Ira Rubinstein – Regulating Privacy by Design

Date: Thursday, March 24, 2011
The article I’m writing is directed at privacy regulators and seeks to clarify the meaning of privacy by design (PbD) and PETs. The main goal is to identify appropriate regulatory incentives that might offset the economic costs of adopting such technologies, especially given that the benefits of this new approach remain somewhat uncertain. The article begins by developing a taxonomy around two sets of distinctions. First, it classifies PETs as substitutes or complements depending on how they interact with legal protection of personal data. Substitute PETs aim for zero disclosure of personal data, making law superfluous. Complementary PETs fall into two sub-categories: those which are privacy-friendly (i.e., they enable greater user control over personal data through enhanced notice, choice, and access), and those which are privacy-preserving (i.e., they offer strong privacy guarantees while permitting activities, such as data mining or targeted advertising, that might otherwise be viewed as invasive). Second, it distinguishes two forms of PbD: in the first, firms build in privacy protections by using or inventing PETs; in the second, they rely on engineering approaches and related tools that implement privacy principles throughout both the product development and the data management lifecycles. Building on these distinctions, and using targeted advertising as the main illustration, I then review the economic incentives for firms to invest in privacy technology and conclude that consumer demand is weak; that firms lack the data needed for effective use of a cost-benefit approach; that some other reasons for investing, like reputational sanctions, are also weak; and that firms are reluctant to incur the opportunity costs of privacy technology investments in the form of restricting their own ability to collect or process personal data.
The article concludes by suggesting that regulators might have greater success in promoting the use of PbD by 1) identifying best practices in privacy design and development, including prohibited, required, and recommended practices; and 2) situating those best practices within an innovative regulatory framework that a) promotes experimentation with new technologies and engineering practices; b) encourages effective codes of conduct through stakeholder representation, face-to-face negotiations, and consensus-based decision making; and c) supports flexible, incentive-driven safe harbor mechanisms as defined by new privacy legislation.