International: Privacy by Design and its current role in promoting trust in technology
The turn of the century has brought with it innovation that relies on technology and the collection and processing of data, including personal information, like we have never seen before. The rise in new technology, in particular artificial intelligence ('AI') and machine learning, and new uses for these technologies has impacted the ways in which public and private sector entities interact with individuals' personal information. Accordingly, a major challenge in data protection has been how to balance the right to privacy with innovation [1]. Arguably, without such balance, trust in technology cannot be established or maintained. The concept of 'Privacy by Design' ('PbD') attempts to harmonise the right to privacy with the increasing commercial desire for innovation [2]. It provides a potential tool for governments and organisations who wish to establish trust in technology and innovation.
David Krebs and Amanda Cutinha, from Miller Thomson LLP, explain the concept of PbD as theorised by Dr. Ann Cavoukian, the uptake of PbD concepts in privacy legislation on a global scale, and the utility of PbD principles for organisations and law makers moving forward.
Digital innovation and the need for proactive privacy protection
Digital technology has and is continuing to transform the ways in which we interact with ourselves, each other, and the world at large. However, the benefits of digital technology need to be balanced with the rights of individuals to privacy.
This balancing effort was seen most recently in the adoption of new technology amid the COVID-19 pandemic. Former Privacy Commissioner of Canada, Daniel Therrien, noted that the pandemic had 'accelerated the digital revolution', bringing new technology that fuelled social good but that carried with it risks for the privacy rights of individuals [3].
The clearest articulation of the balancing of risks against rewards during the pandemic involved the adoption of contact tracing and exposure notification applications that had the potential to quell the transmission of COVID-19, but raised alarm bells for privacy scholars given the ramifications of tracking and tracing the movements of individuals. Moreover, the poor uptake of these applications by the public indicated a lack of trust in both governments and the organisations that created these applications.
A recent example of the consequences emanating from a breach of trust by an organisation can be found in the report of the Office of the Privacy Commissioner of Canada ('OPC') into a home improvement retailer's practices surrounding the non-consensual disclosure of customers' personal information. Specifically, the retailer was found to be sharing customer details from e-receipts, such as email addresses and in-store purchase information, with a social media platform. The OPC commented on this violation, noting that 'it is unlikely that […] customers would have expected that their personal information would be shared with a third party social media platform simply because they opted for an electronic receipt' [4].
In order to foster trust, adequate privacy protection needs to be top of mind for both governments tasked with protecting individual privacy rights and organisations generating new technology. PbD attempts to deal with this very issue.
What is PbD?
PbD is a 1997 concept coined by former Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian [5], and is considered a 'gold standard', proactive approach to privacy protection that advocates for privacy to be embedded in new technologies as opposed to superimposed as an afterthought [6].
PbD, as described by Dr. Cavoukian, can be accomplished by practising seven foundational principles [7]:
- Proactive not Reactive; Preventative not Remedial: PbD seeks to anticipate privacy risks in the development of new technology and ameliorate them before they materialise.
- Privacy as the Default Setting: PbD requires no action on the part of individuals to receive the utmost privacy protection.
- Privacy Embedded into Design: PbD requires technology to be designed with privacy in mind. Privacy protection should be integral rather than added-on.
- Full Functionality – Positive Sum, not Zero-Sum: The maintenance of individual privacy rights shouldn't come at a cost to the functionality of new technology.
- End-to-End Security – Full Lifecycle Protection: Privacy should also be incorporated into every aspect of the lifecycle of said technology.
- Visibility and Transparency: Users should understand the ways in which their privacy is protected and be able to independently verify that assurances made about the protection of privacy hold true.
- Respect for User Privacy: The user should be able to navigate the technology to meet their individual needs and interests.
There is no hierarchy among these principles. Instead, they form the PbD objective in system design: ensuring privacy, gaining control over one's information, and, for organisations, gaining a sustainable competitive advantage.
In addition, PbD is an organisation-wide responsibility; to be effective, it requires individuals across different parts of the organisation to devise privacy-protective technology and establish trust with end-users.
Tensions about PbD
Despite the big promise of proactive privacy protection, PbD is not immune to critique.
In particular, what PbD means from a technical standpoint remains vague, and there is no uniform or universally agreed methodology that supports the systematic engineering of privacy into systems.
Some might argue that for PbD to be successfully incorporated into the privacy law framework in Canada and elsewhere, there needs to be not just recognition of the general organisational requirement, but the imposition of mandated specific technological solutions such as privacy enhancing technologies ('PETs'). PETs can play an important role in PbD as they allow for good design objectives for any system or technology, but they should not be 'bolted-on' to systems or technologies that are privacy-invasive. A current example of where technology can be a tool in privacy protection is AI-generated synthetic data, which would be an alternative to actual personal information in applications that rely on information that is individualised, not aggregated (health research, for example).
The uptake of PbD in privacy protection legislation
Though originating in Ontario, PbD has expanded globally and made its way into privacy protection around the world.
In October 2010, the International Assembly of Privacy Commissioners and Data Protection Authorities unanimously passed a resolution recognising PbD as an international privacy protection standard and an essential component of fundamental privacy protection [8]. This was followed by the U.S. Federal Trade Commission's recognition of PbD in 2012 as one of its three recommended practices for protecting online privacy in its report entitled Protecting Consumer Privacy in an Era of Rapid Change [9].
A major development in PbD is its use in data protection legislation. Notably, PbD is an explicit legal obligation under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Article 25 requires organisations to implement technical and organisational measures that put the data protection principles into effect and integrate the necessary safeguards to protect the rights of EU citizens and fulfil the GDPR requirements [10]. It places the onus of implementing PbD on controllers of data; however, other actors, such as processors and producers of products, services, and applications, who are not directly addressed in Article 25, may need to consult the GDPR guidelines to create compliant products and services that enable controllers to fulfil their data protection obligations [11]. Article 30 documentation requirements concerning Privacy by Default must also be met [12]. Despite the incorporation of PbD into the GDPR, however, there remains a lack of explicit requirements surrounding the technical standards that need to be met to ensure compliance.
Notwithstanding its status as the gold standard of privacy protection, PbD has not yet become an explicit legal obligation under Canadian privacy law. Quebec's Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, makes significant amendments to Quebec's private sector law, including the introduction of a new section which requires organisations to ensure 'that the parameters of the technological products or services they use to collect personal information provide the highest level of confidentiality by default, without any intervention by the person concerned' [13]. Moreover, federal private sector privacy legislation has been the subject of reform initiatives, Bill C-11 for the Digital Charter Implementation Act in 2020 and Bill C-27 for the Digital Charter Implementation Act in 2022, both of which sought to enact the Consumer Privacy Protection Act to replace the Personal Information Protection and Electronic Documents Act 2000. While neither has yet passed, in a previous report from the Standing Committee on Access to Information, Privacy and Ethics regarding required changes to Canada's privacy laws, the Committee recommended that PbD become an explicit part of Canadian privacy law [14], noting that the Committee 'believes that privacy by design is an effective way to protect the privacy and reputation of Canadians' [15]. Moreover, the OPC and Innovation, Science and Economic Development Canada have both recommended that PbD be a focus for privacy law reform [16].
PbD is an effective tool in defending privacy rights while fostering digital innovation. Its use is important now more than ever before given the acceleration of the digital revolution due to the necessary shift to digital society amid the COVID-19 pandemic.
In an era of privacy reform, PbD is a helpful concept to ensure privacy protection is balanced with innovation. Following the lead of the GDPR, Canadian privacy law reform can benefit from PbD being entrenched in data protection legislation.
PbD's foundational principles can also go a long way in ensuring consumer trust. At a time when consumers are more aware of their privacy rights and, simultaneously, consumer trust is at a historic low, PbD can foster a positive reputation for organisations that follow its foundational principles.
1. See: https://www.aclu.org/other/human-right-privacy-digital-age; and: https://www.ohchr.org/en/stories/2013/10/right-privacy-digital-age
2. See: https://www.journals.uchicago.edu/doi/full/10.1086/663156
3. See: https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/201920/ar_201920/
4. See: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2023/nr-c_230126/
5. See: https://www.ipc.on.ca/wp-content/uploads/Resources/PrivacybyDesignBook.pdf
7. See: https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf
8. See: https://edps.europa.eu/sites/edp/files/publication/10-10-27_jerusalem_resolutionon_privacybydesign_en.pdf
9. See: https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
10. See: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf
12. See: https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12
14. See: https://ised-isde.canada.ca/site/innovation-better-canada/en/canadas-digital-charter/strengthening-privacy-digital-age