Right engineering? The redesign of privacy and personal data protection

Pages 230-256 | Received 12 Jan 2018, Accepted 12 Mar 2018, Published online: 10 Apr 2018
 

ABSTRACT

The idea of building safeguards for privacy and other fundamental rights and freedoms into ICT systems has recently been introduced in EU legislation as ‘Data Protection by Design’. This article studies the techno-epistemic network emerging around this idea historically and empirically. We present the findings of an ‘extended peer consultation’ with representatives of the emerging network: policy-makers, regulators, entrepreneurs and ICT developers, but also with jurists and publics that seem instead to remain outside its scope. Standardization exercises here emerge as crucial hybrid sites where the contributions and expectations of different actors are aligned to scale up privacy design beyond single technologies and organizations and to build highly interconnected ICT infrastructures. Through the notion of ‘privacy by network’, we study how the concept of privacy hereby becomes re-constituted as a ‘normative transversal’, which works both as a stabilizing promise for responsible smart innovation and, simultaneously, as a catalyst for the metamorphosis of the notion of privacy as elaborated in legal settings. The article identifies tensions and limits within these design-based approaches, which can in turn offer opportunities for learning lessons to increase the quality of privacy articulations.

Acknowledgements

We wish to thank Katja de Vries for her consultations at the start of the research process and Antti Silvast for his instructive comments on an earlier version of this text.

Disclosure statement

No potential conflict of interest was reported by the authors.

Notes

1. European Parliament and Council Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

2. See article 24 GDPR on ‘responsibility of the controller’.

3. Data protection through extra-legal instruments and processes in addition to law has developed gradually in most jurisdictions (see Bennett and Raab 2006).

4. It seems to follow similar logics as approaches such as value-sensitive design (Friedman 1996).

5. In ways analogous to those described as mediation of values and technological artefacts by sociologists of technology (Latour 1999).

6. CANDID – Checking Assumptions and promoting responsibility in smart Development – was an EU Horizon 2020 project, Grant no – 732561. The project aimed to critically appraise smart technologies and to explore their prospects.

7. The IoT is a key priority for the EU Digital Single Market. The European Commission estimates that the number of IoT connections within the EU will increase to almost 6 billion in 2020, leading to a trillion euro market (Commission Staff Working Document Advancing the Internet of Things in Europe, SWD/2016/0110). Privacy by design has been singled out as a key concern for all IoT stakeholders, especially ICT product developers (Article 29 Working Party 2014).

8. This shift to the articulation of rights in the socio-technical design of ICTs does not imply that other modalities like written text disappear. ‘Just as written law has not replaced the role of unwritten law but complemented and changed it, written law as well as unwritten law will continue to play a key role in providing legal protection’ (Hildebrandt and Koops 2010, 454).

9. These technologies had been developed since the 1980s by computer scientists and cryptographers, most notably Chaum (1981).

10. European Commission M/530 Implementing Decision C(2015) 102 on a standardization request to the European standardization organizations as regards European standards and European standardization deliverables for privacy and personal data protection management.

11. See Kamara (2017) on this case as an example of an increasing co-regulation approach to EU data protection.

12. See, for instance, European Commission Rolling Plan for ICT Standardization 2015, GROW/H3.

13. Enshrined in article 7 of the Charter of Fundamental Rights of the European Union, OJ C 326, 26 October 2012.

14. Supra note 6.

15. We draw inspiration from the notion of ‘extended peer review’ elaborated by Funtowicz and Ravetz (1993). An extended peer review is the process of including people and groups that have experience and knowledge beyond academic science when trying to assure the quality of research, thus increasing the reliability of results. Here, we apply the concept within a techno-regulatory context, also with the aim of extending to other epistemic sources.

16. From this perspective personal data protection, as captured in the notion of DPbD, becomes another such articulation on top of these earlier privacy-design developments, in spite of the fact that privacy and data protection are often considered distinct in legal practice.

17. Recital 78 of the GDPR states that ‘producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications [emphasis added]’. Bygrave (2017) remarks that ‘the Regulation evinces an expectation that the duty imposed by Article 25 on controllers will be passed both ‘downstream’ to processors and ‘upstream’ to technology developers’ (116).

18. This right was first recognized by the German Constitutional Court in 1983 (BVerfGE 65, 1). It can be understood in association with the free development of personality, according to which subjects need to have the capacity to decide autonomously (see Gonzalez Fuster 2014).

19. The Charter recognizes privacy and personal data protection as two distinct fundamental rights in articles 7 and 8. The right to privacy protects the individual by warranting a certain level of opacity to the citizen (Gutwirth and De Hert 2007). Opacity guarantees non-interference in individual matters by the state and, more recently, by private actors. The right to personal data protection instead imposes a certain level of ‘transparency’ and accountability on the exercise of power.

20. Co-creation is an approach for the joint creation of value by the company and the customer. Its principles are: dialogue with users, access to data, risk assessment and transparency of information (Prahalad and Ramaswamy 2004).

21. EIP-SCC is a public–private partnership supported by the European Commission bringing together cities, industries, SMEs, investors, researchers and other smart city actors. http://eu-smartcities.eu/initiatives/2/description.

22. Standards imply a process through which organizational claims about adherence to norms can be more objectively tested (Bennett and Raab 2006).

23. Standards ‘play a very important role within the internal market […] in the presumption of conformity of products to be made available on the market with the essential requirements […] laid down in the relevant Union harmonisation legislation’. Recital 5 of European Parliament and Council Regulation 1025/2012 on European standardization.

24. In this view, work on the basic infrastructure for ICT systems is of horizontal relevance and ‘standards should be considered as building blocks. Metaphorically, one could see these technologies such as Lego pieces that can be utilised to build complex architectures’ (EC Rolling Plan 2015, 5, supra note 12). Privacy aspects are a prime example.

25. Especially ISO 27550 standard on Privacy Engineering (see Section 2).

26. This contribution was made in a peer public session focused specifically on DPIA. See van Dijk and Rommetveit (2015).

27. The peer states that contributions from ethics and social science may not be able to counter this tendency but could rather reinforce it. Such shifts could imply epistemic divisions concerning who is articulating what within these processes. She argues that this poses the risk that human rights such as privacy are separated into two components, in which the articulation of privacy as a value is delegated to ethics and social studies (as in ELSA studies for ethical, legal and social aspects) and the articulation of privacy as a right to jurists. This externalizes values from human rights.

28. Thompson (2013). This goes beyond both the idea of ethics having to ‘clean up’ after science (ethics lag) and the idea of merely describing the ethical, legal and social implications of scientific research and development (ELSA studies).

29. Similar arguments have been made about the co-productive role of law in techno-scientific innovation, criticizing the image of a ‘law lag’ and arguing for the constitutive role of law within scientific work itself; see Jasanoff (2007).

30. On the crucial difference between law and technology in this context of techno-regulation, see Brownsword (2005); Gutwirth, De Hert, and de Sutter (2008); de Vries and van Dijk (2013).

31. It has been noted that design-based approaches to fundamental rights and freedoms raise concerns about lack of democratic legitimization and the unambiguous self-enforcing character of ‘code as law’, leaving no room for deliberation (Hildebrandt and Koops 2010).

32. The colour blue here pertains to privacy as one of the first-generation human rights as civic and political freedoms often called blue rights. This is in contrast with second-generation economic, social and cultural rights (red rights) and third-generation environmental and other rights (green rights).

33. The chain perspective is also relevant for understanding the interdependencies of data processing across multiple stakeholders, which can give rise to systemic privacy risks at the level of the broader ICT ecosystem.

34. Like those involved in developing DPIA templates for RFID and smart metering technologies.

35. See Sections 2 and 4.4.

36. A second source is Actor Network Theory (Callon 1986; Latour 1999).

37. For this notion, see Callon (1986).

38. Some have argued that this hybrid innovation governance situation requires a shift from individual role responsibility to ‘collective co-responsibility’ for the innovation process, partly through such ‘responsibilization’ methods as standardization, certification and codes of conduct that go beyond the limits of positive law (Von Schomberg 2011).

39. Beyond responsibility (performance of roles) lies accountability, in the sense of the requirement to give an account to the public and/or regulators of how a certain role has been carried out and conforms to legal and ethical requirements (Raab 2012). The ability of distributed responsibility-holders in the privacy-design network to give such accounts would be in some doubt.

40. On crossing this ‘Rubicon’ between law and engineering in privacy design, see Rommetveit, Tanas, and van Dijk (forthcoming).

Additional information

Funding

This work was supported by the European Commission funded Project CANDID – Checking Assumptions and promoting responsibility in smart Development – EU Horizon 2020 project, under [grant number 732561] and by the Belgian ‘Research Foundation Flanders’ (FWO) funded projects: ‘A Risk to a Right? Exploring a new notion in data protection law’ [grant number G046815N], and ‘Rights in Design. The technological reconstitution of privacy and data protection’ [grant number 12K4316N].
