I have just come from a morning session on Privacy by Design (PbD) where the ideas, first presented by Dr Ann Cavoukian in 1995, are set to become tomorrow’s data protection orthodoxy (if the Regulation sees the light of day). The session started with a quotation from Newton, ostensible made when he published his ground breaking Principia in 1687: “if I have seen further, it is by standing on the shoulders of giants”.
In the context of PbD, I immediately thought that Newton’s Third Law of Motion was perhaps far more relevant: “for every action there is an equal and opposite reaction”. This blog explains why I suspect the issue of “reaction” has not been considered.
Let’s be honest. Since 1995, PbD ideas have not taken off and it is easy to see why. Suppose you went to your marketing manager and said “Hey, I have had a brainwave! Why not collect the minimum amount of personal data so we limit our use of the database and seek data subject consent if we want to do something different. Shall we give it a go?”.
I think most managers would give you short shrift because they would start from the position that technology is there to arrange business matters to enhance the data controller’s profit and not the data subject’s privacy.
You find this “data controller focus” elsewhere; for example in most security risk methodologies. These assessments start from the position of protecting the data controller’s assets and considering the business impact on the data controller. One needs to include Privacy Impact Assessment ideas if such risk assessments are to consider the impact on, or risks to, data subjects.
However, change the regulatory framework and PbD begins makes more sense for data controllers. So, for example, if you have £500,000 penalties for a data loss, then data minimisation makes sense as one cannot loose what one does not hold. The more personal data held, the greater the chance that the data controller will have a mishap. Add to this mix, a Regulator that is an “enforcer” (as per Regulation), then the consequences for the data controller of a breach a duty of care towards personal data becomes significant.
In other words, for PbD ideas to advance, they have needed legislative changes to “up the ante” for data controllers.
However, this does not explain why is PbD is an obligation in the Regulation?
Essentially, I think that PbD is an attempt to control the privacy threats arising from the implementation of modern technologies that now collect thousands of fine details about data subjects. For instance, a familiar electricity bill often used to be calculated over three months; now new smart meters record when you have a cup of tea, watch TV or have a shower. A phone company used to send a bill that is paid quarterly; now phone companies log who you called, for how long, and from what location. Is your mobile phone, therefore, a self-inflicted self-surveillance device? I will leave you to answer that one!
If PdB is “the action” (as per Newton) to reduce the privacy risks, “the reaction” will come from the law enforcement agencies. There is very little evidence that these agencies have considered the impact of a wider take up of PbD on their activities, mainly because there has been little take up of PbD ideas by data controllers.
However, make PbD a statutory requirement on all data controllers (as per the Regulation), then this position changes; such agencies will have to consider its impact on them. So, for example, if data minimisation is the norm and if law enforcement agencies see such data as being useful, then they will demand legislative changes for their retention. If the law enforcement agencies see that "useful" personal data could be collected, then as night follows day, they will ask for the law to require their collection.
So as more PbD techniques are adopted, I predict that there will be more data collection and retention demands from the authorities. These demands, if accepted by Government, then undermines the reasons for implementation of PbD in the first place.
As Newton Third Law states: every action has an equal and opposite reaction.
References
I have done previous blogs on Privacy by Design before:
PbD can accelerate the decline of privacy (see discussion as well)(http://amberhawk.typepad.com/amberhawk/2010/01/privacy-by-design-can-accelerate-the-decline-of-privacy.html)
Canadian Commissioner promotes the principles of privacy by design (http://amberhawk.typepad.com/amberhawk/2009/09/canadian-commissioner-promotes-the-principles-of-privacy-by-design.html)
Privacy by Design: A view from the Commissioner’s office (http://amberhawk.typepad.com/amberhawk/2010/01/hawktalk-privacy-by-design-a-view-from-the-commissioners-office.html)
I see it instead that PbD will force police to make a case-by-case argument about the proportionality of mandated retention of certain specific data, rather than just be overwhelmed by a digital tsunami of personal data they can now access.
Posted by: Ian Brown | 11/10/2012 at 11:25 PM