Privacy by Design: Origin and Purpose


Protecting Privacy

In an era of rapid technological advances in which giant social media corporations have access to the data of millions of users and data breaches occur frequently, privacy has become a topic of much discussion and interest.

How can privacy be protected? What principles should organizations follow to protect personal information when developing new digital services and tools? At what point should privacy become a consideration in the lifecycle of a service or product?

One framework, called Privacy by Design (PbD), is widely recognized as an effective means to protect the privacy of individuals. This HillNote examines PbD’s origin and purpose and how it has been recognized at the national and international levels.

History and Foundational Principles

PbD is founded on the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; privacy assurance should instead become an organization’s default mode of operation. The PbD framework was developed by the former information and privacy commissioner of Ontario, Ann Cavoukian, in the 1990s. In a paper on PbD, Dr. Cavoukian explained the concept as follows:

Privacy must be incorporated into networked data systems and technologies, by default. Privacy must become integral to organizational priorities, project objectives, design processes, and planning operations. Privacy must be embedded into every standard, protocol and process that touches our lives. [Emphasis in the original]

The following table provides the descriptions of the seven foundational principles of PbD as articulated by Dr. Cavoukian.

Table 1 – The Seven Foundational Principles of Privacy by Design

Principle 1 – Proactive not reactive; preventative not remedial

The Privacy by Design (PbD) framework is characterized by the taking of proactive rather than reactive measures. It anticipates risks and prevents privacy-invasive events before they occur. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred; it aims to identify the risks and prevent the harms from arising.

Principle 2 – Privacy as the default setting

PbD seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice, as the default. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual in order to protect their privacy – it is already built into the system by default.

Principle 3 – Privacy embedded into design

Privacy measures are embedded into the design and architecture of IT systems and business practices. They are not bolted on as add-ons after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is thus integral to the system without diminishing functionality.

Principle 4 – Full functionality: positive-sum, not zero-sum

PbD seeks to accommodate all legitimate interests and objectives in a positive-sum, “win-win” manner, not through the dated, zero-sum (either/or) approach, where unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is indeed possible to have both.

Principle 5 – End-to-end security: full lifecycle protection

PbD, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved – strong security measures are essential to privacy from start to finish. This ensures that all data are securely collected, used, retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, PbD ensures cradle-to-grave, secure lifecycle management of information, end to end.

Principle 6 – Visibility and transparency: keep it open

PbD seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact operating according to the stated promises and objectives, subject to independent verification. The data subject is made fully aware of the personal data being collected and for what purpose(s). All the component parts and operations remain visible and transparent to users and providers alike.

Principle 7 – Respect for user privacy: keep it user-centric

Above all, PbD requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice and empowering user-friendly options. The goal is to ensure user-centred privacy in an increasingly connected world.

Source: Table prepared by the Library of Parliament using data obtained from Ann Cavoukian, Privacy and Big Data Institute, Privacy by Design: The 7 Foundational Principles, Ryerson University.

International Recognition of Privacy by Design

In 2010, PbD became an international standard when a formal resolution recognizing the framework as an essential component of fundamental privacy protection was adopted at the 32nd International Conference of Data Protection and Privacy Commissioners (since renamed Global Privacy Assembly). Created in 1979, this forum provides international leadership in data protection and privacy.

Since 2010, the principles underpinning PbD have been translated into multiple languages and are being used around the world.

This global recognition is perhaps best illustrated by the incorporation of the international standard into the European Union General Data Protection Regulation (GDPR). The GDPR came into force in May 2018 and is considered by many to be a gold standard in data protection. Article 25 of the GDPR is entitled “Data protection by design and by default” and imposes legal obligations in that regard.

Privacy by Design in Canada

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal data protection law that applies to the use, collection and disclosure of personal information in the course of commercial activities by organizations in the private sector and businesses that fall under federal jurisdiction. However, PIPEDA has not undergone any substantial reform since its adoption in 2000. The only significant amendments in recent years are contained in the Digital Privacy Act, passed in 2015. The Act brought a few amendments to PIPEDA, including the insertion of a mandatory reporting regime for breaches of security safeguards.

In 2016, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the Committee) published a report entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. Its recommendations included making PbD a central principle of PIPEDA and incorporating the seven foundational principles into the legislation where possible. The Privacy Commissioner of Canada, Daniel Therrien, also called for the integration of PbD into Canadian privacy legislation during a 2019 appearance before the Committee, as well as in his office’s 2018–2019 annual report on the Privacy Act and PIPEDA, which focused on privacy law reform.

In November 2020, Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, was presented in the House of Commons. Although the bill sought to reform PIPEDA, it did not explicitly incorporate PbD into the proposed new legislation. In a submission on Bill C-11, the Privacy Commissioner of Canada indicated that “provisions on accountability should explicitly include a requirement that organizations apply Privacy by Design.”

Bill C-11 died on the Order Paper when Parliament was dissolved on 15 August 2021. Whether or not PbD will explicitly be included in future federal privacy legislation remains to be seen.

Additional Resources

Charland, Sabrina, Alexandra Savoie, and Ryan van den Berg. Legislative Summary of Bill C-11: An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts. Publication no. 43-2-C11-E. Parliamentary Information, Education and Research Services, Library of Parliament, Ottawa, 10 December 2020.

Author: Alexandra Savoie, Library of Parliament
