By Dr. Ann Cavoukian
Editor’s Note: Because tomorrow is Data Privacy Day, we are marking the occasion by profiling Microsoft’s Chief Privacy Officer and digging deeper into the privacy implications of location-based services. We’ve also asked Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, to share her latest thoughts on “Privacy by Design.” Dr. Cavoukian is widely credited with originating the concept of Privacy by Design, which is a major focus of the Federal Trade Commission’s recent report on online privacy.
The U.S. Federal Trade Commission’s recent Do Not Track proposal has been attracting a great deal of attention in business circles.
While supporters and detractors debate whether the proposal addresses the mounting concerns about online behavioural tracking, industry leaders – including Microsoft, Google, and Mozilla – are rising to the challenge, announcing Do Not Track features in upcoming browser releases.
Embedding privacy into browser software reflects the type of proactive approach that I’ve advocated for many years. Recently, Privacy by Design (PbD) – a solution based on engineering privacy directly into the design of new technologies, business processes and networked infrastructure as a core functionality – has been steadily gaining momentum, and is starting to be implemented around the world.
Privacy by Design rests on the 7 Foundational Principles, of which Privacy as the Default Setting is the second. Conceptually, this principle requires that personal data be automatically protected. Individuals should not be required to take additional steps to protect their privacy — it should be built into the system, ideally by default. Recently, Peter Cullen, Microsoft’s Chief Privacy Strategist, queried me as to how this principle could be applied in the context of “Do Not Track,” which is inherently “opt-out.”
In Privacy by Design, Privacy as the Default is the ideal condition to strive for. However, currently, the industry standard of practice for online consumer marketing is opt-out. Privacy as the Default would require a shift to “opt-in.” But an immediate shift to an opt-in model (which is the standard of practice for sensitive information, such as personal health information) could be both impractical and, perhaps, harmful to industry.
As one of the 7 Foundational Principles, Privacy as the Default must be read alongside the remaining principles. The fourth principle, Full Functionality (Positive-Sum, not Zero-Sum), requires that PbD achieve a doubly-enabling, “positive-sum” solution that provides a win/win result for both consumers and businesses – not one at the expense of the other.
Taking into account the context involved – and context is key – I have developed a two-step process for achieving the spirit of Privacy as the Default in situations where the existing industry standard of practice presents a barrier to achieving the principle directly, right from the outset. I call this the “Ontario Two-Step.”
In limited circumstances, where the existing industry standard of practice is opt-out, the Ontario Two-Step Process may be followed as an interim step toward achieving privacy as the default condition.
The “Ontario Two-Step” Process:
Step 1: Present a clear and “in process” option (i.e. in the course of normal use and operation) for the consumer to opt-out of subsequent online tracking and marketing communications.
Step 2: Once an individual has chosen to “opt-out” of future tracking or receipt of marketing information, then their choice must remain persistent over time and be global in nature (with respect to that organization).
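The two steps above can be checked mechanically on the service side. What follows is an added illustration, not code from Dr. Cavoukian or from any vendor the article names: it assumes an organization that recognises a data subject across all of its properties by one internal identifier, a minimal request model with headers and cookies, and that a browser’s “DNT: 1” header is treated as the Step 1 in-process opt-out signal. All names (OptOutRegistry, may_track, user-42) are hypothetical. The point it makes is the one Step 2 turns on: an opt-out held only in a browser cookie is neither persistent (cookies expire or are cleared) nor global (a cookie is scoped to one browser and one domain), so the choice has to be recorded against the subject, server-side, and consulted by every property and channel.

```python
"""Added illustration of the "Ontario Two-Step" as a service-side check.

Hypothetical code: assumes one organization-wide subject identifier, a
toy request model, and DNT: 1 being honoured as a Step 1 opt-out signal.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, Mapping, Optional

# Purposes a subject can decline. Constructed for the example.
PURPOSES: FrozenSet[str] = frozenset({"tracking", "marketing"})


@dataclass(frozen=True)
class OptOutRecord:
    subject_id: str
    purposes: FrozenSet[str]   # purposes the subject has declined
    source: str                # where the choice was made (audit trail)
    recorded_at: datetime


class OptOutRegistry:
    """Organization-wide opt-out store keyed by the subject, not by a cookie.

    Step 2 requires the choice to be persistent and global within the
    organization, so the record lives server-side and every property,
    site and mailing channel consults the same registry.
    """

    def __init__(self) -> None:
        self._records: Dict[str, OptOutRecord] = {}

    def opt_out(self, subject_id: str, purposes: Iterable[str], source: str) -> OptOutRecord:
        requested = frozenset(purposes)
        unknown = requested - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        previous = self._records.get(subject_id)
        # Merge with any earlier record: a later opt-out never narrows an earlier one.
        merged = requested | (previous.purposes if previous else frozenset())
        record = OptOutRecord(subject_id, merged, source, datetime.now(timezone.utc))
        self._records[subject_id] = record
        return record

    def is_opted_out(self, subject_id: str, purpose: str) -> bool:
        record = self._records.get(subject_id)
        return record is not None and purpose in record.purposes


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    headers: Mapping[str, str] = field(default_factory=dict)
    cookies: Mapping[str, str] = field(default_factory=dict)
    subject_id: Optional[str] = None   # set once the visitor is recognised


def may_track(request: Request, registry: OptOutRegistry) -> bool:
    """May this request be used for behavioural tracking?"""
    # Step 1: honour the in-process signal the browser sends ("DNT: 1").
    if request.headers.get("DNT", "").strip() == "1":
        return False
    # Step 2: honour the persisted, organization-wide choice, whatever
    # property the subject is visiting and whatever cookies remain.
    if request.subject_id and registry.is_opted_out(request.subject_id, "tracking"):
        return False
    return True


def may_send_marketing(subject_id: str, registry: OptOutRegistry) -> bool:
    """May a marketing message be sent to this subject on any channel?"""
    return not registry.is_opted_out(subject_id, "marketing")


def demo():
    """Walk through the scenario; returns (web tracking, marketing, anonymous DNT)."""
    registry = OptOutRegistry()
    # Day 1: the user clicks "unsubscribe" in a newsletter. The choice is
    # recorded against the subject and covers both purposes offered there.
    registry.opt_out("user-42", {"tracking", "marketing"}, source="newsletter-unsubscribe")

    # Day 30: the same user visits a different property of the organization
    # with cookies cleared and no DNT header. A cookie-only opt-out would be
    # gone; the registry record is not, and it applies to this site too.
    visit = Request(headers={}, cookies={}, subject_id="user-42")
    tracking_allowed = may_track(visit, registry)

    # An anonymous visitor sending DNT: 1 is respected without any account.
    anon = Request(headers={"DNT": "1"})
    anon_tracking_allowed = may_track(anon, registry)

    return tracking_allowed, may_send_marketing("user-42", registry), anon_tracking_allowed


if __name__ == "__main__":
    print(demo())
```

The merge in `opt_out` is deliberate: a second opt-out recorded from another channel must widen the existing record, never replace it with a narrower one, or the “persistent” property is lost the moment the subject interacts with a different part of the organization.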
The Ontario Two-Step achieves a de facto default condition, in a manner that recognizes legitimate business practices as reflected in industry standards, but is driven by the consumer and is persistent in its effect – positive-sum, not zero-sum.
Already, industry innovation is moving in the direction of giving consumers this type of strengthened control. And while critics will no doubt suggest that a two-step process is less than perfect, my own view is that we must never let the pursuit of perfection deter us from making steady progress. The Two-Step Process, indeed, represents solid progress, as it allows the user to reach a permanent state of privacy as the default condition – one step removed. A persistent and global opt-out will put newfound power into the hands of consumers, and thus represents a major step forward toward achieving meaningful privacy protection online. Accordingly, it is a significant improvement over current-day practices.
Ultimately, the success of Privacy by Design – the gold standard in privacy and data protection – rests upon implementing it in a way that proactively recognizes the existence of multiple functionalities, operating in a positive-sum manner – not one at the expense of the other, but rather both, operating in a doubly-enabling, synergistic relationship. Take the challenge, and embed Privacy, by Design.