29 June 2014

Privacy By Design

'‘Privacy by Design’: Nice-to-Have or a Necessary Principle of Data Protection Law?' by David Krebs in (2013) 4(1) Journal of Intellectual Property, Information Technology and Electronic Commerce Law comments
'Privacy by Design' is a term that was coined in 1997 by the Canadian privacy expert and Commissioner for Ontario, Dr Ann Cavoukian, but one that has recently been receiving more attention in terms of its inclusion as a positive requirement into EU, US and Canadian data protection frameworks. This paper argues that the right to personal privacy is a fundamental right that deserves utmost protection by society and law. Taking privacy into consideration at the design stage of a system may today be an implicit requirement of Canadian federal and EU legislation, but any such mention is not sufficiently concrete to protect privacy rights with respect to contemporary technology. Effective privacy legislation ought to include an explicit privacy-by-design requirement, including mandating specific technological requirements for those technologies that have the most privacy-intrusive potential. This paper discusses three such applications and how privacy considerations were applied at the design stages. The recent proposal to amend the EU data protection framework includes an explicit privacy-by-design requirement and presents a viable benchmark that Canadian lawmakers would be well-advised to take into consideration.
Krebs states
The threats to the individual right to privacy – or what is sometimes referred to as the right to ‘informational self-determination’ or simply the ‘right to be let alone’ – are currently being widely discussed, debated and analysed. This is particularly so where this right is impacted by new technologies or the incremental move of our daily activities online. New technologies that impact the way in which information about people (‘PII’) is used, collected, stored and disseminated are appearing at a frequent and rapid pace. These may be ‘apps’, facial recognition technologies, smart electricity grids, Radio Frequency Technologies (RFID), cloud computing, mass and surreptitious surveillance, biometrics and private sector Internet marketing initiatives. Currently, for the most part at least, technology is being adjusted after the fact to patch privacy-related issues as they arise or after they have already had a negative impact.
To address these concerns and to move from a reactive to a proactive approach, Dr Ann Cavoukian, current Privacy Commissioner for Ontario, in 1997 had already developed the principles behind – and coined the phrase – ‘privacy by design’ (PbD). PbD recognizes that the deployment of technologies designed to achieve a certain commercial or public sector goal without having considered the privacy implications at the design stage of the technology being used or disclosed in ways that harm privacy rights permanently. PbD embodies the merger of two objectives: the protection and control of PII and privacy, and the advancement of the commercial application of technologies in a sustainable but competitive manner. The Protection of Information and Electronic Documents Act (‘PIPEDA’) (as well as the European Data Protection Directive) contains provisions relating to the adequacy of protective security measures and also, implicitly, privacy ‘by design’ requirements. At present, however, PbD is not an explicit part of the legislative scheme in Canada, the European Union (EU) or the United States of America (US), even though it is often cited as a best practice and perhaps even as the ‘gold standard’ in privacy protection.
Calls for an introduction of PbD into legislative frameworks have been receiving more attention recently, for example, within the proposal for an EU privacy framework, in proposed legislation in the US, as well as a resolution at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem. In Canada, there have been no such concrete proposals, only the vocal views of the Federal and Ontario Commissioners.
This paper argues that legislated PbD is the necessary next step in privacy law to protect a right that is fundamental to liberty, personal integrity and democracy. For this reason, PbD deserves explicit mention as a tenet of privacy and data protection law. However, the view that laws based on PbD principles alone would be sufficient in this regard is not tenable in a world of ubiquitous computing and transformative technologies. A broad, principled approach relies on organizations adopting appropriate measures without providing the guidance necessary to prevent actions injurious to personal privacy such as data breaches, unwanted tracking or uncontrolled collection of ever-increasing amounts of PII. PbD needs to be incorporated into the privacy law framework in Canada (and elsewhere) as a general organizational requirement and, in appropriate circumstances, mandate specific technological solutions, such as ‘privacy enhancing technologies’ (‘PETs’), as well as the corresponding ability for the regulator to prevent a system or application from being initiated.
The first part of this paper will briefly describe the legal right to privacy in order to set the stage for why the design of systems that conform to this right is of such primal importance to its ultimate protection. The second part will turn to the current legislative framework to canvass the extent to which current provisions would satisfy the needs intended to be addressed by PbD. In this section, I will include examples from the EU framework because of its relevance to Canadian privacy laws. Canadian policy discussions often run in parallel and Canada and Europe share many relevant socio-cultural aspects. I will also be looking to the US, where there have been some significant developments in this regard. The third part will look at pertinent examples of systems to which PbD principles were applied, and without which the resulting systems would likely have been much more privacy-intrusive. The last part of the analysis will focus on the views of data protection authorities relating to incorporating PbD into legislative frameworks, including a close look at the legislative proposal from the Ontario Commissioner, Dr Ann Cavoukian, which was included as part of a very recent publication [in fact 2011] from her office. The final part of this article will make some recommendations and suggested points for future research in this regard.
'Privacy in the Post-NSA Era: Time for a Fundamental Revision?' by Bart van der Sloot in (2014) 5(1) Journal of Intellectual Property, Information Technology and Electronic Commerce Law comments 
Big Brother Watch and others have filed a complaint against the United Kingdom under the European Convention on Human Rights about a violation of Article 8, the right to privacy. It regards the NSA affair and UK-based surveillance activities operated by secret services. The question is whether it will be declared admissible and, if so, whether the European Court of Human Rights will find a violation. This article discusses three possible challenges for these types of complaints and analyses whether the current privacy paradigm is still adequate in view of the development known as Big Data.
Van der Sloot argues
The data collection by the NSA and other secret service organizations is part of a broader trend also known as Big Data, in which large amounts of personal data are being collected by means of cameras, telephone taps, GPS systems and Internet monitoring, stored in large databases and analysed by computer algorithms. These data are then aggregated, used to create group profiles and analysed on the basis of statistical relationships and mathematical patterns. Subsequently, the profiles are used to individualize persons that meet a certain pattern or group profile. This technique, called profiling, is used for a growing number of purposes, such as in the fight against terrorism, in which a person may be monitored or followed when he (in whole or in part) meets a certain profile (for example, male, Muslim, Arab origin and frequent trips to Yemen). Similarly, banks and insurance companies rely on risk profiles of customers to take certain decisions, and Internet companies like Google and Facebook use such profiles for advertising purposes. For example, if a person fits the profile “man, university degree, living in London”, he might get an advertisement for the latest Umberto Eco book or for an apartment in one of the richer suburbs.
In such processes, there is basically no demarcation in person, time and space, as simply everyone could be subjected to them. Data collection and processing do not start after a particular ground or reason has arisen, but the value and use of the information will only become apparent at a later stage. The gathered data are often meta-data – regarding the length of and participants to a telephone call, for example – but this often does not regard the content of the communication. Meta-data can be compared to the information visible on an envelope in the ordinary mail, such as the addressee, the size and the weight and possibly the sender. These data traditionally do not fall within the realm of privacy and the secrecy of communication. Still, through the use of modern techniques, these data can be used to generate increasingly detailed profiles. Thus although they are not privacy-sensitive data initially, they may become identifying data at a later stage. In addition, the collected data are not linked directly to one person, but they are used to generate general group profiles and statistical correlations. These profiles may be applied to an individual if he meets one or several of the elements contained in the group profile. Finally, in these processes, no reasonable suspicion is needed to individualize someone. Even a 1% chance that someone will buy an expensive luxury product or will engage in terrorist activities may provide sufficient grounds to do so. Consequently, the individual element and the interests of specific persons are moved to the background in such systems.
Although it is clear that European citizens cannot challenge the activities of the US National Security Agency (NSA) as unveiled by Edward Snowden, Big Brother Watch and others have filed a complaint against the United Kingdom for similar practices by its secret services under the European Convention on Human Rights (ECHR), specifically Article 8, which holds as follows:
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
In a reaction, the European Court of Human Rights has asked the parties to respond to three questions:
(1) Can the applicants claim to be victims of a violation of their rights under Article 8 ECHR?
(2) Have the applicants done all that is required of them to exhaust domestic remedies?
(3) If so, are the acts of the United Kingdom intelligence services in relation to the collection and processing of data in accordance with the law and necessary in a democratic society?
This article will try to answer questions (1) and (3) by assessing three general points. Does the complaint fall under the scope of Article 8 ECHR ratione personae, meaning have the applicants suffered from any personal damage? Does the complaint fall under the scope of Article 8 ECHR ratione materiae, meaning do the practices complained of constitute an infringement of the right to privacy? And if so, what would the likely outcome be in relation to whether the infringement was necessary in a democratic society; that is, how will the Court balance the right to privacy with the need for security? Not discussed are the questions related to the exhaustion of domestic remedies and to the matter of whether the governmental practices are “in accordance with the law”.
Although this complaint functions as the central theme, the findings will be extrapolated to the current development of Big Data. The general conclusion will be that, currently, the right to privacy is based on the individual and his interests in a threefold manner: (1) It provides the individual with a right to submit a complaint about a violation of his privacy. (2) It provides him with protection of his personal interests, related to human dignity and personal autonomy. (3) In concrete circumstances, a privacy infringement will be judged on its legitimacy by balancing the individual with the societal interest, for example related to security.
Subsequently, it will be argued that the new developments of Big Data, of which the NSA affair is a shining example, bring the following results: (1) it is increasingly difficult to demonstrate personal damage and to claim an individual right, (2) the value at stake in this type of process is a societal rather than an individual one and (3) the balance of different interests no longer provides an adequate test to determine the outcome of cases. Finally, some modest alterations of the current paradigm will be proposed.