privacy by design GDPR Austin Chambers

1. Privacy by Design
CONSIDERATIONS UNDER PRIVACY LAW (& GDPR!)
1

2. Who are you?
Austin Chambers
 Attorney at Lewis, Bess, Williams & Weese
 CIPP/US, CIPP/E, CIPP/C
 Data Privacy, Security and Intellectual Property
 Practice focused on US and international
privacy issues, and technology transactions.
 GDPR & International privacy;
 Privacy Shield certification;
 EU-US and other cross-border data transfer
agreements;
 international and intercompany data licensing;
 website and mobile app agreements;
 marketing, email and advertising compliance;
 information security programs;
 data breach response; software licensing and
development
2

3. What will we cover?
PbD
Fundamentals
Key legal
considerations
Practical
Application
3

4. Part I
Privacy by Design Fundamentals
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
4

5. What is Privacy by Design?
 An approach to systems engineering that accounts for privacy at
each stage of the product and information lifecycle
 System that integrates core privacy considerations into existing
project management and risk management methodologies and
policies.
 Engineering that takes human values into account throughout the
system design process
USER CENTRIC
5

6. Benefits of Privacy by Design
Key Goals: build trust, mitigate risk, and comply with the law
The UK Information Commissioner’s Office describes the benefits as follows:
 Designing projects, processes, products or systems with privacy in mind
at the outset can lead to benefits which include:
 Potential problems are identified at an early stage, when addressing them
will often be simpler and less costly.
 Increased awareness of privacy and data protection across an
organisation.
 Organisations are more likely to meet their legal obligations and less likely to
breach the data protection law.
 Actions are less likely to be privacy intrusive and have a negative impact
on individuals.
6
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/

7. 7 Principles of Privacy by Design
 Proactive, not reactive; preventative, not remedial
 Privacy as default setting
 Privacy embedded into design
 Full functionality (positive sum, not zero sum)
 End-to-end security (full lifecycle protection)
 Visibility and Transparency (keep it open)
 Respect user privacy (keep it user centric)
7
https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf

8. Privacy by Design and the
Information lifecycle
 PbD is key in various essential phases of the information lifecycle
 For example, PbD is essential when:
 building new IT systems for storing or accessing personal data;
 developing policies or strategies that have privacy implications;
 embarking on a data sharing initiative; or
 using data for new purposes.
8

9. Part II
Legal and Practical Considerations
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
9

10. Collection
Use
Disclosure
Access/
Retention
Destruction
Privacy by Design
requires
contemplating each
phase of the
information lifecycle
Core Principles:
Information Lifecycle
10

11. Core Principles: PII & Personal Data
 “PII” – A person’s first or last name in combination with another
piece of identifying information, such as an address, driver’s license
number, etc.
 “personal data” (EU) – any information relating to a
identified/identifiable natural person
 “sensitive information” – SSN, PHI, CC#, Financial
 “sensitive information” (EU) – personal data relating to race,
religious/philosophical beliefs, health/sex life, political
affiliation/opinions, union membership
 BUT, most laws usually exclude publically available info, at least to
some degree (CAN/EU = more limits)
11

12. Core Principles: PII & Personal Data
Any information relating to an
identified/identifiable person
Identifying information relating to private
individual
Unencrypted identifying information re:
private individual
Sensitive information OR 2+ linked elements
of identifying info
12

13. Core Principles: Overview
 Notice + Consent
 At primary collection
 Legitimizes collection, disclosure
 Establishes purpose of use
 Must be non-deceptive
 Purpose of Use
 legitimate basis/unanticipated
uses
 Unauthorized disclosures
 Automated decision-making
 Contractual (price discrimination)
 Statutory (discrimination against
protected class)
 Individual rights
 Access
 Modification
 Choice
 Retention/Deletion
 Security/Risk Mitigation Measures
 Administrative
 Procedural
 Technical
 Systems design
 Use of Crypto
 Anonymization
13

14. Core Principles: Notice +
Consent
 Consent is the cornerstone of
privacy law
 US Law/§5
 PIPEDA (CAN)
 GDPR (EU)
 Data rights established w/ notice
by first party + user consent
 Notice must describe use,
collection, sharing, choices
 Laws/contracts/standards may
require specific degree of consent
14

15. Core Principles: Notice +
Consent
What is consent?
 Notice + Use
 Consumers must
be notified of
analytics in PP,
but use = agree
 Implied opt-in
 Implied right to
collect/use for
business reasons
 Notice + opt out
 To use email to
send a newsletter,
must give opt-out
choice
 Notice + opt in
 To collect
geolocation,
users must choose
to allow
15

16. Core Principles: Notice + Consent
GDPR Ar. 13 – Notice
Must provide notice of:
 Categories of data collected
 The purposes of the processing
 The legal (legitimate) basis for
processing
 The recipients or categories of
recipients of the data,
 Int’l transfer and basis
Any automated decision
making or profiling + logic and
significance or consequences
Additional notice obligations if data
provided by third party
Requires improvements in notice
 plain language
 “layered” notice
 “just in time disclosures”
 Standardized icons
16

17. Core Principles: Notice + Consent
GDPR Ar. 6-7
 Consent generally required, unless
exception:
 Contractual necessity,
 emergencies/vital interests,
 legitimate interest
 legal requirements
 Consent must be:
 Informed
 Freely given
 ”unambiguous” (“explicit” if SI)
 revocable
PIPEDA - Principle 3
 Notice and consent is the
“Cornerstone” of Canadian privacy
law
 Prior express consent preferred, but
sensitivity of info, expectations may
vary
 Must set out purposes
 Consent is only valid if reasonable to
expect the individual would
understand purpose and means
 Consent not required if
use/disclosure if ”reasonable person
would find appropriate in
circumstances”
 Balance! Think about users
17

18. Core Principles: Notice + Consent
Section 5 – FTC
 Companies encouraged to take “privacy by
design” approach
 Say what you do, do what you say!
 FTC focuses more on “harm” model – similar
to ‘reasonable expectations’
 Certain “commonly accepted” practices
don’t require consent (fulfillment, compliance,
fraud prevention, first party marketing)
 For other requires “informed, meaningful
choices”
 Notice and choice should be:
 Provided in context of decision to agree
 Concise, understandable
 Encourage improving privacy notices
 See “Protecting Consumers in an Era of
Rapid Change”
E-Privacy Regulation
 Users have rights under ePrivacy
Regulation (online communications)
 Right to opt-out of “automated decision-
making” under GDPR
 Opt-in consent required for behavioral
advertising, analytics
 Cookies
 Online ads
 Facebook pixels
 Must be prior to collection!
 Must provide choice (does system
support?)
 UX and documentation challenge
18

19. Core Principles: Purpose of Use
The purposes you may process information are generally limited
 Scope of notice, consent sets limits right to share, use
 PIPEDA, for example, requires that use/disclosure must be limited to what is
“appropriate in circumstances”
 Consent generally required for uses beyond predictable/transactional use, such as:
 Augmentation/Profiling
 Marketing
 Advertising/behavioral analytics
 New, undisclosed uses
 Consent required to disclose data if not obvious part of initial transaction, e.g. to:
 Service providers
 Marketers
 Partners & co-owners
 Sale of business
19

20. Core Principles: Purpose of Use
Ar 5 – Processing Principles
Personal Data must be processed :
 Lawfully, Fairly and Transparently
 For specific, explicit, and
legitimate purposes
 Adequate, relevant, limited to
purpose
 “Proportionate”
 Data minimization is key
 Accurate
 Stored for limited time
 Securely
PIPEDA
Principles of PIPEDA :
 Identification of purpose (Prin. 2)
 Identify, document, notify of
changes
 Limiting collection (Prin. 4)
 Collect only what is necessary for
purpose
 Limiting use, disclosure and
retention (Prin. 5)
 Don’t disclose/use in ways not
expected
 Don’t retain data forever
20

21. Core Principles: Individual Rights
Personal data is about people—they often retain rights in that data
 Access
 PIPEDA principle 9
 Must provide all personal data, account for disclosures, demonstrate compliance with
consent.
 30 days!
 Right Does not exist in US law (but suggested)
 Retention
 Organization, consumer optics, storage cost
 Liability & Litigation
 Cost of Processing and analytics
 Destruction
 Data must be securely destroyed/wiped
21

22. Core Principles: Individual Rights
Ar. 15-21: Individual’s rights with respect to processing
 Access (right to know all info req’d under notice)
 Rectification (correct inaccuracies)
 Erasure (RTBF -- if irrelevant/dated, consent withdrawn, unlawful,
overriding individual right)
 Limit use (inaccurate, not fit for purpose, unnecessary, overriding
individual right)
 Portability (NEW! – if based on consent or necessity, or if automated
processing, right to receive data in exportable, open format.)
 Object (to direct marketing, “solely automated decision-making
with significant legal effects” unless necessary or consented)
22

23. Part III
Application
23

24. Application: Privacy by Design
Article 25: Privacy & Security by Design
 Given state of the art, cost of implementation, and nature, scope,
context, purpose and risks of processing
 Privacy measures to consider:
 Anonymization
 Pseudonoymization
 Data minimization
 Security measures to consider
 Confidentiality & encryption (at rest, in transit)
 Access (Least privilege, need to know)
 Update and vulnerability management
 Balancing security and usability
24

25. Application: Privacy Impact
Assessment
Article 35: DPIA
 If high risk to rights and freedom, must carry out assessment of impact
on individual privacy
 Required if:
 Systematic and extensive evaluation of personal aspects, e.g. profiling
where decisions produce legal or similar effects
 Large scale processing of sensitive data
 Systematic monitoring of public area (cctv)
 Must produce:
 Description of system and processing ops
 Assessment of necessity and proportionality of processing
 Description of risk mitigation measures
25

26. Conducting a DPIA
PRODUCT DESIGN
 Notice
 Short form/icons, etc.
 Just in time disclosure
 Unambiguousness/Explicitness
 Third party notice req’s
 Consent
 Language and means
 Business issues
 Data Minimization
SYSTEMS DESIGN
 Managing consents
 documentation
 revocation
 Process limitation
 Fair & lawful
 Restricted to identified purposes
 Ensuring individual rights
 Portability
 Access
 Anonymization
 Retention
26

27. ‘Classic’ Notice and Consent
GOOGLE’S PRIVACY UX DURING ACCOUNT CREATION
ACCOUNTS.GOOGLE.COM/SIGNUP
27

28. Can’t get acc’t without agreement
(href: summary for each item)
28

29. Additional info for account
creation data
ACCOUNTS.GOOGLE.COM/SIGNUP
29

30. 30

31. Summary privacy notice during
account creation
ACCOUNTS.GOOGLE.COM/SIGNUP
31

32. Makes
method of
consent
clear
Get more info
Can’t agree ‘til you read
Practical, easy-to-read summary
32

33. Click here =
consent
33

34. Google’s Full Privacy Notice
GOOGLE.COM/POLICIES/PRIVACY
34

35. Easy
Navigation
Relevant links
Historical record so you can see
what’s changed (1999 was such
an idealistic time)
35

36. Notice how you get clarifying
examples when you hover over
sections with dotted lines… This is a
‘layered’ notice
36

37. ‘Supplemental’ Notice and
Consent
SOLVING THE EXISTING USER DILEMMA (WHEN THINGS CHANGE) – AN EXAMPLE OF
GOOGLE’S GDPR EFFORTS
GOOGLE.COM SEARCH QUERY OF THEN-CURRENT IP ADDRESS FROM GERMAN IP
37

38. GDPR & Google – New Privacy
Notice/Consent
 An example of implementing GDPR notice to existing users
 Notice & consent typically occurs at registration/service activation/initial config etc.
 This creates an issue should data practices and/or legal requirements change
(especially given how many people already use Google)
 The following examples show how Google attempts to address that problem
 Note that this notice:
 Appears ONLY in EU (I accessed Google via VPN using German IP address)
 Is annoyingly placed at the top of search results so that you see it
 Persists until you make it go away
 Recurs if you log out of your account or tell it to go away temporarily
 Is easy to read
 Has handy links throughout
 Not sure, but I’d venture a guess that if you click OK when logged in, Google logs
date/time/IP to prove you agreed
38

39. 39

40. 40

41. 41

42. 42

43. 43

44. Systems Design Considerations
IOT IMPLEMENTATION
44

45. Group Problem: IOT
 You’re developing a new home wifi
speaker. You’d like to integrate
voice control, access Spotify, stream
from phone to speaker seamlessly.
 To compete in the saturated market,
marketing is key, especially online
ads
 Botnets are an increasing risk, and
have been known to hijack IOT
devices in attacks
 Consumers increasingly wary of IOT
decisions breaking devices
 Meet someone, talk, ask questions
think through a problem & solution
to one of the following issues:
 Limited UI
 Broad range, ages of users (risk
profile?)
 Diagnostics/QA/QI and broad
definition of personal data
 Marketing information vs device
information
 Security limitations (e.g. updates)
 Access/individual rights requests
 Device ownership concerns
 Third party integrations (e.g. AI)
 Trust & branding
45

46. “
”
Thanks
everyone!
CONTACT INFO:
Austin T. Chambers
Associate | CIPP/US, CIPP/C, CIPP/E
Lewis, Bess, Williams & Weese, P.C.
O: +1.303.228.2508
achambers@lewisbess.com
46