
Conclusions and Policy Implications

Privacy-Invading Technologies and Privacy by Design

Part of the book series: Information Technology and Law Series (ITLS, volume 25)


Abstract

This chapter sums up the book’s overall research findings and conclusions; outlines the policy implications of the conclusions; explains how PBD is a critical combination of law and technology; clarifies that PBD is not a substitute for law; provides an overview of the major changes needed in the privacy/data protection legal frameworks; outlines how PBD can and should be implemented and enforced; explains how PBD can play an important role in safeguarding privacy, liberty and security; and clarifies how and why PBD is a potentially effective solution, but not a panacea for all privacy issues or threats.


Notes

  1. See, for further discussion, Agre and Rotenberg 1997.

  2. Article 29 Working Party, WP 173, Opinion 3/2010 on the principle of accountability, 13 July 2010, p. 3.

  3. Reidenberg 2000.

  4. Floerkemeier et al. 2005.

  5. See Langheinrich 2001.

  6. The white paper from the Future of Privacy Forum, SmartPrivacy for Smart Grids: Embedding Privacy into the Design of Electricity Conservation (November 2009), argues in favour of implementing PBD for smart grids and warns about the threats to privacy posed by smart grids. For example, as the white paper points out, by revealing what appliances and devices a household uses, how much and when, the electricity provider can determine personal habits, behaviours and lifestyles. There are indeed legitimate privacy concerns surrounding smart grids that should not be simply overlooked, but the full privacy implications of smart grids are unknown and, therefore, PBD here is a preventive measure.

  7. See Article 29 Working Party, The Future of Privacy, WP 168, 1 Dec 2009.

  8. See Cave et al., p. 19.

  9. Ibid.

  10. Reidenberg 2000.

  11. Ibid.

  12. See Online consultation comments on the European Commission staff paper “Early Challenges to the Internet of Things”, Comments submitted by CA, Inc., p. 6.

  13. Borking 2010.

  14. van Blarkom et al. 2003, p. 8.

  15. Ibid.

  16. The potential lack of privacy considerations when developing Google Street View has also likely given rise to the claim that Google’s Street View vehicles collected data transmitted on private, non-secure Wi-Fi networks.

  17. Lahlou and Jegou 2003, p. 4.

  18. Reidenberg 2000.

  19. Ibid.

  20. Schneier 2007, “Strong Laws, Smart Tech Can Stop Abusive ‘Data Reuse’” (Wired News, 28 June 2007), available at: http://www.schneier.com/essay-175.html. Accessed 17 February 2014.

  21. Dommering 2006.

  22. Schwartz 2000, p. 759.

  23. See Hildebrandt and Koops 2010.

  24. See, for further discussion, e.g. Cave et al. 2009, p. 17.

  25. Reidenberg 2000.

  26. RISEPTIS 2009, p. 31.

  27. See the prepared text of the speech (former) US Secretary of State Hillary Clinton delivered at the Newseum in Washington DC on the topic of Internet Freedom (21 January 2010), available at: http://www.state.gov/secretary/rm/2010/01/135519.htm. Accessed 17 February 2014. Similarly, European Commissioner Viviane Reding, formerly of DG Information Society & Media (DG INFSO), and now responsible for DG Justice, Fundamental Rights and Citizenship, stated, during a DG INFSO staff general assembly on 12 February 2010, “although I am not going to be your commissioner anymore, I am going to be still your policy maker”. This could possibly mean European Commissioner Reding believes that ICT research and technological development, an area she was previously responsible for, should be aligned with the principles of justice and fundamental rights, an area she is now responsible for.

  28. Cave et al. 2009, p. 16.

  29. Importantly, this is consistent with the EC’s Proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, COM(2012) 10 final, Brussels, 25.1.2012. Article 19 requires Member States to ensure that data controllers are complying with obligations arising from data protection by design and privacy by default.

  30. See Agre and Rotenberg 1997, p. 25.

  31. Consumer Product Safety Act of 1972; Consumer Product Safety Improvement Act of 2008; Directive 1999/34/EC of the European Parliament and of the Council of 10 May 1999 amending Council Directive 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products.

  32. See Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11/4 draft.

  33. Article 23, para 3, could potentially have an indirect effect on the manufacturers/developers, since the specification of appropriate measures/mechanisms for implementing PBD for products and services would likely put pressure on the manufacturers/developers of those services/products to conform.

  34. Seminar of the 33rd International Conference of Data Protection and Privacy Commissioners, Privacy by ReDesign Workshop, Mexico City, Mexico, 1 November 2011.

  35. Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), establishing a European Chemicals Agency, amending Directive 1999/45/EC and repealing Council Regulation (EEC) No 793/93 and Commission Regulation (EC) No 1488/94 as well as Council Directive 76/769/EEC and Commission Directives 91/155/EEC, 93/67/EEC, 93/105/EC and 2000/21/EC.

  36. For further discussion, see, e.g. Black 2008.

  37. For further discussion on possible explanations for the convergences in data protection policies/laws between the US and Europe, see Bennett 1992.

  38. Cannataci 2011, p. 185.

  39. Though consumers’/citizens’ trust in public institutions to handle their personal data appropriately and their level of confidence in privacy policies is not perfect, according to a Eurobarometer survey in 2008, more than a majority of EU citizens do have this trust and confidence in different types of public institutions. However, considerably less than a majority of EU citizens have this trust and confidence in companies, such as credit card companies, travel companies, market research companies and mail order companies. See Flash Eurobarometer Series #225, Data Protection in the European Union—Citizens’ Perceptions Survey, conducted by the Gallup Organization upon the request of the Directorate-General Justice, Freedom and Security of the European Commission, Analytical Report, February 2008.

  40. See Commission Staff Working Document, Impact Assessment, Accompanying document to the Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification “RFID Privacy, Data Protection and Security Recommendation”, C(2009) 3200 final.

  41. Reidenberg 2000.

  42. For instance, Senator Patrick Leahy previously introduced S.1490, titled “The Personal Data Privacy and Security Act of 2009”, which aims to hold software companies liable for security flaws or vulnerabilities and mandates that business entities implement data privacy and security technical and physical safeguards in the system’s design and imposes civil penalties on entities that fail to do so. While the legislation essentially covers ‘information privacy’, as opposed to the protection of privacy overall, this proposal has some similarities to the proposed PBD legislation.

  43. A perfect example of a privacy-defective device/service is certain models of the Trendnet home security cameras, which were discovered to have flawed firmware allowing anyone to access the online live feed without requiring a password.

  44. For example, Article 7 of the EU Directive 1999/34/EC explains the “state of the art defense” exemption. Manufacturers can be exempted from liability, if they can prove “that the state of scientific and technical knowledge at the time when the product was put into circulation was not such as to enable the defect to be discovered”.

  45. This is similar to the approach used in the EU for the certification of organic products.

  46. A similar approach is also used in the EU for implementing “eco-design” requirements for energy-using appliances.

  47. Article 29 Data Protection Working Party, WP 173, Opinion 3/2010 on the principle of accountability, Adopted on 13 July 2010, p. 17.

  48. See http://www.privacyscore.com.

  49. Cannataci 2011, p. 182.

  50. See, e.g. the ICO PIA Handbook for guidelines on conducting PIAs; Privacy and Data Protection Impact Assessment Framework for RFID Applications, 12 January 2011.

  51. See JTC 1/SC 27/WG 5: Identity management and privacy technologies.

  52. COM (2009) 262 final, Communication from the Commission to the European Parliament and the Council—An area of freedom, security and justice serving the citizen.

  53. See Pasic 2011.

  54. Van Blarkom et al. 2003.

  55. Sollie and Düwell 2009.

  56. Hirsch 2006, p. 33.

  57. Ibid.

  58. Ibid., p. 35.

  59. Ibid., p. 34.

  60. Ibid., p. 35.

  61. Ibid.

  62. Council Directive 96/61/EC of 24 September 1996 concerning integrated pollution prevention and control defines BATs as “the most effective and advanced stage in the development of activities and their methods of operation which indicate the practical suitability of particular techniques for providing in principle the basis for emission limit values designed to prevent and, where that is not practicable, generally to reduce emissions and the impact on the environment as a whole” (Article 2.11).

  63. See European Data Protection Supervisor Opinion on the Communication from the Commission on an Action Plan for the Deployment of Intelligent Transport Systems in Europe and the accompanying Proposal for a Directive of the European Parliament and of the Council laying down the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other transport modes, 22 July 2009, available at: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2009/09-07-22_Intelligent_Transport_Systems_EN.pdf. Accessed 17 February 2014.

  64. Hirsch 2006, p. 35.

  65. See US Department of Commerce, Informal Comment on the Draft General Data Protection Regulation and Draft Directive on Data Protection in Law Enforcement Investigations, 16 January 2012.

  66. Ibid.

  67. Hirsch 2006, p. 36.

  68. Ibid.

  69. Ibid.

  70. Ibid.

  71. US Department of Commerce, Informal Comment on the Draft General Data Protection Regulation and Draft Directive on Data Protection in Law Enforcement Investigations, 16 January 2012.

  72. Ibid.

  73. Hirsch 2006.

  74. See Porter and van der Linde 1995.

  75. See Hirsch 2006, pp. 38–40.

  76. Ibid., pp. 60–63.

  77. Cave et al. 2009, p. 17.

  78. Cave et al. 2009.

  79. Williams 2009, p. 78.

  80. RISEPTIS 2009, p. 14.

  81. Cavoukian 2009.

  82. Forgive the analogy—but, the purpose is to show that even the most morally questionable technologies or objects could be potentially designed to be “value sensitive”.

  83. Cavoukian 2009.

  84. Cavoukian 2009. See also Ann Cavoukian’s “7 Foundational Principles of Privacy by Design”, Originally Published: August 2009, Revised: January 2011, available at: http://www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf. Accessed 17 February 2014.

  85. U-Prove cryptographic technology, the ‘anonymous credential system’ Identity Mixer, the Prime/PrimeLife FP7 research project and Cynthia Dwork’s Differential Privacy scheme, for example, may also bring to light or demonstrate the non-zero-sum properties of PBD and PETs.

  86. Schwartz 2000, p. 787.

  87. Grimmelmann 2005.

  88. For further discussion, see Pasic 2011.

  89. Ibid.

  90. Indeed, at a networking session at the ICT Event 2010 in Brussels, European Commission staff from the Trust & Security unit expressed their preference or intention to fund a “Coordination Action” project that brings together stakeholders for the purpose of facilitating PBD.

  91. Reidenberg 2000.

  92. Cavoukian 2009.

  93. Albrechtslund 2007, p. 72.

  94. See RISEPTIS Advisory Board 2009, p. 13 (RISEPTIS was composed of more than 30 experts and was supported by an EC-financed ‘Coordination Action’ project, THINKTRUST, whose objective was to develop a research agenda for Trustworthy ICT).

  95. See Cannataci 2011.

  96. Albrechtslund 2007.

  97. See Hirsch 2006, pp. 60–63.

  98. Grimmelmann 2005, p. 1742.

  99. Ibid., p. 1731.

  100. van Blarkom et al. 2003, p. 50.

  101. Borking 2010, p. 260.

  102. Gaudin S. “Facebook CEO Zuckerberg causes stir over privacy” (Computerworld, 11 January 2010), available at: http://www.computerworld.com/s/article/9143859/Facebook_CEO_Zuckerberg_causes_stir_over_privacy?taxonomyId=16. Accessed 17 February 2014.

  103. A recent poll has perhaps contradicted Zuckerberg’s statement. The Pew Research Center's Internet & American Life Project found that young adults (ages 18–29) in fact are not indifferent about their online reputation. For example, 71% of young adults who are social networking users have changed their account privacy settings in order to limit what they share online. The results were based on data from telephone interviews conducted, between August and September 2009, among a sample of 2,253 young adults in the US. See Reputation Management and Social Media, Pew Internet and American Life Project, May 2010. But, the survey targeted young adults (ages 18–29) and not teenagers. Moreover, there is still relatively little empirical data on society’s overall perceptions of privacy and how, why and when it is most valued.

References

  • Agre PE, Rotenberg M (eds) (1997) Technology and privacy: the new landscape. MIT Press, Cambridge

  • Albrechtslund A (2007) Ethics and technology design. Ethics Inf Technol 9:63–72

  • Article 29 Working Party, WP 173, Opinion 3/2010 on the principle of accountability, 13 July 2010

  • Article 29 Working Party, WP 168, The future of privacy, 1 Dec 2009

  • Bennett C (1992) Regulating privacy: data protection and public policy in Europe and the United States. Cornell University Press, New York

  • Black H (2008) Chemical reaction: the U.S. response to REACH. Environ Health Perspect 116:A124–A127

  • Borking J (2010) Assessing investments mitigating privacy risks. In: Mommers L, Franken H, van den Herik J, van der Klaauw F, and Zwenne, G-J (eds) Het binnenste buiten; Liber amicorum ter gelegenheid van het emeritaat van Prof.dr. Aernout HJ Schmidt, Hoogleraar Recht en Informatica te Leiden, eLaw@Leiden, pp 255–273

  • Cannataci JA (2011) Recent developments in privacy and healthcare: different paths for RFID in Europe and North America? Int J RF Technol 2:173–187

  • Cave J, van Oranje C, Schindler R, Ahehabi A, Brutscher PH-B, Robinson N (2009) Trends in connectivity technologies and their socio-economic impacts. Final report of the study: Policy Options for the Ubiquitous Internet Society. RAND Europe

  • Cavoukian A (2009) Privacy by design

  • Dommering EJ (2006) Regulating technology: code is not law. In: Dommering EJ, Asscher LF (eds) Coding regulation: essays on the normative role of information technology, T.M.C. Asser Press, pp 1–17

  • Floerkemeier C, Schneider R, Langheinrich M (2005) Scanning with a purpose—supporting the fair information principles in RFID Protocols. In: Murakami H, Nakashima H, Tokuda H, Yasumura M (eds) Ubiquitous computing systems. Revised selected papers from the 2nd international symposium on ubiquitous computing systems (UCS 2004), Vol 3598, pp 214–231

  • Grimmelmann J (2005) Regulation by Software. Yale Law J 114:1719–1758

  • Hildebrandt M, Koops B-J (2010) The challenges of ambient law and legal protection in the profiling era. Mod Law Rev 73(3):428–460

  • Hirsch D (2006) Protecting the inner environment: What privacy reregulation can learn from environmental law. Georgia Law Rev 41:1–64

  • Lahlou S, Jegou F (2003) European disappearing computer privacy design guidelines, version 1, Ambient Agoras Report D15.4, Disappearing Computer Initiative

  • Langheinrich M (2001) Privacy by design—principles of privacy-aware ubiquitous systems. In: Abowd GD, Brumitt B, Shafer SA (eds) Proceedings of the third international conference on ubiquitous computing, ubicomp 2001, Springer, Berlin, pp 273–291

  • Pasic A (2011) Privacy by design: an industry perspective on the challenges and opportunities of privacy

  • Porter M, van der Linde C (1995) Green and Competitive. Harvard Bus Rev 73(5):120–134

  • Reidenberg J (2000) Privacy protection and the interdependence of law, technology and self-regulation

  • RISEPTIS Advisory Board (2009) Trust in the information society: research and innovation on security, privacy and trustworthiness in the information society

  • Schwartz PM (2000) Beyond Lessig’s code for internet privacy: cyberspace filters, privacy-control, and fair information practices. Wisconsin Law Rev 2000(4):743–787

  • Sollie P, Düwell M (eds) (2009) Evaluating new technologies: methodological problems for the ethical assessment of technology developments. Springer

  • US Department of Commerce, Informal Comment on the Draft General Data Protection Regulation and Draft Directive on Data Protection in Law Enforcement Investigations, 16 January 2012

  • van Blarkom GW, Borking JJ, Olk JGE (eds) (2003) The handbook of privacy and privacy-enhancing technologies: the case of intelligent software agents

  • Williams M-A (2009) Privacy management, the law and global business strategies: a case for privacy driven design. Innovation and enterprise research laboratory, University of Technology, Sydney


Author information

Correspondence to Demetrius Klitou.

Copyright information

© 2014 T.M.C. Asser Press and the author(s)

Cite this chapter

Klitou, D. (2014). Conclusions and Policy Implications. In: Privacy-Invading Technologies and Privacy by Design. Information Technology and Law Series, vol 25. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-026-8_10
