As we previously reported, Covington was selected from thousands of applicants to host a Privacy by Design bootcamp and workshop during last week’s South by Southwest (“SXSW”) Interactive festival, which featured five days of compelling presentations and panels from industry leaders in emerging technology. SXSW designs workshops in particular to provide in-depth, hands-on education taught by innovative leaders. To close out our coverage of SXSW, below is a workshop recap for those who couldn’t make it to Austin this year.
With the premise that businesses are eager to build privacy considerations into all phases of their activities in this new era of “big data,” our Privacy By Design Bootcamp provided a step-by-step guide to develop and integrate Privacy by Design (“PbD”) into any organization. The workshop was well-attended, with audience members representing a diversity of sectors, including tech, financial, health, data, security, and academia, allowing for informative discussion spanning several industries. The workshop started with the history of PbD and then presented examples of real-world PbD, including basic elements of an effective program. We also walked through specific steps to initiate a successful PbD program, including implementing policies and procedures and examining the data lifecycle. The outline below addresses some key topics from our Privacy by Design workshop. If you’re interested in learning more, please contact PbD Bootcamp leaders Libbie Canter and Meena Harris.
WHAT IS PRIVACY BY DESIGN?
- History and Origination
- The EDPS and EU Research and Technological Development. In 2008, EU Data Protection Supervisor (“EDPS”) Peter Hustinx released a policy paper, according to which privacy and data protection requirements should be considered in future EU research and technological development projects, especially those developing information and communication technologies. Hustinx said that PbD should represent an inherent part of the European Commission’s 7th Framework Programme.
- Ontario Information & Privacy Commissioner Ann Cavoukian’s White Paper. Also in 2008, Ann Cavoukian issued a white paper and delivered a presentation outlining a “positive sum” approach to PbD. According to Cavoukian, PbD should seek to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a zero-sum approach, where unnecessary tradeoffs are made. Cavoukian has stated, “It’s all about embedding privacy, proactively, into everything that you do.”
- Article 29 Working Party Opinion. The Article 29 Data Protection Working Party has incorporated PbD as a fundamental principle. In a 2009 opinion, the Working Party stated that services and technologies that rely on the processing of personal data should be designed with privacy-by-default settings. The opinion also stated that PbD principles should be binding not only for data controllers, but also for technology designers and producers.
- FTC Privacy Report. The FTC’s 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change,” highlights PbD as a best practice. Specifically, the proposed framework urges companies to adopt PbD as a practice that builds privacy into business operations and at every stage of product development.
- Federal Legislation. The Commercial Privacy Rights Act of 2015, proposed just this month, mentions PbD by name and would require it as a business practice: “Each covered entity shall . . . implement a comprehensive information privacy program by . . . incorporating necessary development processes and practices throughout the product life cycle that are designed to safeguard the personally identifiable information that is covered information of individuals.” The Congressional Privacy Bill directly follows the recent release of the White House’s proposal for a privacy bill, which also mentions PbD, suggesting a clear policy direction incorporating PbD principles.
- Seven Foundational Principles: Dr. Cavoukian, a thought leader in this area, has offered one framework for understanding PbD. She has said PbD comprises the following seven principles.
- (1) Proactive not Reactive. Seek to anticipate and prevent privacy-invasive events before they happen. PbD does not wait for privacy risks to materialize – it aims to prevent them from happening.
- (2) Privacy as the Default Setting. Seek to build privacy protections into the system by default.
- (3) Privacy Embedded into Design. Consider privacy at the earliest brainstorming stages, and seek to embed privacy into the design and architecture of systems and practices.
- (4) Full Functionality. According to this principle, there need not be a tradeoff between privacy and other goals; it should be possible to have both privacy and security and both privacy and functionality.
- (5) End-to-End Security. Full lifecycle protection means seeking to secure data throughout the entire data lifecycle, including the secure destruction of data at the end of the data lifecycle.
- (6) Visibility and Transparency. Provide users with appropriate transparency and visibility into the processing of their personal data.
- (7) Respect for User Privacy. Keep it user-centric.
- FTC Approach: FTC Chairwoman Edith Ramirez has said, “The hallmark of privacy by design is a deliberate and systematic approach to privacy and data security.” The FTC framework uses the term Privacy by Design to include the following:
- (1) Embed privacy and security into products and services from the outset.
- (2) Only collect the data needed for a specific business purpose and safely dispose of it when that objective has been accomplished.
- (3) Employ reasonable security to protect consumer data.
- (4) Maintain data management personnel, procedures, and controls to help ensure that substantive privacy by design principles are respected at all stages of the design and development of products and services.
WHY ADOPT PRIVACY BY DESIGN?
- Applicable Laws: Even in the absence of an explicit statutory requirement to adopt PbD principles, implementing one or more “elements” of PbD may reduce legal risk.
- Companies may be less likely to process personal data in a way that is inconsistent with their representations to users or otherwise in violation of applicable laws if they have a strong PbD program.
- Companies may be better able to avoid the types of privacy breaches that, at least in the United States, have attracted litigation risk in the past.
- Certain statutory and regulatory frameworks may require particular elements of PbD. For example, the Gramm-Leach-Bliley Act (“GLBA”) expressly requires financial institutions to adopt certain contractual restrictions and to oversee service providers.
- Demonstrate Good Faith to Regulators: If there’s a privacy or security issue that results in a regulatory inquiry, a company will have a better narrative in its discussions with regulators.
- Make Legal Compliance Less Expensive: Addressing compliance issues may be simpler and less costly if the issues are identified at an early stage of product development.
- Market Competition: PbD is a selling point for consumers, and therefore, it is a competitive advantage.
DEPLOYING PRIVACY BY DESIGN
- Data Management: Implementing data management personnel, procedures, and controls will require careful consideration of what is appropriate to a particular organization. It may, however, generally include some or all of the following components.
- Personnel responsible for privacy and security
- Training programs
- Internal privacy policies (e.g., core privacy principles) and/or guidelines
- Procedures and checklists (e.g., data inventories for existing and new products; checklists for product development, product/service termination, material changes to privacy policies, and sharing data with third parties)
- Templates for service provider due diligence and contractual terms
- Cross-border transfer policies and procedures
- Data security policies and procedures (e.g., written information security program, data incident response plan, and retention schedule)
- Risk assessments and audits
- Internal Data Lifecycle: To better build privacy and security into the data lifecycle, it may be helpful for organizations to consider whether they know the answers to the following questions.
- Data and Purpose Specification. What personal data is collected, and how is it collected? Is the collection of data consistent with the disclosures made in applicable privacy policies?
- Data Minimization. Is the personal data collected reasonably necessary to fulfill a legitimate business function? Is there a need to collect and/or retain sensitive personal data?
- Data Usage. Will personal information be used in ways that are consistent with privacy disclosures to users and applicable laws (e.g., product/service fulfillment, analytics, marketing, research)? Some uses of personal data may trigger additional obligations in some jurisdictions (e.g., electronic marketing, online behavioral advertising).
- Data Sharing. What service providers or business partners have access to personal data, and what are their data handling practices? (E.g., what data will they receive? How will they use the data? Will the data be shared further? How will it be protected?) Is it appropriate to employ contractual and technical restrictions to govern the practices of such service providers or business partners?
- Data Protection. Are there reasonable physical, technical, and administrative safeguards in place to protect personal data?
- External Interface: In addition to strong internal data-management procedures, implement an external user interface that: (1) tells users about data handling practices (notice), and (2) gives users the ability to make choices, where appropriate (user control).