‘Privacy by Design’: Nice-to-have or a Necessary Principle of Data Protection Law?

Author: David Krebs
Position: Juris Doctor, LL.M., Member of the Law Society of Alberta (Canada)
Pages: 2-20
SUMMARY

Privacy by Design is a term that was coined in 1997 by the Canadian privacy expert and Commissioner for Ontario, Dr Ann Cavoukian, but one that has recently been receiving more attention in terms of its inclusion as a positive requirement into EU, US and Canadian data protection frameworks. This paper argues that the right to personal privacy is a fundamental right that deserves utmost protection by society and law.

Abstract: Privacy by Design is a term that was coined in 1997 by the Canadian privacy expert and Commissioner for Ontario, Dr Ann Cavoukian, but one that has recently been receiving more attention in terms of its inclusion as a positive requirement into EU, US and Canadian data protection frameworks. This paper argues that the right to personal privacy is a fundamental right that deserves utmost protection by society and law. Taking privacy into consideration at the design stage of a system may today be an implicit requirement of Canadian federal and EU legislation, but any such mention is not sufficiently concrete to protect privacy rights with respect to contemporary technology. Effective privacy legislation ought to include an explicit privacy-by-design requirement, including mandating specific technological requirements for those technologies that have the most privacy-intrusive potential. This paper discusses three such applications and how privacy considerations were applied at the design stages. The recent proposal to amend the EU data protection framework includes an explicit privacy-by-design requirement and presents a viable benchmark that Canadian lawmakers would be well-advised to take into consideration.
“Privacy by Design”: Nice-to-have or a Necessary Principle of Data Protection Law?
by David Krebs*
Juris Doctor, LL.M., Member of the Law Society of Alberta (Canada)
© 2013 David Krebs
Everybody may disseminate this article by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving.de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: David Krebs, “Privacy by Design”: Nice-to-have or a Necessary Principle of Data Protection Law?, 4 (2013) JIPITEC 2, para. 1.
Keywords: Data Protection, Canadian Privacy Law, Comparative Law, EU Data Protection Regulation, Right to Privacy
A. Introduction

1 The threats to the individual right to privacy – or what is sometimes referred to as the right to ‘informational self-determination’1 or simply the ‘right to be let alone’2 – are currently being widely discussed, debated and analysed. This is particularly so where this right is impacted by new technologies or the incremental move of our daily activities online. New technologies that impact the way in which information about people,3 (‘PII’), is used, collected, stored and disseminated are appearing at a frequent and rapid pace. These may be ‘apps’, facial recognition technologies, smart electricity grids, Radio Frequency Technologies (RFID), cloud computing, mass and surreptitious surveillance, biometrics and private sector Internet marketing initiatives. Currently, for the most part at least, technology is being adjusted after the fact to patch privacy-related issues as they arise or after they have already had a negative impact.
2 To address these concerns and to move from a reactive to a proactive approach, Dr Ann Cavoukian, current Privacy Commissioner for Ontario, in 1997 had already developed the principles behind – and coined the phrase – ‘privacy by design’ (PbD). PbD recognizes that the deployment of technologies designed to achieve a certain commercial or public sector goal without having considered the privacy implications at the design stage of the technology4

being used or disclosed in ways that harm privacy rights permanently. PbD embodies the merger of two objectives: the protection and control of PII and privacy, and the advancement of the commercial application of technologies in a sustainable but competitive manner.5 The Personal Information Protection and Electronic Documents Act6 (‘PIPEDA’)7 (as well as the European Data Protection Directive)8 contains provisions relating to the adequacy of protective security measures and also, implicitly, privacy ‘by design’ requirements. At present, however, PbD is not an explicit part of the legislative scheme in Canada, the European Union (EU) or the United States of America (US), even though it is often cited as a best practice and perhaps even as the ‘gold standard’ in privacy protection.9
3 Calls for an introduction of PbD into legislative frameworks have been receiving more attention recently, for example, within the proposal for an EU privacy framework,10 in proposed legislation in the US,11 as well as a resolution at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem. In Canada, there have been no such concrete proposals, only the vocal views of the Federal and Ontario Commissioners.
4 This paper argues that legislated PbD is the necessary next step in privacy law to protect a right that is fundamental to liberty, personal integrity and democracy. For this reason, PbD deserves explicit mention as a tenet of privacy and data protection law. However, the view that laws

in this regard is not tenable in a world of ubiquitous computing and transformative technologies. A broad, principled approach relies on organizations adopting appropriate measures without providing the guidance necessary to prevent actions injurious to personal privacy such as data breaches, unwanted tracking or uncontrolled collection of ever-increasing amounts of PII. PbD needs to be incorporated into the privacy law framework in Canada (and elsewhere) as a general organizational requirement and, in appropriate circumstances,

‘privacy enhancing technologies’12 (PETs), as well as the corresponding ability for the regulator to prevent a system or application from being initiated.
5

legal right to privacy in order to set the stage for why the design of systems that conform to this right is of such primal importance to its ultimate protection. The second part will turn to the current legislative framework to canvass the extent to which current provisions would satisfy the needs intended to be addressed by PbD. In this section, I will include examples from the EU framework because of its relevance to Canadian privacy laws. Canadian policy discussions often run in parallel13 and Canada and Europe share many relevant socio-cultural aspects.14 I will also be looking to the US, where there have

The third part will look at pertinent examples of systems to which PbD principles were applied, and without which the resulting systems would likely have been much more privacy-intrusive. The last part of the analysis will focus on the views of data protection authorities relating to incorporating PbD into legislative frameworks, including a close look at the legislative proposal from the Ontario Commissioner, Dr Ann Cavoukian, which was included as part of a very recent publication from

15

some recommendations and suggested points for future research in this regard.16
B. Privacy by Design

I. The Right to Privacy

[Code] will present the greatest threat to both liberal and libertarian ideals, as well as their greatest promise. We can build, or architect, cyberspace to protect values that we believe are fundamental. Or we can build, or architect, or code cyberspace to allow those values to disappear.17
6 This section is not intended to provide an exhaustive background to or a detailed comparative analysis of the right to privacy in Canada versus other Western jurisdictions.18 Rather, it is intended to set the stage for the discussion of why a legislated PbD requirement might be a necessary addition to existing data privacy frameworks in order to protect the right to privacy as a fundamental personal and democratic right.

7 In some jurisdictions, privacy is an explicitly stated constitutional right.19 In the EU, all Member States are signatories to the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR),20 which incorporates privacy as a fundamental right into EU law. Article 8 of the ECHR protects the “Right to respect for private and family life”21 and forms the basis for modern privacy protection in Europe.
8 In Canada, the right to privacy is not a constitutional right as such; rather, the constitutional right to privacy is rooted in and protected by the Supreme Court of Canada’s interpretation22 of Section 8 of the Charter of Rights and Freedoms,23 the right to be free from unreasonable search and seizure. This protection is similar to the right afforded by the American 4th Amendment,24 although one should not go too far in drawing parallels, as the jurisprudence in the US and Canada in this regard is certainly not uniform. Section 8 protects the liberty of the person but only in so far as the individual has a