A Collaboration with the University of Pittsburgh

The Imperative of Incorporating Privacy Protections at the Design Stage

JURIST Special Guest Columnist Daniel Caron, Legal Council for the Office of the Privacy Commissioner of Canada says the privacy concerns raised by the launch of Google Buzz illustrates the need for companies to integrate privacy protections before implementing new technologies....

New innovative technologies that raise privacy issues seem to proliferate on an ever increasing basis. While such developments can bring about certain benefits, all too often new technologies are rolled out with privacy as an afterthought: launch now, deal with privacy concerns as they arise. But the failure to incorporate privacy at the design stages not only offends basic privacy principles; it can be costly.

Consider the launch of Google Buzz this past year. When Google launched Buzz, it effectively turned Google's private e-mail service into a social networking service, raising concern among users that their personal information was being disclosed. Google automatically assigned users a network of "followers" from among people with whom they corresponded most often on Gmail, without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions. In an open letter to Google, a number of data protection authorities around the world expressed concerns about privacy issues related to Google Buzz and that its launch violated the fundamental principle that individuals should be able to control how their personal information is used.

But Google is certainly not alone. Too often, we see new services that fail to take sufficient account of privacy considerations prior to being launched. As our understanding of privacy evolves and new technologies pose novel threats to individual privacy, the debate about how to best protect privacy persists. In Canada, our federal private-sector privacy legislation is grounded in the fair information practices, and by being technology-neutral, has thus far been able to meet the challenges posed by evolving technology and business models. However, more could be done to prevent privacy problems, or to mitigate the effects on privacy protection posed by new technologies, by making the protection of privacy an integral part of the development of new technologies.

Despite the varying approaches to protecting privacy found around the world, one unifying tendency seems to be that the protection of privacy need not be left solely to the regulatory sphere. Instead, it has to start with those entities that use personal information themselves. We need organizations in the public and private sectors to be on board, to think about what they do, how they do it, what they plan to do next and how privacy fits into it all. Our Office, the Office of the Privacy Commissioner of Canada, promotes a more inclusive, systematic and proactive path to privacy. Privacy considerations should be a critical component of the design stage of any new technology or use of technology.

For instance, in our July 2010 submission to the Government of Canada's consultation on a Digital Economy Strategy [PDF], we called for a holistic view that fosters a privacy culture in both business and government, from the design of an initiative through to its implementation. Proactive privacy does more than ensuring the respect of fundamental privacy principles; where the private sector is concerned, it instils customer confidence. Confidence in a key ingredient in ensuring innovation, and businesses are starting to understand that they need to earn their customer's confidence in order to offer new innovative products.

Other data protection authorities in other parts of Canada and the world are calling for "privacy by design" to be required in data protection legislation. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has been a long-time proponent of the concept of privacy by design. Indeed, at an international meeting of data protection authorities in Jerusalem in October, she put forward a resolution that called on organizations to embed privacy considerations as the default into the design, operation and management of information technologies and systems. The European Commission recently published its plans [PDF] for revising the European Union Data Protection Directive, which, among other objectives, proposes that privacy impact assessments be carried out where appropriate, that privacy enhancing technologies be favoured and that "privacy by design" be an utmost consideration. Privacy needs to be an integral part of business models that rely on technology through a careful analysis of a business' activities.

Privacy impact assessments are a useful tool that private sector organisations should use since such assessments can prevent problems from arising in the first place. In essence, privacy impact assessments help ensure that the protection of privacy is a core consideration when a project is planned and implemented. Integrating such an analysis as part of an organization's risk mitigation strategy helps build a culture of proactive privacy.

Building a privacy culture, however, needs strategies and support. Governments do have a role to play in that respect, and national consultations and round-tables are a great starting point. Indeed, the U.S. Commerce Department has created an Internet Policy Task Force to conduct a comprehensive review of the nexus between privacy policy, copyright, global free flow of information, cybersecurity, and innovation in the Internet economy. Earlier this year, the U.S. Federal Trade Commission hosted a series of public roundtable discussions to explore the privacy challenges posed by new technology and business practices collecting and using personal data. Here in Canada, our Office launched a consultation process on online tracking, profiling and targeting, and cloud computing, to highlight evolving technological trends and the privacy implications of the online world. Hopefully such public outreach will help spread the message of the imperative of incorporating privacy protections prior to the launch of a new product.

Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.

Support JURIST

We rely on our readers to keep JURIST running

 Donate now!

About Professional Commentary

Professional Commentary is JURIST's platform for newsmakers, activists and legal experts to comment on national and international legal developments.

Hotline welcomes submissions, inquiries and comments at professionalcommentary@jurist.org.

© Copyright JURIST Legal News and Research Services, Inc., 2013.