The case for more rigorous cybersecurity and the protection of personally identifiable information is compelling. Consider the following facts:
These troubling trends have prompted regulators to bolster data security and privacy legislation to impose stricter obligations on businesses and data controllers.
In the US, regulatory agencies have added more teeth to privacy enforcement actions. This can be seen in the Federal Communications Commission levying a fine of $25 million against AT&T for the unauthorized disclosure of 280,000 customer records.
In the EU, which has a historically high bar for privacy protection, the General Data Protection Regulation (GDPR) further strengthens and expands privacy rights. It spans data anonymization, the right to be forgotten, and breach notification, with fines for non-compliance that may be as high as 2% of annual revenues.
Equally, data subjects face daunting challenges in providing informed consent to data processors who are collecting their personal information. A report by the World Economic Forum has found that, on average, data subjects have to invest 250 working hours, or 30 working days each year, just to read privacy notices in order to provide informed consent.
Privacy law attempts to strike a balance between privacy rights, social and economic utility, and security interests. Universally accepted privacy principles, based on the OECD Guidelines for the Protection of Privacy, include purpose specification for the collection of personally identifiable information, informed consent, limiting use to the specific purposes to which data subjects consented, transparency, data quality, security, auditing, and accountability.
The OECD Guidelines have been codified in privacy legislation across the developed world, including the US. The exponential growth in the volume, variety, and velocity of electronic data presents challenges for both data processors and data subjects. Sophisticated technologies such as machine learning, robotics, big data, and IoT may expose consumers to infringement of their privacy rights: they may unwittingly consent to the use of their personal information, or their personal information may be appropriated for nefarious purposes.
Can these vexing problems be solved through the application of technology? Can privacy rights be embedded within these sophisticated applications?
Privacy by Design is one such effort that attempts to embed privacy principles within systems and software. Formulated by the Privacy Commissioner for the Province of Ontario, Privacy by Design encompasses seven foundational principles for embedding privacy within systems and software. Its overarching objective is to make privacy the default condition. This means that the application software, by default, minimizes the collection and use of personal information; includes de-identification and biometric encryption for secondary uses of personal information; provides end-to-end security and destruction of personal information once it is no longer needed; and offers an intuitive user experience that gives consumers privacy-enhancing options to exercise control over their personal information.
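The "privacy as the default" idea above is easier to see in code than in prose. The following is an added example, not code from the original article or from the Privacy by Design programme: it sketches three of the listed defaults in Python, namely purpose-bound data minimization (a field allowlist per consented purpose), de-identification of the direct identifier by keyed pseudonymization (HMAC-SHA256), and destruction of records once their retention period has elapsed. The purposes, field names, retention periods, key and sample record are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical purpose allowlists: the only fields each consented purpose may keep.
# Anything not listed is dropped at collection time, which is the minimization default.
PURPOSE_FIELDS = {
    "billing": {"customer_id", "plan", "amount_due"},
    "analytics": {"customer_id", "plan"},
}

# Hypothetical retention periods per purpose; records are destroyed after these elapse.
RETENTION = {
    "billing": timedelta(days=365),
    "analytics": timedelta(days=90),
}

# Constructed demo key. In a real system this comes from a key manager and is never
# stored alongside the pseudonymized data, otherwise the de-identification is reversible.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample record as a data collector might receive it.
SAMPLE_RECORD = {
    "customer_id": "42",
    "email": "alice@example.invalid",
    "ssn": "000-00-0000",
    "plan": "pro",
    "amount_due": 10,
}


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed hash (de-identification).

    A keyed HMAC, unlike a plain hash, cannot be recomputed by someone who
    guesses the input value but lacks the key, so the pseudonym is stable for
    linking records within one system without exposing the identifier.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, purpose: str) -> dict:
    """Keep only the fields the consented purpose needs and pseudonymize the identifier.

    An unknown purpose is rejected rather than silently given a permissive default.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no consented purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in record.items() if k in allowed}
    if "customer_id" in out:
        out["customer_id"] = pseudonymize(str(out["customer_id"]))
    return out


@dataclass
class StoredRecord:
    purpose: str
    data: dict
    collected_at: datetime


def expired(rec: StoredRecord, now: datetime) -> bool:
    """True once the record has outlived the retention period of its purpose."""
    return now >= rec.collected_at + RETENTION[rec.purpose]


def purge(store: list, now: datetime) -> list:
    """Destroy records past their retention period; returns the survivors."""
    return [r for r in store if not expired(r, now)]


def demo() -> dict:
    """Run the three defaults over the constructed sample and return the outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    billing = minimize(SAMPLE_RECORD, "billing")
    analytics = minimize(SAMPLE_RECORD, "analytics")
    store = [
        StoredRecord("billing", billing, now - timedelta(days=91)),
        StoredRecord("analytics", analytics, now - timedelta(days=91)),
    ]
    survivors = purge(store, now)
    return {
        "billing_fields": sorted(billing),
        "analytics_fields": sorted(analytics),
        "surviving_purposes": [r.purpose for r in survivors],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the permissive path does not exist: a caller must name a consented purpose, the allowlist decides what is kept, and retention is enforced by the store rather than by whoever remembers to delete. Those are the properties Privacy by Design asks for when it says privacy should be the default rather than an option the user has to find.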
In an 1890 Harvard Law Review article, the authors coined the phrase “the right to be left alone,” which is the key tenet of privacy law. Today, consumers are subject to unprecedented incursions on their privacy. Privacy by Design can bridge the gap between the social utility of technology and the right to be “left alone.”