2. Who are you?
Austin Chambers
Attorney at Lewis, Bess, Williams & Weese
CIPP/US, CIPP/E, CIPP/C
Data Privacy, Security and Intellectual Property
Practice focused on US and international privacy issues, and technology transactions.
GDPR & International privacy;
Privacy Shield certification;
EU-US and other cross-border data transfer agreements;
international and intercompany data licensing;
website and mobile app agreements;
marketing, email and advertising compliance;
information security programs;
data breach response;
software licensing and development
3. What will we cover?
PbD Fundamentals
Key legal considerations
Practical Application
4. Part I
Privacy by Design Fundamentals
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
5. What is Privacy by Design?
An approach to systems engineering that accounts for privacy at each stage of the product and information lifecycle
System that integrates core privacy considerations into existing project management and risk management methodologies and policies.
Engineering that takes human values into account throughout the system design process
USER CENTRIC
6. Benefits of Privacy by Design
Key Goals: build trust, mitigate risk, and comply with the law
The UK Information Commissioner’s Office describes the benefits as follows:
Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
Increased awareness of privacy and data protection across an organisation.
Organisations are more likely to meet their legal obligations and less likely to breach the data protection law.
Actions are less likely to be privacy intrusive and have a negative impact on individuals.
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/
7. 7 Principles of Privacy by Design
Proactive, not reactive; preventative, not remedial
Privacy as default setting
Privacy embedded into design
Full functionality (positive sum, not zero sum)
End-to-end security (full lifecycle protection)
Visibility and Transparency (keep it open)
Respect user privacy (keep it user centric)
https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf
8. Privacy by Design and the Information Lifecycle
PbD is key in various essential phases of the information lifecycle
For example, PbD is essential when:
building new IT systems for storing or accessing personal data;
developing policies or strategies that have privacy implications;
embarking on a data sharing initiative; or
using data for new purposes.
9. Part II
Legal and Practical Considerations
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
11. Core Principles: PII & Personal Data
“PII” – A person’s first or last name in combination with another piece of identifying information, such as an address, driver’s license number, etc.
“personal data” (EU) – any information relating to an identified or identifiable natural person
“sensitive information” – SSN, PHI, CC#, Financial
“sensitive information” (EU) – personal data relating to race, religious/philosophical beliefs, health/sex life, political affiliation/opinions, union membership
BUT, most laws usually exclude publicly available info, at least to some degree (CAN/EU = more limits)
12. Core Principles: PII & Personal Data
Any information relating to an identified/identifiable person
Identifying information relating to private individual
Unencrypted identifying information re: private individual
Sensitive information OR 2+ linked elements of identifying info
13. Core Principles: Overview
Notice + Consent
At primary collection
Legitimizes collection, disclosure
Establishes purpose of use
Must be non-deceptive
Purpose of Use
legitimate basis/unanticipated uses
Unauthorized disclosures
Automated decision-making
Contractual (price discrimination)
Statutory (discrimination against protected class)
Individual rights
Access
Modification
Choice
Retention/Deletion
Security/Risk Mitigation Measures
Administrative
Procedural
Technical
Systems design
Use of Crypto
Anonymization
14. Core Principles: Notice + Consent
Consent is the cornerstone of privacy law
US Law/§5
PIPEDA (CAN)
GDPR (EU)
Data rights established w/ notice by first party + user consent
Notice must describe use, collection, sharing, choices
Laws/contracts/standards may require specific degree of consent
15. Core Principles: Notice + Consent
What is consent?
Notice + Use
Consumers must be notified of analytics in PP, but use = agree
Implied opt-in
Implied right to collect/use for business reasons
Notice + opt out
To use email to send a newsletter, must give opt-out choice
Notice + opt in
To collect geolocation, users must choose to allow
16. Core Principles: Notice + Consent
GDPR Art. 13 – Notice
Must provide notice of:
Categories of data collected
The purposes of the processing
The legal (legitimate) basis for processing
The recipients or categories of recipients of the data
Int’l transfer and basis
Any automated decision making or profiling + logic and significance or consequences
Additional notice obligations if data provided by third party
Requires improvements in notice:
plain language
“layered” notice
“just in time disclosures”
Standardized icons
17. Core Principles: Notice + Consent
GDPR Art. 6-7
Consent generally required, unless exception:
Contractual necessity,
emergencies/vital interests,
legitimate interest,
legal requirements
Consent must be:
Informed
Freely given
“unambiguous” (“explicit” if SI)
revocable
PIPEDA - Principle 3
Notice and consent is the “cornerstone” of Canadian privacy law
Prior express consent preferred, but sensitivity of info, expectations may vary
Must set out purposes
Consent is only valid if reasonable to expect the individual would understand purpose and means
Consent not required for a use/disclosure that a “reasonable person would find appropriate in circumstances”
Balance! Think about users
18. Core Principles: Notice + Consent
Section 5 – FTC
Companies encouraged to take “privacy by design” approach
Say what you do, do what you say!
FTC focuses more on “harm” model – similar to ‘reasonable expectations’
Certain “commonly accepted” practices don’t require consent (fulfillment, compliance, fraud prevention, first party marketing)
Other uses require “informed, meaningful choices”
Notice and choice should be:
Provided in context of decision to agree
Concise, understandable
Encourage improving privacy notices
See “Protecting Consumers in an Era of Rapid Change”
E-Privacy Regulation
Users have rights under ePrivacy Regulation (online communications)
Right to opt-out of “automated decision-making” under GDPR
Opt-in consent required for behavioral advertising, analytics:
Cookies
Online ads
Facebook pixels
Must be prior to collection!
Must provide choice (does system support?)
UX and documentation challenge
19. Core Principles: Purpose of Use
The purposes for which you may process information are generally limited
Scope of notice and consent sets limits on the right to share and use
PIPEDA, for example, requires that use/disclosure must be limited to what is “appropriate in circumstances”
Consent generally required for uses beyond predictable/transactional use, such as:
Augmentation/Profiling
Marketing
Advertising/behavioral analytics
New, undisclosed uses
Consent required to disclose data if not obvious part of initial transaction, e.g. to:
Service providers
Marketers
Partners & co-owners
Sale of business
20. Core Principles: Purpose of Use
Art. 5 – Processing Principles
Personal Data must be processed:
Lawfully, Fairly and Transparently
For specific, explicit, and legitimate purposes
Adequate, relevant, limited to purpose
“Proportionate”
Data minimization is key
Accurate
Stored for limited time
Securely
PIPEDA
Principles of PIPEDA:
Identification of purpose (Prin. 2)
Identify, document, notify of changes
Limiting collection (Prin. 4)
Collect only what is necessary for purpose
Limiting use, disclosure and retention (Prin. 5)
Don’t disclose/use in ways not expected
Don’t retain data forever
21. Core Principles: Individual Rights
Personal data is about people—they often retain rights in that data
Access
PIPEDA principle 9
Must provide all personal data, account for disclosures, demonstrate compliance with consent.
30 days!
Right does not exist in US law (but suggested)
Retention
Organization, consumer optics, storage cost
Liability & Litigation
Cost of Processing and analytics
Destruction
Data must be securely destroyed/wiped
22. Core Principles: Individual Rights
Art. 15-21: Individual’s rights with respect to processing
Access (right to know all info req’d under notice)
Rectification (correct inaccuracies)
Erasure (RTBF -- if irrelevant/dated, consent withdrawn, unlawful, overriding individual right)
Limit use (inaccurate, not fit for purpose, unnecessary, overriding individual right)
Portability (NEW! – if based on consent or necessity, or if automated processing, right to receive data in exportable, open format.)
Object (to direct marketing, “solely automated decision-making with significant legal effects” unless necessary or consented)
24. Application: Privacy by Design
Article 25: Privacy & Security by Design
Given state of the art, cost of implementation, and nature, scope, context, purpose and risks of processing
Privacy measures to consider:
Anonymization
Pseudonymization
Data minimization
Security measures to consider:
Confidentiality & encryption (at rest, in transit)
Access (Least privilege, need to know)
Update and vulnerability management
Balancing security and usability
25. Application: Privacy Impact Assessment
Article 35: DPIA
If high risk to rights and freedom, must carry out assessment of impact on individual privacy
Required if:
Systematic and extensive evaluation of personal aspects, e.g. profiling where decisions produce legal or similar effects
Large scale processing of sensitive data
Systematic monitoring of public area (CCTV)
Must produce:
Description of system and processing ops
Assessment of necessity and proportionality of processing
Description of risk mitigation measures
26. Conducting a DPIA
PRODUCT DESIGN
Notice
Short form/icons, etc.
Just in time disclosure
Unambiguousness/Explicitness
Third party notice req’s
Consent
Language and means
Business issues
Data Minimization
SYSTEMS DESIGN
Managing consents
documentation
revocation
Process limitation
Fair & lawful
Restricted to identified purposes
Ensuring individual rights
Portability
Access
Anonymization
Retention
27. ‘Classic’ Notice and Consent
GOOGLE’S PRIVACY UX DURING ACCOUNT CREATION
ACCOUNTS.GOOGLE.COM/SIGNUP
28. Can’t get acc’t without agreement
(href: summary for each item)
36. Notice how you get clarifying examples when you hover over sections with dotted lines… This is a ‘layered’ notice
37. ‘Supplemental’ Notice and Consent
SOLVING THE EXISTING USER DILEMMA (WHEN THINGS CHANGE) – AN EXAMPLE OF GOOGLE’S GDPR EFFORTS
GOOGLE.COM SEARCH QUERY OF THEN-CURRENT IP ADDRESS FROM GERMAN IP
38. GDPR & Google – New Privacy Notice/Consent
An example of implementing GDPR notice to existing users
Notice & consent typically occurs at registration/service activation/initial config etc.
This creates an issue should data practices and/or legal requirements change (especially given how many people already use Google)
The following examples show how Google attempts to address that problem
Note that this notice:
Appears ONLY in EU (I accessed Google via VPN using German IP address)
Is annoyingly placed at the top of search results so that you see it
Persists until you make it go away
Recurs if you log out of your account or tell it to go away temporarily
Is easy to read
Has handy links throughout
Not sure, but I’d venture a guess that if you click OK when logged in, Google logs date/time/IP to prove you agreed
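As an added example (not from the slides, and not Google's implementation): a small consent ledger in Python that models the three consent models from the Notice + Consent slides (implied opt-in, notice + opt-out, notice + opt-in), keeps each decision with its notice version and timestamp so documentation and revocation live in one auditable history, flags the opt-in purposes that need fresh consent when the notice changes (the existing-user dilemma described above), and exports the history for an access or portability request. The purpose register and its consent-model assignments are assumptions made for illustration.

```python
# Added example, not from the deck: a consent ledger for the consent models above.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

IMPLIED, OPT_OUT, OPT_IN = "implied", "opt_out", "opt_in"
# Hypothetical purpose register: which consent model each purpose needs.
PURPOSES = {
    "analytics": IMPLIED,      # disclosed in the privacy policy; use = agree
    "newsletter": OPT_OUT,     # lawful until the user opts out
    "geolocation": OPT_IN,     # user must actively allow
    "behavioral_ads": OPT_IN,  # prior opt-in required (ePrivacy)
}

@dataclass
class ConsentEvent:
    purpose: str
    granted: bool        # False records an opt-out or a revocation
    notice_version: str  # the privacy notice the user saw at the time
    at: str              # UTC timestamp kept as evidence of the decision

@dataclass
class ConsentLedger:
    current_notice: str
    events: list = field(default_factory=list)

    def record(self, purpose, granted, notice_version, at=None):
        # Append-only, so earlier decisions stay auditable (documentation + revocation).
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        at = at or datetime.now(timezone.utc).isoformat()
        self.events.append(ConsentEvent(purpose, granted, notice_version, at))

    def permitted(self, purpose):
        e = next((e for e in reversed(self.events) if e.purpose == purpose), None)
        if e is not None and not e.granted:
            return False  # an opt-out or revocation always wins
        if PURPOSES[purpose] == OPT_IN:
            # opt-in needs an affirmative grant given under the notice now in force
            return e is not None and e.notice_version == self.current_notice
        return True  # implied / opt-out models: allowed absent an objection

    def needs_reconsent(self):
        # Opt-in purposes with no decision recorded under the current notice yet.
        seen = {e.purpose for e in self.events if e.notice_version == self.current_notice}
        return [p for p, m in PURPOSES.items() if m == OPT_IN and p not in seen]

    def export(self):
        # Access / portability: the subject's consent history in an open format.
        return json.dumps([e.__dict__ for e in self.events], indent=2)
```

Bumping `current_notice` is what turns a previously valid opt-in into a pending re-consent, which is the same problem the persistent search-page banner above is solving for existing users.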
45. Group Problem: IoT
You’re developing a new home wifi speaker. You’d like to integrate voice control, access Spotify, and stream from phone to speaker seamlessly.
To compete in the saturated market, marketing is key, especially online ads
Botnets are an increasing risk, and have been known to hijack IoT devices in attacks
Consumers increasingly wary of IoT decisions breaking devices
Meet someone, talk, ask questions, think through a problem & solution to one of the following issues:
Limited UI
Broad range, ages of users (risk profile?)
Diagnostics/QA/QI and broad definition of personal data
Marketing information vs device information
Security limitations (e.g. updates)
Access/individual rights requests
Device ownership concerns
Third party integrations (e.g. AI)
Trust & branding