Privacy by Design: The global privacy standard

Ann Cavoukian

May 25, 2018 marked a significant milestone for Privacy by Design. This is the first time it has appeared in a regulatory framework, known as Europe’s General Data Protection Regulation (GDPR). But we shouldn’t let this overshadow earlier developments in this long road travelled. Allow me to start from the beginning.

Over the last two decades, we have witnessed how the growth of technology has brought exceedingly new challenges to the protection of privacy. Individuals are now constantly subjected to new forms of intrusion and connectivity. Information technology is compact, mobile, and everywhere. You cannot walk down the street without seeing someone using some sort of mobile device that has more computing power than an office floor full of computers, just a generation ago. There is almost no aspect of our lives left that remains untouched by information and communications technology.

Continually evolving and increasingly complex privacy-invasive technologies such as biometrics and sensors have intensified the need to remain vigilant and to keep developing new methods to protect our privacy. Unlike some critics, however, who see technology strictly as eroding privacy, I have always taken the view that technology is inherently neutral. I have always maintained that technology, which has created many challenges, can also be tapped for innovative solutions, particularly for privacy and access. While technology has the ability to diminish privacy, its support can also be enlisted to protect privacy through Privacy by Design, which emphasizes a positive-sum approach to privacy and technology innovation. I felt it was necessary to counter the prevailing zero-sum model, in which privacy must be sacrificed for the sake of security, innovation or business interests; that view is both false and misleading. If we change the paradigm to an inclusive positive-sum model, which allows privacy and other functionalities to grow in tandem, then the future of privacy and freedom grows more certain.

It was in 2009, during my third term as Ontario’s Information and Privacy Commissioner, that I advanced Privacy by Design on the world stage by formally launching the 7 Foundational Principles of Privacy by Design. To ensure that Privacy by Design continued to gain strong global momentum, the principles have been translated into over 40 languages. A year later, in 2010, a landmark resolution was unanimously passed in Jerusalem by the International Assembly of Privacy Commissioners and Data Protection Regulators, recognizing Privacy by Design as an essential component of fundamental privacy protection, transforming it overnight into an international standard.

To further raise awareness, 2011 became the “Year of the Engineer,” which included reaching out to those who design and build the systems and technologies upon which we rely. The aim was to challenge every innovator and engineer to operationalize Privacy by Design and make it an everyday reality.

There are times when I still cannot believe the journey taken to make Privacy by Design the global standard for privacy. My 16 years (three terms) as Commissioner fell in a unique historical period, when the advent of the Internet would fundamentally change the very concepts of privacy and data protection. In a perfect world, we would not need privacy regulators. However, we do not live in a perfect world, far from it, and despite the advances we have made in privacy and data protection, our efforts are needed now more than ever.

There was always a looming, yet common, misconception that privacy stifles innovation. The message is simple: building privacy into the business ecosystem yields many benefits, ranging from cost savings, to stronger business/consumer relationships, to much-needed trust. This in turn creates a significant competitive advantage.

Since their recognition as an international standard by international privacy and data protection commissioners in 2010, the Privacy by Design Foundational Principles have been embraced by public policy-makers, legislators, industry groups and associations as integral to their efforts to update 21st-century information privacy governance systems. Alongside these gains in global recognition, market and technology leaders, academics, and regulators started looking at ways of translating the principles of Privacy by Design into technical and business requirements, specifications, standards, best practices, and operational performance criteria. This became the next stage of Privacy by Design’s evolution. The central challenge in producing this work over such a wide area of applications is that there is no apparent “one-size-fits-all” response to specific privacy requirements.

For this task, there was an acknowledgement that specialized help was needed. The rise of the Chief Privacy Officer (CPO) role in organizations is a testament to the strategic importance of good information management and the demand for such skill sets. Privacy risk management as a distinct discipline is becoming more standardized and professionalized, and there is a new discipline of skilled privacy engineers and architects, as well as an increased awareness of Privacy by Design amongst software developers and the like.

On the industry standards stage, such a goal was laudable, and progress was made through the work of a Technical Committee of an industry standards body, the Organization for the Advancement of Structured Information Standards (OASIS), whose purpose was to develop and promote a standard for Privacy by Design in software engineering. The author, in cooperation with Dr. Dawn Jutla, established the OASIS Privacy by Design Documentation for Software Engineers (PbD-SE) Technical Committee in October 2012, with the two serving as co-chairs. The OASIS PbD-SE TC provides privacy governance and documentation standards for software engineers. It enables software organizations to embed privacy into the design and architecture of IT systems without diminishing system functionality.

The PbD-SE TC work follows the 7 Foundational Principles of Privacy by Design:

  1. Proactive not Reactive; Preventative Not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality – Positive-Sum, Not Zero-Sum
  5. End-to-End Security – Full Lifecycle Protection
  6. Visibility and Transparency – Keep It Open
  7. Respect for User Privacy – Keep It User-Centric

PbD-SE offers a privacy extension and complement to the Object Management Group’s (OMG) Unified Modeling Language (UML) and serves as a complement to OASIS’ eXtensible Access Control Mark-up Language (XACML) and Privacy Management Reference Model (PMRM).

Privacy by Design principles are internationally recognized and aligned to the Fair Information Principles (FIPs), the Generally Accepted Privacy Principles (GAPP) and the NIST 800-53 Appendix J controls. As a draft OASIS standard, PbD-SE helps stakeholders to visualize privacy requirements and design from software conception to requirement. PbD-SE is a specification of a methodology, mappings, and guidance to help software engineers to: i) model and translate Privacy by Design (PbD) principles into conformance requirements within software engineering tasks; ii) produce privacy-aware software and document artefacts as evidence of PbD-principle compliance; and iii) collaborate with management and auditors to simplify the demonstration of compliance and audits.

With the advent of the Internet of Things, cyber-security professionals have long been lamenting the lack of standards for consumer goods that access the Internet, which brings vulnerabilities that undermine data security and privacy. This year, a team of privacy experts was assembled by the International Standards Organisation (ISO) to develop the first set of preventative international guidelines to ensure that consumer privacy is embedded into the design of a product or service, with protection throughout the whole life cycle. The new ISO project committee, ISO/PC 317, Consumer protection: privacy by design for consumer goods and services, will develop guidelines that are intended both to enforce compliance with regulations and to generate greater consumer trust.

This recent standardization effort, which complements the GDPR and encapsulates all of the merits of Privacy by Design, has been a long time coming. The majority of privacy breaches remain unchallenged, unregulated and unknown because there are far too many of them. Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy. Prevention is needed.

I frame privacy as being essential to freedom, revolving around personal control and freedom of choice: the need to maintain user control over the collection, use and disclosure of one’s personal information. This view of privacy is perhaps best reflected in the right of “informational self-determination,” enshrined in the German Constitution in 1983, under which the individual should be the one to determine the fate of his or her personal information. Recognizing privacy as an exercise in personal control has always been important, but it is especially critical today, in an age characterized by far-reaching, ubiquitous computing and invasive surveillance by the state.

We are experiencing an era of near-exponential growth in the creation, dissemination, use and retention of personal information. Whether applied at the level of information technology, business practices, or systems, it is more critical now than ever to embrace Privacy by Design if privacy, as we know it, is to survive well into the 21st century. With increasingly savvy and interconnected users, an organization’s approach to privacy may offer precisely the competitive advantage needed to succeed. Privacy is essential to creating an environment that fosters trusting, long-term relationships with existing customers, while attracting opportunity and facilitating the development of new ones. In an ever-changing world of emerging technologies, the right to privacy is more important than ever. We must remain vigilant in the protection of privacy, the bedrock of our freedom and liberty.

Ann Cavoukian
Executive Director | Privacy and Big Data Institute, Ryerson University

Dr. Ann Cavoukian is recognized as one of the world’s leading privacy experts. She is presently the Executive Director of the Privacy and Big Data Institute at Ryerson University. Appointed as the Information and Privacy Commissioner of Ontario, Canada in 1997, Dr. Cavoukian served an unprecedented three terms as Commissioner. In that time, she elevated the Office of the Information and Privacy Commissioner from a novice regulatory body to a first-class agency, known around the world for its cutting-edge innovation and leadership. There she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices, thereby achieving the strongest protection possible.