Ira Rubinstein, Regulating Privacy by Design

Comment by: Marilyn Prosch & Ken Anderson

PLSC 2011

Workshop draft abstract:

Privacy officials in Europe and North America are embracing Privacy by Design (PbD) as never before. PbD is the idea that “building in” privacy throughout the design and development of products and services achieves better results than “bolting it on” as an afterthought. However enticing this idea may be, what does it mean? In the US, a very recent FTC Staff Report makes PbD one of three main components of a new privacy framework. According to the FTC, firms should adopt PbD by incorporating substantive protections into their development practices (such as data security, reasonable collection limitations, sound retention practices, and data accuracy) and implementing comprehensive data management procedures; the latter may also require a privacy impact assessment (PIA) where appropriate. In contrast, European privacy officials view PbD as also requiring the broad adoption of Privacy Enhancing Technologies (PETs), especially PETs that shield or reduce identification or minimize the collection of personal data. Despite the enthusiasm of privacy regulators, neither PbD nor PIAs nor PETs has yet achieved widespread acceptance in the marketplace.

There are many reasons for this, not the least of which is a lack of clarity over the meaning of these terms, how they relate to one another, or what rules apply when a firm undertakes the PbD approach. In addition, Internet firms derive much of their profit from the collection and use of PII and therefore PbD may disrupt profitable activities or new business ventures. Although the European Commission sponsored a study of the economic costs and benefits of PETs, and the UK is looking at how to improve the business case for investing in PbD, the available evidence does not support the view that PbD pays for itself (except for a small group of firms who must protect privacy to maintain highly valued brands and avoid reputational damage). In the meantime, the regulatory implications of PbD are murky at best, not only for firms that might adopt this approach but for free riders as well. Indeed, discussion of the economic or regulatory incentives for PbD is sorely lacking in the FTC report.

This Article seeks to clarify the meaning of PbD and thereby suggest how privacy officials might develop appropriate regulatory incentives that offset the certain economic costs and uncertain privacy benefits of this new approach. It begins by developing an analytic framework around two sets of distinctions. First, it classifies PETs as substitutes or complements depending on their interaction with data protection or privacy law. Substitute PETs aim for zero disclosure of PII, whereas complementary PETs enable greater user control over personal data through enhanced notice and choice. Second, it distinguishes two forms of PbD, one in which firms seek to build in privacy protections either by using PETs or by relying on engineering approaches and related tools that implement FIPPs throughout both the product development and the data management lifecycles. Building on these distinctions, and using targeted advertising as its primary illustration, it then suggests how regulators might achieve better success in promoting the use of PbD by 1) identifying best practices in privacy design and development, including prohibited practices, required practices, and recommended practices; and 2) situating best practices within an innovative regulatory framework that a) promotes experimentation with new technologies and engineering practices; b) encourages regulatory agreements through stakeholder representation, face-to-face negotiations, and consensus-based decision making; and c) supports flexible, incentive-driven safe harbor mechanisms as defined by (newly enacted) privacy legislation.

Larry Ponemon, How Global Organizations Approach the Challenge of Protecting Personal Data

Comment by: Ken Anderson

PLSC 2010

Workshop draft abstract:

Public and private sector organizations need to understand how cultural and regulatory issues in various countries affect their ability to achieve privacy and data security goals. Dr. Ponemon, chairman and founder of the Ponemon Institute, will discuss the challenges of creating a global privacy and data protection strategy for business concerns.

In this session, the speaker will share real-world experiences, successes, failures and lessons learned. An integral part of the discussion will be the findings of the “Global Data Privacy & Protection Survey” conducted by Accenture and the Ponemon Institute. This is the first truly “global” study that attempts to compare and contrast how individuals in different nations view or deal with privacy and data protection challenges.

The Survey asked more than 5,500 business and IT practitioners in 19 countries to respond to the following issues:

  • Consumer privacy rights vs. organizational control over citizens’ information
  • Organizations’ obligations to secure personal information
  • Government regulations for privacy and data protection
  • Organization vs. consumer ownership of personal information
  • Importance of safeguarding children’s personal information
  • Awareness about data breaches
  • Limitations on the collection and sharing of individuals’ sensitive information
  • Protection of citizens’ privacy rights
  • Protection of cross-border data transfers
  • Disclosure of privacy practices and obtaining citizens’ consent
  • Sharing consumers’ information with the government
  • Openness to identity management tools such as biometrics

What the research determined is that there is not one universal or shared global perspective about the protection of personal information, consumer privacy rights and the need for strict data security safeguards. Rather, perceptions about privacy and the safeguarding of personal information vary significantly by national or regional culture. The challenge for organizations is creating a strategy that addresses cultural and regulatory differences yet is effective in keeping sensitive data secure. The overall objective will be to provide guidance on how to implement a data security strategy that enhances rather than hinders the organization’s ability to operate globally.