Skip to main content
SpringerLink
Log in

Evolving FIPPs: Proactive Approaches to Privacy, Not Privacy Paternalism

  • Chapter
  • First Online:
Reforming European Data Protection Law

Part of the book series: Law, Governance and Technology Series ((ISDP,volume 20))

Abstract

Privacy and data protection are at times contrasted with other legitimate societal values and goals, with the suggestion that one must yield to the other. But is it really necessary to weaken existing privacy measures in the name of pursuing greater efficiencies, innovation and economic growth? The goal of reconciling privacy rights with the free flow of data was reaffirmed by the OECD in a multi-year review of the 1980 OECD Guidelines – all eight of the original principles were left intact. This paper examines proposals to abridge these fundamental FIPPs in order to allow for Big Data and other technological and socially beneficial innovations. This paper suggests that the future of privacy depends on informational self-determination as embodied by taking a holistic approach to the FIPPs. Moreover, the paper suggests that the FIPPs be further enhanced through the application of Privacy by Design, which supplements the FIPPs with new elements such as proactively embedding privacy into information technologies, business practices and network infrastructures. Transparency and accountability are also key features in this framework.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    See specifically Fred H. Cate, Peter Cullen and Viktor Mayer-Schonberger, “Data Protection Principles for the 21st Century, Revising the 1980 OECD Guidelines,” December 2013, http://www.oii.ox.ac.uk/publications/Data_Protection_Principles_for_the_21st_Century.pdf (“Cate et al”); See also, Scott Charney, “Microsoft Trustworthy Computing Next” (V1.01), February 2012, http://www.microsoft.com/en-us/download/details.aspx?id=29084; Fred H. Cate and Viktor Mayer-Schonberger, “Notice and Consent in a World of Big Data: Microsoft Global Privacy Summit Summary Report and Outcomes,” November 2012, http://www.microsoft.com/en-au/download/details.aspx?id=35596; Craig Mundie, “Privacy Pragmatism,” Foreign Affairs, February 12, 2014, http://www.foreignaffairs.com/articles/140741/craig-mundie/privacy-pragmatism.

  2. 2.

    The concept of paternalism refers to: “The attitude or actions of a person, or organization, that protects people and gives them what they need, but does not give them any responsibility or freedom of choice.” Merriam-Webster Online Dictionary, s.v. “paternalism,” http://www.merriam-webster.com/dictionary/paternalism. See also Daniel Solove, “Privacy Self-Management and the Consent Dilemma.” Harvard Law Review. 126 (2013): 1879–2139.

  3. 3.

    Office of the Information and Privacy Commissioner of Ontario, “Landmark Resolution Passed to Preserve the Future of Privacy,” October 29, 2010, http://www.ipc.on.ca/images/Resources/2010-10-29-Resolution-e_1.pdf.

  4. 4.

    OECD, “Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013),” at 6, http://acts.oecd.org/Instruments/ShowInstrumentView.aspx?InstrumentID=114&InstrumentPID=312&Lang=en&Book=False (“OECD Privacy Framework”).

  5. 5.

    Ann Cavoukian, “Identity Theft Revisited: Security Is Not Enough,” September 2005, http://www.ipc.on.ca/images/Resources/idtheft-revisit.pdf; Ann Cavoukian, Martin E. Abrams, and Scott Taylor, “Privacy by Design: Essential for Organizational Accountability and Strong Business Practices,” November 2009, http://www.ipc.on.ca/images/Resources/pbd-accountability_HP_CIPL.pdf; Ann Cavoukian and Terry McQuay, “A Pragmatic Approach to Privacy Risk Optimization: Privacy by Design for Business Practices,” November 2009, http://www.ipc.on.ca/images/Resources/pbd-privacy-risk.pdf; Ann Cavoukian, “Privacy Risk Management: Building Privacy Protection into a Risk Management Framework to Ensure that Privacy Risks Are Managed, By Default,” April 2010, http://www.ipc.on.ca/images/Resources/pbd-priv-risk-mgmt.pdf.

  6. 6.

    Article 29 Data Protection Working Party, “Opinion 03/2013 on purpose limitation,” April 2, 2013, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf, p. 4. (“Opinion 03/2013”)

  7. 7.

    For a brief discussion, see Eduardo Ustarian, “The Privacy Pro’s Guide to the Internet of Things,” IAPP Dashboard, February 12, 2014, http://bit.ly/1lTEo5c.

  8. 8.

    The final FTC Consumer Privacy Report (2012) and the E.U. Article 29 Working Party Opinion 15/2011 discuss the challenges of obtaining consent in more detail. Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” March 2012, http://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers; Article 29 Data Protection Working Party, “Opinion 15/2011 on the definition of consent,” http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf.

  9. 9.

    It is important to note that the term “notice and choice” refers to the system of obtaining consent specifically in the U.S., which does not have overarching FIPPs-based privacy legislation found in Europe and Canada. Marc Rotenberg, “Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get),” Stanford Technology Law Review, 1 (2001): 1–4.

  10. 10.

    Ann Cavoukian, “Privacy in the Clouds,” May 2008, http://bit.ly/1ka4eQ6.

  11. 11.

    Criticisms include that consent legitimizes any collection, is often collected in a take it or leave it manner, does not offer a way to control downstream uses of data, and does not offer explicitly the right to delete consent. OECD, “Privacy Expert Group Report on the Review of the 1980 OECD Privacy Guidelines”, OECD Digital Economy Papers, No. 229, OECD Publishing (2013) (“OECD Privacy Expert Report”) http://dx.doi.org/10.1787/5k3xz5zmj2mx-en; Bart Custers, Simone van der Hof et al. (2013). “Informed Consent in Social Media Use: The Gap between User Expectation and EU Personal Data Protection Law.” Scripted 10 (4).

  12. 12.

    COM (2012) 11/4 Draft Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Article 6.

  13. 13.

    See, for example, ISO/IEC, ISO/IEC 29100:2011 Information TechnologySecurity TechniquesPrivacy Framework.

  14. 14.

    Ibid, OECD Privacy Framework, paragraph 7. “As an introductory comment on the principles set out in Paragraphs 7 to 14 of the Guidelines it should be pointed out that these principles are interrelated and partly overlapping. Thus, the distinctions between different activities and stages involved in the processing of data which are assumed in the principles, are somewhat artificial and it is essential that the principles are treated together and studied as a whole. The principles in these Guidelines are complementary and should be read as a whole.”

  15. 15.

    Gerrit Hornung, and Christoph Schnabel. (2009). Computer Law & Security Report (Vol. 25), pg. 84–88, http://dx.doi.org/10.1016/j.clsr.2008.11.002.

  16. 16.

    Ryan Calo, “Against Notice Skepticism in Privacy (and Elsewhere),” Notre Dame Law Review 87:3 (2012): 1027–72.

  17. 17.

    “Purpose Specification,” OECD Privacy Principles, http://oecdprivacy.org/#purpose.

  18. 18.

    Ibid, Opinion 03/2013, p. 45–46. See also discussion in Omer Tene & Jules Polonetsky, “Big Data for All: Privacy and User Control in the Age of Analytics,” New Jersey Journal of Technology and Intellectual Property, 239:11 (2013).

  19. 19.

    Ann Cavoukian, “Privacy by Design: Leadership, Methods, and Results,” in European Data Protection: Coming of Age, ed. S. Gutwirth et al. (New York: Springer, 2013), 175 (“Leadership”).

  20. 20.

    Ibid, Opinion 03/2013, p. 3.

  21. 21.

    Ibid, p. 4.

  22. 22.

    Ibid, p. 3.

  23. 23.

    Specifically, section 41(1)(b) of FIPPA and section 31(b) of MFIPPA state that: “An institution shall not use personal information in its custody or under its control except, (b) for the purpose for which it was obtained or compiled or for a consistent purpose.” In determining whether a use is “consistent” with the primary purpose, section 43 of FIPPA and section 33 of MFIPPA provide that a use or disclosure will be considered consistent only if “the individual might reasonably have expected such a use or disclosure.”

  24. 24.

    Section 41(1)(a) of FIPPA. Please note that section 41(1) of FIPPA and 31 of MFIPPA specify other purposes for which an institution may use personal information, most of which are beyond the scope of this paper.

  25. 25.

    Ibid, Cate et al. p. 15–16.

  26. 26.

    Ibid.

  27. 27.

    See Dana Post, “Plaintiffs Alleging Only ‘Future Harm’ Following a Data Breach Continue to Face a High Bar,” IAPP Privacy Advisor, January 29, 2014, http://bit.ly/1qj1ilS.

  28. 28.

    Indeed, important work has been carried out in this area in recent years by the OECD, the E.U. Commission, the FTC in the United States, and many other public and private sector industry associations, standards-setting bodies and advocacy groups.

  29. 29.

    See discussion by Ryan Calo, “The Boundaries of Privacy Harm,” Indiana Law Journal 86:3 (2011). See also “FTC, Exploring Privacy – A Roundtable Series,” 1st Roundtable Series, Remarks of Marc Rotenberg, Electronic Privacy Information Center, at 301; 1st Roundtable, Remarks of Leslie Harris, Center for Democracy & Technology, at 36–38; 1st Roundtable, Remarks of Susan Grant, Consumer Federation of America, at 38–39: http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml

  30. 30.

    Stuart Shapiro, “The Risk of the ‘Risk-Based Approach’” The IAPP Daily Dashboard, March 31, 2014, http://bit.ly/1hBUokp.

  31. 31.

    Khaled El Emam. Guide to the De-Identification of Personal Health Information (CRC Press, 2013); Khaled El Emam, and Luk Arbuckle. Anonymizing Health Data: Case Studies and Methods to Get You Started (O’Reilly Media, Inc., 2013).

  32. 32.

    Article 29 Data Protection Working Party, “Opinion 06/2013 on Open Data and Public Sector Information (‘PSI’) Reuse.”

  33. 33.

    Ann Cavoukian, “Access by Design: The 7 Fundamental Principles,” April 2010, http://bit.ly/1hhJKUQ.

  34. 34.

    These include, inter alia, the U.S. White House, Federal Trade Commission, Department of Homeland Security, Government Accountability Office, European Commission, European Parliament and the Article 29 Working Party, among other public bodies around the world who have passed new privacy laws based upon the FIPPs. In addition, international privacy and data protection authorities unanimously endorsed Privacy by Design as an international standard for privacy.

  35. 35.

    Ibid, Custers et al; Paula Bruening, “Data Privacy Day 2014,” January 28, 2014, Intel Corporation, http://blogs.intel.com/policy/2014/01/28/today-day-rethink-privacy.

  36. 36.

    Ann Cavoukian, “The 7 Foundational Principles of Privacy by Design,” January 2009, http://bit.ly/1gcDTMd.

  37. 37.

    These include, inter alia, the U.S. White House, Federal Trade Commission, Department of Homeland Security, Government Accountability Office, European Commission, European Parliament and the Article 29 Working Party, among other public bodies around the world who have passed new privacy laws based upon the FIPPs. In addition, international privacy and data protection authorities unanimously endorsed Privacy by Design as an international standard for privacy.

  38. 38.

    For examples of positive sum see Ibid, Cavoukian, “Leadership,” p. 190.

  39. 39.

    Ibid, OECD, Paper No. 229.

  40. 40.

    “User” here refers to the data subject.

  41. 41.

    See generally IPSI Smart Data International Symposium, http://www.ipsi.utoronto.ca/sdis/.

  42. 42.

    Ibid, Cavoukian, “Privacy in the Clouds.”

  43. 43.

    See, for example, Carnegie-Mellon University CyLab Usable Privacy and Security Laboratory (CUPS), http://cups.cs.cmu.edu, “Future of Identity in the Information Society (FIDIS),” http://www.fidis.net, “Privacy and Identity Management for Europe (Prime),” http://www.prime-project.eu, “Trustworthy Clouds Privacy and Resilience for Internet-Scale Critical Infrastructure (TClouds),” http://www.tclouds-project.eu, “Privacy and Identity Management for Community Services (PICOS),” http://www.picos-project.eu, Ann Cavoukian & Drummond Reed, “Big Privacy: Bridging Big Data and the Personal Data Ecosystem through Privacy by Design,” December 2013, http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1352, Ibid, Cavoukian. “Privacy in the Clouds,” Ann Cavoukian & Justin Weiss, “Privacy by Design and User Interfaces: Emerging Design Criteria – Keep It User-Centric,” June 2012, http://ww.ipc.on.ca/English/Resources/Discussion-Papers/Discussion-Papers-Summary/?id = 1201.

  44. 44.

    Neelie Kroes, “Online privacy – reinforcing trust and confidence,” (speech, Brussels, June 22, 2011), European Union, http://europa.eu/rapid/press-release_SPEECH-11-461_en.htm.

  45. 45.

    See, for example, the list of member companies at Personal Data Ecosystem Consortium, http://pde.cc/startup-circle.

  46. 46.

    Ann Cavoukian, “Personal Data Ecosystem (PDE) – A Privacy by Design Approach to an Individual’s Pursuit of Radical Control,” in Digital Enlightenment Forum Yearbook 2013: The Value of Personal Data. M. Hilldebrandt, K. O’Hara and M. Waidner (eds). IOS Press. (“PDE”).

  47. 47.

    “Monetize”: “to utilize (something of value) as a source of profit,” Merriam Webster Online, http://www.merriam-webster.com/dictionary/monetize.

  48. 48.

    Ibid, Cavoukian, “PDE.”

  49. 49.

    Information and Privacy Commissioner of Ontario (Producer). January 24, 2014. “Big Data Calls for Big Privacy – Not Big Promises” [Video webcast]. Retrieved from http://www.privacybydesign.ca/index.php/webinar-big-data-calls-big-privacy-big-promises/.

Bibliography

Download references

Author information

Authors and Affiliations

  1. Information and Privacy Commissioner, Toronto, ON, Canada

    Ann Cavoukian

Authors
  1. Ann Cavoukian
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ann Cavoukian .

Editor information

Editors and Affiliations

  1. Law, Science, Technology & Society (LSTS), Faculty of Law and Criminology at the Vrije Universiteit Brussel, Brussels, Belgium

    Serge Gutwirth

  2. Tilburg Institute for Law, Technology, and Society (TILT), Tilburg University, Tilburg, The Netherlands

    Ronald Leenes

  3. Law, Science, Technology & Society (LSTS), Faculty of Law and Criminology at the Vrije Universiteit Brussel, Brussels, Belgium

    Paul de Hert

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer Science+Business Media Dordrecht

About this chapter

Cite this chapter

Cavoukian, A. (2015). Evolving FIPPs: Proactive Approaches to Privacy, Not Privacy Paternalism. In: Gutwirth, S., Leenes, R., de Hert, P. (eds) Reforming European Data Protection Law. Law, Governance and Technology Series(), vol 20. Springer, Dordrecht. https://doi.org/10.1007/978-94-017-9385-8_12

Download citation

Publish with us

Policies and ethics

Search

Navigation