will engage in terrorist activities may provide sufficient grounds to do so. Consequently, the individual element and the interests of specific persons are moved to the background in such systems.
Although it is clear that European citizens cannot challenge the activities of the US National Security Agency (NSA) as unveiled by Edward Snowden, Big Brother Watch and others have filed a complaint against the United Kingdom for similar practices by its secret services under the European Convention on Human Rights (ECHR), specifically Article 8, which holds as follows:
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
In a reaction, the European Court for Human Rights has asked the parties to respond to three questions:
(1) Can the applicants claim to be victims of a violation of their rights under Article 8 ECHR?
(2) Have the applicants done all that is required of them to exhaust domestic remedies?
(3) If so, are the acts of the United Kingdom intelligence services in relation to the collection and processing of data in accordance with the law and necessary in a democratic society?
This article will try to answer questions (1) and (3) by assessing three general points. Does the complaint fall under the scope of Article 8 ECHR ratione personae, meaning have the applicants suffered from any personal damage? Does the complaint fall under the scope of Article 8 ECHR ratione materiae, meaning do the practices complained of constitute an infringement with the right to privacy? And if so, what would the likely outcome be in relation to whether the infringement was necessary in a democratic society; that is, how will the Court balance the right to privacy with the need for security? Not discussed are the questions related to the exhaustion of domestic remedies and to the matter of whether the governmental practices are “in accordance with the law”.
Although this complaint functions as the central theme, the findings will be extrapolated to the current development of Big Data. The general conclusion will be that, currently, the right to privacy is based on the individual and his interests in a threefold manner: (1) It provides the individual with a right to submit a complaint about a violation of his privacy. (2) It provides him with protection of his personal interests, related to human dignity and personal autonomy. (3) In concrete circumstances, a privacy infringement will be judged on its legitimacy by balancing the individual with the societal interest, for example related to security.
Subsequently, it will be argued that the new developments of Big Data, of which the NSA affair is a shining example, bring the following results: (1) it is increasingly difficult to demonstrate personal damage and to claim an individual right, (2) the value at stake in this type of process is a societal rather than an individual one and (3) the balance of different interests no longer provides an adequate test to determine the outcome of cases. Finally, some modest alterations of the current paradigm will be proposed.