The perception that privacy is losing an arms race with technology is a constant source of public anxiety and of regulatory action. Many privacy and data protection laws directly respond to advances in technology: cameras, large databases, the Internet, cellular networks, sensors. The paradigm plays out over and over again: technology erodes privacy, and regulations are passed to protect it.
Ongoing revelations about the National Security Agency's massive data collection activities, and its success at circumventing encryption in consumer products, at times with the cooperation (perhaps begrudging) of the corporate sector, suggest that efforts to strengthen the privacy features of technical systems are timely and necessary even in democratic countries.
But today regulators are casting a more hopeful eye at technology. They are looking to harness technical design to advance and protect privacy. Signaling the conviction with which they have embraced this new perspective, "privacy by design," as it is commonly called, is a goal of the current draft European Privacy Regulation4 and features prominently in U.S. privacy proposals.a
Bringing privacy concerns into the design of products and standards is a significant new regulatory approach. It reflects growing recognition of the substantial role that technical systems play in supporting and shaping societal values.
But advancing privacy through design presents several challenges. First, it requires regulatory strategies that encourage organizations to devote technical resources toward advancing a social imperative that is often at loggerheads with corporate interests, and is traditionally viewed as the responsibility of corporate lawyers, not technologists. Embedding privacy in technical design will likely be as expensive as having lawyers draft privacy notices, and, we would argue, more complicated. Infusing privacy into technical design will require firms to adopt new internal strategies and practices. It will also require firms to hire or create more and different kinds of privacy experts, as lawyers seem ill suited on their own to drive design.
Second, while regulators call it "privacy by design," the approaches they have developed and promoted reflect a relatively narrow view of privacy: facilitating individual control over personal information. This is more aptly described as "fair information practices by design" and reflects the goals of a key promoter, the data protection regulators. Data protection-driven approaches have two important limitations: they are not aimed at system architects, designers, or coders6,7; and, while individual control may be the touchstone of data protection, it is not the sole touchstone of privacy. Building the right "privacy" into design is critical, and today regulators are advancing too cramped a definition. A concept as complex and multifaceted as privacy is not well served by a narrow, data protection-oriented approach. Regulators must adopt strategies that encourage designers to engage with multiple, context-dependent concepts of privacy. There are some indications this will happen, but ensuring it does is essential to the success of the privacy by design effort.5
Third, the success of this regulatory initiative turns on new privacy professionals. A field traditionally dominated by lawyers, auditors, and human resource professionals must find room for ethicists, social scientists, technical designers, architects, and engineers. Ideally, this new set of privacy professionals will be comfortable working at the intersection of law, ethics, social science, and technical design. Integrated approaches to protecting privacy are necessary if society hopes to reorient technology toward privacy's protection. While there is a growing body of academic research on values in technical design, there must be increased attention to developing curriculum to teach and train design professionals, and fostering the development of a professional community. Both are necessary to bring privacy design strategies into practice.
Over the past few years, we have looked at how corporations understand and manage privacy in different countries.1,2,3 Through our research, involving almost 100 interviews of leading privacy officers, regulators, and other privacy professionals in the U.S., Germany, France, Spain, and the U.K., we have identified a set of corporate approaches that are more aligned with integrating privacy into design, and the regulatory choices that seem to spur corporations to adopt them. Our research provides some insight into regulatory approaches likely to align corporate behavior with the privacy by design agenda.
We found similar and promising approaches to privacy management in leading German and U.S. firms.b The privacy work in these firms goes beyond rote compliance with data protection and privacy rules, more frequently and fully includes technical and design professionals, and is woven into the daily work of business units. Each firm had a high-level, strategic privacy lead overseeing privacy work that was integrated into business units, functional units, and product lines. Personnel responsible for privacy, and technologies and processes geared to raising and incorporating privacy concerns, were distributed throughout the firms. Privacy leads stressed the importance of embedding expertise within business units and designating specific staff personally responsible for privacy, typically through indirect reporting mechanisms, as essential to institutionalizing privacy. These distributed and decentralized systems positioned privacy as an input into the design of products and processes.
This embedded and decentralized system of organizing privacy aligns with privacy by design. It develops privacy experts knowledgeable about the specific technological and business choices, and situates them within the process of design where they can influence technical choices. This approach moves privacy outside the legal domain and into that of technology design and business processes.
A set of regulatory choices in Germany and the U.S. appear to encourage these sorts of embedded privacy structures and design-oriented approaches. First, in both countries regulatory choices push firms to view privacy as a strategic issue. Regulatory approaches in both countries require firms to interpret and adapt regulatory goals to address firm-specific issues. German law is more comprehensive and more detailed than the broad "unfair or deceptive practices" mandate that empowers the Federal Trade Commission, the lead U.S. privacy regulator; nonetheless, from the outset Germany envisioned the private sector playing a crucial role in meeting statutory objectives. This is reflected in the requirement that firms above a certain size threshold appoint an independent internal data protection officer. In the U.S., firms employ privacy professionals to interpret and navigate an ambiguous and shifting privacy landscape.
Second, in both countries privacy is connected to other ethical obligations placed on firms. In the U.S., privacy has been positioned as a contextually dependent and changing concept tied to consumer expectations and consumer protection. In Germany, privacy is tied to human and worker rights. Although the broader ethical frames differ, our interviewees credited these connections for corporate privacy responses that are more forward-looking and dynamic, rather than solely compliance focused.
Third, in both countries regulatory choices allow other constituents (privacy advocates, civil society, labor) to participate in defining a firm's privacy obligations. In Germany, our interviewees noted the influence of the independent works councils, which represent workers' interests, and of the independent Data Protection Officer, who represents societal privacy interests, as important constituents shaping firms' understanding of their privacy obligations. In the U.S., the wide range of participatory procedures provided by the FTC enabled privacy and consumer advocates to influence how firms and regulators understand privacy goals. Governance strategies that allow third parties to participate in defining the privacy obligations placed on corporations help transform privacy from an issue of legal compliance into one of "social license," a broader constraint on firms' social standing and reputation. This in turn pushes privacy outside the legal counsel's office.
Finally, both countries have chosen regulatory strategies that expose firms' privacy activities to outside scrutiny. In particular, security breach notification requirements, benchmarking activities, and public fines are used. Our interviewees claim the external shocks caused by these transparency-forcing regulations and events focus the attention of corporate executives, freeing up political and financial resources to protect privacy. In Germany, news of breaches travels quickly through the works councils and is used to improve corporate privacy management. In the U.S., reported breaches tied privacy to brand protection, increasing the attention paid to privacy by management, boards, shareholders, and business partners. Our interviewees report that the public salience of privacy, fed by transparency, drives corporations to view privacy protection as integral to maintaining corporate good standing and therefore to invest in privacy's systematic management.
Our research suggests that collectively these regulatory strategies lead firms to view privacy as a more salient business risk. In turn, privacy professionals are viewed as strategic experts necessary to interpret and mediate an uncertain external environment. Because they control important external resources, legal legitimacy and brand portrayal, privacy professionals gain greater influence and access to resources, and are able to break out of the role of legal compliance. In contrast, we found that the regulatory approaches in France and Spain, where privacy agencies interpret and fix the meaning of regulatory mandates with little consultation with regulated parties or other stakeholders, result in privacy leads who are less powerful and strategic, and in privacy management that is focused on compliance and auditing tasks.
Advancing privacy through design is an important regulatory initiative. Achieving it requires organizations to invest in systems that ensure privacy infuses decisions about processes, practices, and technical design. Our comparative analysis of how corporations respond to existing regulatory regimes reveals a set of often overlooked similarities in the regulatory choices of Germany and the U.S. that have led firms to view privacy as a strategic issue and to create structures that bring its consideration more fully and regularly into the design phase of products and services. This is a key insight for policymakers considering regulatory reform. Our work underscores the importance of considering both regulatory process and formal law as policymakers seek to shape the mindset and behavior of private firms to advance privacy through design choices.
1. Bamberger, K.A. and Mulligan, D.K. Privacy in Europe: Initial data on governance choices and corporate practices; http://bit.ly/16I7RGk
4. European Commission. Proposal for a regulation of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). COM (Jan. 25, 2012).
5. Federal Trade Commission. Protecting consumer privacy in an era of rapid change: A proposed framework for businesses and policymakers. (Dec. 2010); http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.
6. Gürses, S., Troncoso, C. and Diaz, C. Engineering privacy by design. In Proceedings of the International Conference on Privacy and Data Protection (CPDP) (2011); http://www.cosic.esat.kuleuven.be/publications/article-1542.pdf.
a. Executive Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Economy (Feb. 2012), http://www.whitehouse.gov/sites/default/files/privacy-final.pdf; U.S. Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (2012).
b. The privacy leads interviewed, "chief privacy officers" ("CPOs") or "data privacy officers" ("DPOs"), included those identified as field leaders by domain experts: leading privacy thinkers (both lawyers and nonlawyers) drawn from academia, legal practice (in-house and firms), trade groups, advocacy groups, consultancies, regulators, and journalists focusing on privacy issues. Questionnaires were used to collect biographical data about the interviewees and organizational information about the firm. Additional research involved the review of internal organizational charts and process documentation, and discussions with managers and engineers responsible for policy implementation in the firms.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2013 ACM, Inc.