Ira Rubinstein
Information Law Institute, NYU School of Law
Berkeley Technology Law Journal, Forthcoming
Berkeley Technology Law Journal, Forthcoming
Abstract:
Privacy regulators are embracing privacy by design as never before. This is the idea that “building in” privacy throughout the design and development of products and services achieves better results than “bolting it on” as an afterthought. In the US, a very recent FTC Staff Report makes privacy by design one of three main components of a new privacy framework.
According to the FTC, firms should adopt privacy by design by incorporating substantive protections into their development practices and implementing comprehensive data management procedures; the latter may also require a privacy impact assessment (PIA) where appropriate. In contrast, European privacy officials view privacy by design as also requiring the broad adoption of Privacy Enhancing Technologies (PETs), especially PETs that shield or reduce identification or minimize the collection of personal data.
Despite the enthusiasm of privacy regulators, privacy by design and PETs have yet to achieve widespread acceptance in the marketplace. One reason is that Internet firms derive much of their profit from the collection and use of personal data and may be unwilling to build in privacy if it disrupts profitable activities or new business ventures. Nor does the available evidence support the view that privacy by design pays for itself (except perhaps for a small group of firms who must protect privacy to maintain highly valued brands and avoid reputational damage). At the same time, the regulatory implications of privacy by design remain murky at best, not only for adopters but also for free riders.
This Article seeks to clarify the meaning of privacy by design and thereby suggest how privacy regulators might develop appropriate incentives to offset the certain economic costs and uncertain privacy benefits of this new approach. It begins by developing a taxonomy of PETs, classifying them as substitutes or complements depending on how they interact with data protection or privacy laws. Substitute PETs aim for zero-disclosure of PII, whereas complementary PETs enable greater user control over personal data through enhanced user controls. Next, it explores the meanings of privacy by design in the specific context of the FTC’s emerging concept of “comprehensive information privacy programs.” It also examines the activities of a few industry leaders, who rely on engineering approaches and related tools to implement privacy principles throughout the product development and the data management lifecycles.
Building on this analysis and using targeted advertising as its primary illustration, the Article then suggests how regulators might achieve better success in promoting the adoption of privacy by design by 1) identifying best practices in privacy design and development, including prohibited practices, required practices, and recommended practices; and 2) situating best practices within an innovative regulatory framework that a) promotes experimentation with new technologies and engineering practices; b) encourages regulatory agreements through stakeholder representation, face-to-face negotiations, and consensus-based decision making; and c) supports flexible, incentive driven safe harbor mechanisms as defined by (newly enacted) privacy legislation.
Despite the enthusiasm of privacy regulators, privacy by design and PETs have yet to achieve widespread acceptance in the marketplace. One reason is that Internet firms derive much of their profit from the collection and use of personal data and may be unwilling to build in privacy if it disrupts profitable activities or new business ventures. Nor does the available evidence support the view that privacy by design pays for itself (except perhaps for a small group of firms who must protect privacy to maintain highly valued brands and avoid reputational damage). At the same time, the regulatory implications of privacy by design remain murky at best, not only for adopters but also for free riders.
This Article seeks to clarify the meaning of privacy by design and thereby suggest how privacy regulators might develop appropriate incentives to offset the certain economic costs and uncertain privacy benefits of this new approach. It begins by developing a taxonomy of PETs, classifying them as substitutes or complements depending on how they interact with data protection or privacy laws. Substitute PETs aim for zero-disclosure of PII, whereas complementary PETs enable greater user control over personal data through enhanced user controls. Next, it explores the meanings of privacy by design in the specific context of the FTC’s emerging concept of “comprehensive information privacy programs.” It also examines the activities of a few industry leaders, who rely on engineering approaches and related tools to implement privacy principles throughout the product development and the data management lifecycles.
Building on this analysis and using targeted advertising as its primary illustration, the Article then suggests how regulators might achieve better success in promoting the adoption of privacy by design by 1) identifying best practices in privacy design and development, including prohibited practices, required practices, and recommended practices; and 2) situating best practices within an innovative regulatory framework that a) promotes experimentation with new technologies and engineering practices; b) encourages regulatory agreements through stakeholder representation, face-to-face negotiations, and consensus-based decision making; and c) supports flexible, incentive driven safe harbor mechanisms as defined by (newly enacted) privacy legislation.
No comments:
Post a Comment