2. Who are you?
Austin Chambers
Attorney at Lewis, Bess, Williams & Weese
CIPP/US, CIPP/E, CIPP/C
Data Privacy, Security and Intellectual Property
Practice focused on US and international privacy issues, and technology transactions.
GDPR & International privacy;
Privacy Shield certification;
EU-US and other cross-border data transfer agreements;
international and intercompany data licensing;
website and mobile app agreements;
marketing, email and advertising compliance;
information security programs;
data breach response;
software licensing and development
2
3. What will we cover?
PbD Fundamentals
Key legal considerations
Practical Application
4. Part I
Privacy by Design Fundamentals
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
5. What is Privacy by Design?
An approach to systems engineering that accounts for privacy at each stage of the product and information lifecycle
A system that integrates core privacy considerations into existing project management and risk management methodologies and policies
Engineering that takes human values into account throughout the system design process
USER CENTRIC
6. Benefits of Privacy by Design
Key Goals: build trust, mitigate risk, and comply with the law
The UK Information Commissioner’s Office describes the benefits as follows:
Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
Increased awareness of privacy and data protection across an organisation.
Organisations are more likely to meet their legal obligations and less likely to breach the data protection law.
Actions are less likely to be privacy intrusive and have a negative impact on individuals.
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/
7. 7 Principles of Privacy by Design
Proactive, not reactive; preventative, not remedial
Privacy as default setting
Privacy embedded into design
Full functionality (positive sum, not zero sum)
End-to-end security (full lifecycle protection)
Visibility and Transparency (keep it open)
Respect user privacy (keep it user centric)
https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf
8. Privacy by Design and the Information Lifecycle
PbD is key in various essential phases of the information lifecycle
For example, PbD is essential when:
building new IT systems for storing or accessing personal data;
developing policies or strategies that have privacy implications;
embarking on a data sharing initiative; or
using data for new purposes.
9. Part II
Legal and Practical Considerations
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
11. Core Principles: PII & Personal Data
“PII” – A person’s first or last name in combination with another piece of identifying information, such as an address, driver’s license number, etc.
“personal data” (EU) – any information relating to an identified/identifiable natural person
“sensitive information” – SSN, PHI, CC#, Financial
“sensitive information” (EU) – personal data relating to race, religious/philosophical beliefs, health/sex life, political affiliation/opinions, union membership
BUT, most laws exclude publicly available info, at least to some degree (CAN/EU = more limits)
12. Core Principles: PII & Personal Data
Any information relating to an identified/identifiable person
Identifying information relating to private individual
Unencrypted identifying information re: private individual
Sensitive information OR 2+ linked elements of identifying info
13. Core Principles: Overview
Notice + Consent
At primary collection
Legitimizes collection, disclosure
Establishes purpose of use
Must be non-deceptive
Purpose of Use
legitimate basis/unanticipated uses
Unauthorized disclosures
Automated decision-making
Contractual (price discrimination)
Statutory (discrimination against protected class)
Individual rights
Access
Modification
Choice
Retention/Deletion
Security/Risk Mitigation Measures
Administrative
Procedural
Technical
Systems design
Use of Crypto
Anonymization
14. Core Principles: Notice + Consent
Consent is the cornerstone of privacy law
US Law/§5
PIPEDA (CAN)
GDPR (EU)
Data rights established w/ notice by first party + user consent
Notice must describe use, collection, sharing, choices
Laws/contracts/standards may require specific degree of consent
15. Core Principles: Notice + Consent
What is consent?
Notice + Use: consumers must be notified of analytics in PP, but use = agree
Implied opt-in: implied right to collect/use for business reasons
Notice + opt out: to use email to send a newsletter, must give opt-out choice
Notice + opt in: to collect geolocation, users must choose to allow
16. Core Principles: Notice + Consent
GDPR Ar. 13 – Notice
Must provide notice of:
Categories of data collected
The purposes of the processing
The legal (legitimate) basis for processing
The recipients or categories of recipients of the data
Int’l transfer and basis
Any automated decision making or profiling + logic and significance or consequences
Additional notice obligations if data provided by third party
Requires improvements in notice:
plain language
“layered” notice
“just in time disclosures”
Standardized icons
17. Core Principles: Notice + Consent
GDPR Ar. 6-7
Consent generally required, unless exception:
Contractual necessity,
emergencies/vital interests,
legitimate interest,
legal requirements
Consent must be:
Informed
Freely given
“unambiguous” (“explicit” if SI)
revocable
PIPEDA - Principle 3
Notice and consent is the “Cornerstone” of Canadian privacy law
Prior express consent preferred, but sensitivity of info, expectations may vary
Must set out purposes
Consent is only valid if it is reasonable to expect the individual would understand the purpose and means
Consent not required for a use/disclosure that a “reasonable person would find appropriate in circumstances”
Balance! Think about users
18. Core Principles: Notice + Consent
Section 5 – FTC
Companies encouraged to take “privacy by design” approach
Say what you do, do what you say!
FTC focuses more on “harm” model – similar to ‘reasonable expectations’
Certain “commonly accepted” practices don’t require consent (fulfillment, compliance, fraud prevention, first party marketing)
For others, requires “informed, meaningful choices”
Notice and choice should be:
Provided in context of decision to agree
Concise, understandable
Encourage improving privacy notices
See “Protecting Consumers in an Era of Rapid Change”
E-Privacy Regulation
Users have rights under ePrivacy Regulation (online communications)
Right to opt-out of “automated decision-making” under GDPR
Opt-in consent required for behavioral advertising, analytics
Cookies
Online ads
Facebook pixels
Must be prior to collection!
Must provide choice (does system support?)
UX and documentation challenge
19. Core Principles: Purpose of Use
The purposes for which you may process information are generally limited
Scope of notice and consent sets limits on the right to share and use
PIPEDA, for example, requires that use/disclosure be limited to what is “appropriate in circumstances”
Consent generally required for uses beyond predictable/transactional use, such as:
Augmentation/Profiling
Marketing
Advertising/behavioral analytics
New, undisclosed uses
Consent required to disclose data if not an obvious part of the initial transaction, e.g. to:
Service providers
Marketers
Partners & co-owners
Sale of business
20. Core Principles: Purpose of Use
Ar. 5 – Processing Principles
Personal Data must be processed:
Lawfully, Fairly and Transparently
For specific, explicit, and legitimate purposes
Adequate, relevant, limited to purpose
“Proportionate”
Data minimization is key
Accurate
Stored for limited time
Securely
PIPEDA
Principles of PIPEDA:
Identification of purpose (Prin. 2)
Identify, document, notify of changes
Limiting collection (Prin. 4)
Collect only what is necessary for purpose
Limiting use, disclosure and retention (Prin. 5)
Don’t disclose/use in ways not expected
Don’t retain data forever
21. Core Principles: Individual Rights
Personal data is about people—they often retain rights in that data
Access
PIPEDA principle 9
Must provide all personal data, account for disclosures, demonstrate compliance with consent.
30 days!
Right does not exist in US law (but suggested)
Retention
Organization, consumer optics, storage cost
Liability & Litigation
Cost of Processing and analytics
Destruction
Data must be securely destroyed/wiped
22. Core Principles: Individual Rights
Ar. 15-21: Individual’s rights with respect to processing
Access (right to know all info req’d under notice)
Rectification (correct inaccuracies)
Erasure (RTBF -- if irrelevant/dated, consent withdrawn, unlawful, overriding individual right)
Limit use (inaccurate, not fit for purpose, unnecessary, overriding individual right)
Portability (NEW! – if based on consent or necessity, or if automated processing, right to receive data in exportable, open format.)
Object (to direct marketing, “solely automated decision-making with significant legal effects” unless necessary or consented)
24. Application: Privacy by Design
Article 25: Privacy & Security by Design
Given state of the art, cost of implementation, and nature, scope, context, purpose and risks of processing
Privacy measures to consider:
Anonymization
Pseudonymization
Data minimization
Security measures to consider:
Confidentiality & encryption (at rest, in transit)
Access (Least privilege, need to know)
Update and vulnerability management
Balancing security and usability
25. Application: Privacy Impact Assessment
Article 35: DPIA
If high risk to rights and freedom, must carry out assessment of impact on individual privacy
Required if:
Systematic and extensive evaluation of personal aspects, e.g. profiling where decisions produce legal or similar effects
Large scale processing of sensitive data
Systematic monitoring of public area (CCTV)
Must produce:
Description of system and processing ops
Assessment of necessity and proportionality of processing
Description of risk mitigation measures
26. Conducting a DPIA
PRODUCT DESIGN
Notice
Short form/icons, etc.
Just in time disclosure
Unambiguousness/Explicitness
Third party notice req’s
Consent
Language and means
Business issues
Data Minimization
SYSTEMS DESIGN
Managing consents
documentation
revocation
Process limitation
Fair & lawful
Restricted to identified purposes
Ensuring individual rights
Portability
Access
Anonymization
Retention
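The systems-design column above lists things the product must actually implement: consent management with documentation and revocation, processing restricted to identified purposes, access/portability, and retention. As an added example that is not from the slides, a minimal consent ledger in Python that enforces those points; the user ids, purpose strings, notice versions and the 730-day inactivity window are constructed for illustration, not taken from any regulation or product.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
import json

@dataclass
class ConsentEvent:
    purpose: str         # the specific purpose chosen, e.g. "analytics"
    granted: bool        # True = opt-in, False = withdrawal (consent is revocable)
    at: datetime         # when the choice was made
    notice_version: str  # which privacy notice the user saw (documents the consent)

@dataclass
class ConsentLedger:
    events: dict = field(default_factory=dict)         # user_id -> [ConsentEvent]
    inactivity_limit: timedelta = timedelta(days=730)  # hypothetical retention policy

    def record(self, user_id, purpose, granted, at, notice_version):
        self.events.setdefault(user_id, []).append(ConsentEvent(purpose, granted, at, notice_version))
    def may_process(self, user_id, purpose, now):
        # Purpose limitation: latest choice for this exact purpose, made before processing; no record means no consent.
        latest = None
        for ev in self.events.get(user_id, []):
            if ev.purpose == purpose and ev.at <= now and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.granted
    def export(self, user_id):
        # Access / portability: the user's own consent history in an open format (JSON).
        return json.dumps([{**asdict(e), "at": e.at.isoformat()} for e in self.events.get(user_id, [])])
    def purge_inactive(self, now):
        # Retention: forget users whose last recorded interaction is outside the policy window.
        stale = [u for u, evs in self.events.items() if now - max(e.at for e in evs) > self.inactivity_limit]
        for u in stale:
            del self.events[u]
        return stale

def demo():
    # Constructed data: user-1 opts in to analytics, later withdraws; user-2 has gone stale.
    t0, day = datetime(2018, 5, 25, tzinfo=timezone.utc), timedelta(days=1)
    ledger = ConsentLedger()
    ledger.record("user-1", "analytics", True, t0, "notice-v1")
    ledger.record("user-1", "analytics", False, t0 + 30 * day, "notice-v1")
    ledger.record("user-2", "newsletter", True, t0 - 900 * day, "notice-v0")
    return {
        "before_consent": ledger.may_process("user-1", "analytics", t0 - day),
        "while_granted": ledger.may_process("user-1", "analytics", t0 + day),
        "other_purpose": ledger.may_process("user-1", "newsletter", t0 + day),
        "after_withdrawal": ledger.may_process("user-1", "analytics", t0 + 31 * day),
        "exported_events": len(json.loads(ledger.export("user-1"))),
        "purged": ledger.purge_inactive(t0),
    }
```

The "before_consent" case is the "must be prior to collection" point from the ePrivacy slide: a consent recorded after the processing time does not legitimise it.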
27. ‘Classic’ Notice and Consent
GOOGLE’S PRIVACY UX DURING ACCOUNT CREATION
ACCOUNTS.GOOGLE.COM/SIGNUP
28. Can’t get acc’t without agreement
(href: summary for each item)
36. Notice how you get clarifying examples when you hover over sections with dotted lines… This is a ‘layered’ notice
37. ‘Supplemental’ Notice and Consent
SOLVING THE EXISTING USER DILEMMA (WHEN THINGS CHANGE) – AN EXAMPLE OF GOOGLE’S GDPR EFFORTS
GOOGLE.COM SEARCH QUERY OF THEN-CURRENT IP ADDRESS FROM GERMAN IP
38. GDPR & Google – New Privacy Notice/Consent
An example of implementing GDPR notice to existing users
Notice & consent typically occurs at registration/service activation/initial config etc.
This creates an issue should data practices and/or legal requirements change (especially given how many people already use Google)
The following examples show how Google attempts to address that problem
Note that this notice:
Appears ONLY in EU (I accessed Google via VPN using a German IP address)
Is annoyingly placed at the top of search results so that you see it
Persists until you make it go away
Recurs if you log out of your account or tell it to go away temporarily
Is easy to read
Has handy links throughout
Not sure, but I’d venture a guess that if you click OK when logged in, Google logs date/time/IP to prove you agreed
45. Group Problem: IOT
You’re developing a new home wifi speaker. You’d like to integrate voice control, access Spotify, and stream from phone to speaker seamlessly.
To compete in the saturated market, marketing is key, especially online ads
Botnets are an increasing risk, and have been known to hijack IOT devices in attacks
Consumers increasingly wary of IOT decisions breaking devices
Meet someone, talk, ask questions, and think through a problem & solution to one of the following issues:
Limited UI
Broad range, ages of users (risk profile?)
Diagnostics/QA/QI and broad definition of personal data
Marketing information vs device information
Security limitations (e.g. updates)
Access/individual rights requests
Device ownership concerns
Third party integrations (e.g. AI)
Trust & branding