Privacy Design': Nice-to-have or a Necessary Principle of Data Protection Law?

• Author: David Krebs
• Position: Juris Doctor, LL.M., Member of the Law Society of Alberta (Canada)
• Pages: 2-20

2013

David Krebs

2

4

Abstract: Privacy by Design is a term that was

coined in 1997 by the Canadian privacy expert and

Commissioner for Ontario, Dr Ann Cavoukin, but one

that has recently been receiving more attention in

terms of its inclusion as a positive requirement into

EU, US and Canadian data protection frameworks.

This paper argues that the right to personal privacy is

a fundamental right that deserves utmost protection

by society and law. Taking privacy into consideration

at the design stage of a system may today be an

implicit requirement of Canadian federal and EU

legislation, but any such mention is not sufficiently

concrete to protect privacy rights with respect

to contemporary technology. Effective privacy

legislation ought to include an explicit privacy-by-

design requirement, including mandating specific

technological requirements for those technologies

that have the most privacy-intrusive potential. This

paper discusses three such applications and how

privacy considerations were applied at the design

stages. The recent proposal to amend the EU data

protection framework includes an explicit privacy-by-

design requirement and presents a viable benchmark

that Canadian lawmakers would be well-advised to

take into consideration.

“Privacy by Design”: Nice-to-have or a

Necessary Principle of Data Protection Law?

by David Krebs*

Juris Doctor, LL.M., Member of the Law Society of Alberta (Canada)

© 2013 David Krebs

Everybody may disseminate this ar ticle by electroni c means and make it available for downlo ad under the terms and

conditions of the Digita l Peer Publishing Licence (DPPL). A copy of the license text may be obtaine d at http://nbn-resolving.

de/urn:nbn:de:0009-dppl-v3-en8 .

Recommended citation: David K rebs, “Privacy by Design”: Nice-to-have or a Necessar y Principle of Data Protection Law?, 4

(2013) JIPITEC 2, para. 1.

Keywords: Data Protection, Canadian Privacy Law, Comparative Law, EU Data Protection Regulation, Right to

Privacy

A. Introduction

1

The threats to the individual right to privacy –

or what is sometimes referred to as the right to

‘informational self-determination’1 or simply

the ‘right to be let alone’2 – are currently being

widely discussed, debated and analysed. This is

particularly so where this right is impacted by

new technologies or the incremental move of

our daily activities online. New technologies that

impact the way in which information about people,

3 (‘PII’), is used,

collected, stored and disseminated are appearing

at a frequent and rapid pace. These may be ‘apps’,

facial recognition technologies, smart electricity

grids, Radio Frequency Technologies (RFID), cloud

computing, mass and surreptitious surveillance,

biometrics and private sector Internet marketing

initiatives. Currently, for the most part at least,

technology is being adjusted after the fact to patch

privacy-related issues as they arise or after they have

already had a negative impact.

2

To address these concerns and to move from a

reactive to a proactive approach, Dr Ann Cavoukian,

current Privacy Commissioner for Ontario, in 1997

had already developed the principles behind – and

coined the phrase – ‘privacy by design’ (PbD). PbD

recognizes that the deployment of technologies

designed to achieve a certain commercial or public

sector goal without having considered the privacy

implications at the design stage of the technology4



being used or disclosed in ways that harm privacy

rights permanently. PbD embodies the merger of

“Privacy by Design”: Nice-to-have or a Necessary Principle of Data Protection Law?

2013

3

4

two objectives: the protection and control of PII and

privacy, and the advancement of the commercial

application of technologies in a sustainable but

competitive manner.

5

The Protection of Information

and Electronics Documents Act6 (‘PIPEDA’)7 (as well

as the European Data Protection Directive)8 contains

provisions relating to the adequacy of protective

security measures and also, implicitly, privacy ‘by

design’ requirements. At present, however, PbD

is not an explicit part of the legislative scheme in

Canada, the European Union (EU) or the United

States of America (US), even though it is often cited

as a best practice and perhaps even as the ‘gold

standard’ in privacy protection.9

3

Calls for an introduction of PbD into legislative

frameworks have been receiving more attention

recently, for example, within the proposal for an

EU privacy framework,10 in proposed legislation in

the US,11 as well as a resolution at the 32nd International

Conference of Data Protection and Privacy Commissioners

in Jerusalem. In Canada, there have been no such

concrete proposals, only the vocal views of the

Federal and Ontario Commissioners.

4

This paper argues that legislated PbD is the

necessary next step in privacy law to protect a

right that is fundamental to liberty, personal

integrity and democracy. For this reason, PbD

deserves explicit mention as a tenet of privacy and

data protection law. However, the view that laws

   

in this regard is not tenable in a world of ubiquitous

computing and transformative technologies. A

broad, principled approach relies on organizations

adopting appropriate measures without providing

the necessary guidance necessary to prevent actions

injurious to personal privacy such as data breaches,

unwanted tracking or uncontrolled collection of

ever-increasing amounts of PII. PbD needs to be

incorporated into the privacy law framework in

Canada (and elsewhere) as a general organizational

requirement and, in appropriate circumstances,

  

‘privacy enhancing technologies’

12

(PETs), as well

as the corresponding ability for the regulator to

prevent a system or application from being initiated.

5  

legal right to privacy in order to set the stage for why

the design of systems that conform to this right is of

such primal importance to its ultimate protection.

The second part will turn to the current legislative

framework to canvass the extent to which current

provisions would satisfy the needs intended to be

addressed by PbD. In this section, I will include

examples from the EU framework because of its

relevance to Canadian privacy laws. Canadian policy

discussions often run in parallel13 and Canada and

Europe share many relevant socio-cultural aspects.

14

I will also be looking to the US, where there have



The third part will look at pertinent examples of

systems to which PbD principles were applied, and

without which the resulting systems would likely

have been much more privacy-intrusive. The last

part of the analysis will focus on the views of data

protection authorities relating to incorporating

PbD into legislative frameworks, including a close

look at the legislative proposal from the Ontario

Commissioner, Dr Ann Cavoukian, which was

included as part of a very recent publication from

15  

some recommendations and suggested points for

future research in this regard.16

B. Privacy by Design

I. The Right to Privacy

[Code] will present the greatest threat to both

liberal and libertarian ideals, as well as their

greatest promise. We can build, or architect,

cyberspace to protect values that we believe

are fundamental. Or we can build, or architect,

or code cyberspace to allow those values to

disappear.17

6

This section is not intended to provide an exhaustive

background to or a detailed comparative analysis

of the right to privacy in Canada versus other

Western jurisdictions.18 Rather, it is intended to

set the stage for the discussion of why a legislated

PbD requirement might be a necessary addition to

existing data privacy frameworks in order to protect

the right to privacy as a fundamental personal and

democratic right.

7 In some jurisdictions, privacy is an explicitly stated

constitutional right.19 In the EU, all Member States

are signatories to the Convention for the Protection of

Human Rights and Fundamental Freedoms (ECHR),20

which incorporates privacy as a fundamental right

into EU law. Article 8 of the ECHR protects the “Right

to respect for private and family life’21 and forms

the basis for modern privacy protection in Europe.

8

In Canada, the right to privacy is not a constitutional

right as such; rather, the constitutional right to

privacy is rooted in and protected by the Supreme

Court of Canada’s interpretation22 of Section 8 of

the Charter of Rights and Freedom,23 the right to be

free from unreasonable search and seizure. This

protection is similar to the right afforded by the

American 4

th

Amendment,

24

although one should not

go too far in drawing parallels, as the jurisprudence

in the US and Canada in this regard is certainly

not uniform. Section 8 protects the liberty of the

person but only in so far as the individual has a