Cynthia O’Donoghue, Nick Tyler and Katalina Chin report on the SCL Privacy and Data Protection Group Meeting held on 16 March at Reed Smith LLP
Set against dramatic views of the London night skyline from the 32nd floor of Broadgate Tower, Reed Smith LLP hosted the first event of 2011 for the Privacy and Data Protection Group of SCL on Wednesday 16th March. 40 delegates joined the Chair, Reed Smith's Nick Tyler, and speakers Steve Wood of the Information Commissioner's Office (ICO) and Michael Colao, an information security and privacy expert, for a lively discussion on a key 'hot topic' of the data protection world: 'Privacy by Design: 'Grand Design' or 'Pipe Dream'?
As Head of the ICO's new Policy Delivery department, Steve's role gives him responsibility for overseeing policy lines, advice and guidance relating to both data protection and freedom of information legislation. Michael is a director of Downtown Associates, an information security and privacy consultancy. He is currently advising in the Lloyds' insurance market, having worked in the financial services sector in London for the last 15 years, and lectures globally on security technology issues.
'Privacy by Design' is a concept originally conceived and developed by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, more than 10 years ago. At the end of October last year, the International Conference of Data Protection and Privacy Commissioners passed a resolution recognising and endorsing the adoption of 'Privacy by Design' as a guiding legal principle of data protection worldwide. A month later the European Commission set out its strategy to modernise the EU Data Protection Directive. As part of its review, the Commission announced they would examine promoting the use of privacy enhancing technologies (PETs) as well as the 'concrete implementation' of 'Privacy by Design'. In the UK, the Information Commissioner has promoted an explicit 'Privacy by Design' requirement in the next generation of data protection laws to ensure compliance measures are built in at each stage of the information lifecycle as opposed to remedial measures being 'bolted on' in a piecemeal fashion to redress issues of non-compliance.
The Regulator's View
The ICO's latest Annual Track Research has highlighted that public concern on the issue of protecting personal information is second only to 'preventing crime'. This perhaps surprising statistic emphasises the importance of a pro-active 'Privacy by Design' approach to protecting personal data. Steve gave an informative talk on the respective roles of Privacy Impact Assessments (PIAs) and PETs in that approach. The ICO would be the first to acknowledge that its guidance in the area is becoming outdated in light of the continuing pace of technological change and emerging new risks. However, the ICO has high hopes that the addition of Simon Rice to their team, as the ICO's first in-house Technology Adviser, together with the creation of a Technology Adviser Panel for the ICO, will help the regulator to produce relevant and up-to-date guidance on technical innovation and emerging issues.
Steve's presentation shed light on the persistent challenges around pseudonymisation and anonymisation, as well as the emerging challenges presented by mass market uses of facial recognition and location-based, technologies. In terms of Privacy by Design making a difference, Steve highlighted the benefits of building in a framework for considering data protection at an early stage of a project—the key being a strong business case which considers the value of the personal data held and the consequences of failing to protect personal information, including the potential loss of return and negative impact on brand and reputation in the event of a breach. This type of thought process should serve to highlight the importance of 'Privacy by Design' as part of any organisation's data protection strategy. Steve accepted, however, that with PETs they will need to deliver real value in order to justify investment in such technology.
The onus also lies on individuals to act to protect their own personal data and Steve informed the SCL delegates of the ICO's plans to continue educating the public about the risks and benefits of putting their personal information in the public domain, including how the ICO is looking at ways of embedding data protection and information rights awareness from an early age by including it in the educational curriculum.
The Information Security Expert's View
The title of Michael's presentation left no one in the dark as to his opinion, in particular on the limitations of PETs in the context of Privacy by Design: 'Privacy Enhancing Technologies, The Tooth Fairy, The Easter Bunny and Other Good Things'! Explaining the distinction between passive and active loss of data (for example, a disc being left on a train (passive) as opposed to an active infiltration by a hacker looking to steal data (active)), Michael accepted that 'Privacy by Design' can work provided it is aimed at passive loss, but warned that it is useless for preventing active loss. Both UK data protection legislation and the ICO's guidance fail to draw this key distinction between passive and active threats – each requiring different approaches to address them and prevent breaches.
Michael exposed the underlying weakness of attempts to regulate 'the bad guys' capable of perpetrating active loss events through blagging, social engineering and hacking. He also explained that while technology to track internet users is not confined to cookies and can be done through 'browser fingerprinting', cookies appear to be the sole focus of the regulatory community and laws. Michael took particular issue with ICO guidance which encourages the use of PETs, since the technology is both expensive and tends to be ineffective. Michael illustrated the problems arising out of ineffective approaches to anonymisation/de-identification, by using startling examples (AOL and Netflix) of how information 'anonymised' within a large dataset is still capable of exposing personal data, and he warned that almost every public dataset can be broken.
In Michael's view better results could be achieved if data protection budgets were focussed on less innovative and expensive data protection compliance efforts such as training, policies, procedures and incident response. Michaels' blunt summation of PETs was they 'sound great', are 'very expensive' and, 'in most cases, just don't work'.
Michael's entertaining presentation wasn't entirely cynical about the potential for 'Privacy by Design' to achieve 'good things': 'If I have a new project, and I wish to build privacy concerns into it at the very start, then that is a fabulous thing. I will save money compared to trying to retrofit privacy in at the last moment. I will get better privacy, I will ask the right questions: "Do I need to store this at all?", "How quickly should this stuff expire?", "Who needs to see this and how will I validate their identity?"'
Questions and Conclusions
After such animated and thought-provoking presentations and discussion points from Steve and Michael, the Q&A session threw some challenging questions at both speakers. A number of these centred on the ICO's recent press release about cookies and the imminent implementation of the e-Privacy Directive, and the negative reaction from the business community in the absence of any guidance on how the new cookie consent mechanism will be implemented. Steve acknowledged that the situation was unsatisfactory but the regulator is tied to what the law says and the DCMS has yet to publish its views. There was criticism of the regulatory community for not focussing on the right things, such as the importance of data minimisation as the foundation stone of Privacy by Design. All agreed that the emphasis must be on limiting what is processed, and on the need for a wake-up call in the context of anonymisation practices and the common misunderstanding that what companies think and proclaim to be anonymous is not in law or fact anonymous because, for a large dataset, there is no effective way to de-identify data to guarantee protection of personal data.
There was, however, a measure of consensus by the end of the evening that should bode well for the practical development of Privacy by Design. While 'Privacy by Design' may be relatively new, 'Security by Design' is well-established and has proven to be an essential tool in information system security. Businesses need to recognise the usefulness of Privacy by Design rather than attempt to rely on PETs or to assume that use of PETs is equivalent to Privacy by Design. Use of PETs should not be confused with the value and importance of an effective Privacy by Design strategy. Provided it is not seen as a solution in itself, the 'build it in, not bolt it on' approach of Privacy by Design has an important place in the current and future landscape of global data protection compliance.
Cynthia O'Donoghue is a Partner and head of Reed Smith's Data Privacy, Security and Management and EME Technology and Outsourcing teams. Nick Tyler and Katalina Chin are Associates in the Team and all are based in the firm's London office. The team advises on both global and European data protection and information law.