
Privacy by Design – worrying developments

Posted on March 5, 2015.

Last week I attended the Privacy by Design User Forum in Toronto, where I delivered a presentation on how to develop a new project using Privacy by Design. But that is not the subject of this article; this article is about a discussion which took place at the end of the event – a lively debate on the future of Privacy by Design.

About two weeks before the event, I received a phone call from a friend in Canada who wanted to talk about my presentation, and the conversation soon moved on to how Privacy by Design’s existing Ambassadorial programme could evolve into a more robust certification model. Given the FTC’s enforcement against TRUSTe late last year, it is hardly surprising that people are looking for a more transparent and meaningful solution for privacy certification. Furthermore, ever since Dr. Ann Cavoukian left the IPC office and joined Ryerson, the Privacy by Design programme has been left in something of a vacuum. I am not being harsh or critical here; it is something many of us in this space have recognised and commented on, and it is understandable, when a public servant such as Dr. Cavoukian moves to pastures new, that projects they developed whilst in public office have to go through a transition period.

So our call developed and we got into a very lengthy discussion on certification and after about an hour we both agreed on the following general principles that should exist in any PbD certification model:

  1. Accessibility – Any PbD certification model should include a charter which makes it globally accessible.  That means that whether you are an app developer creating your first mobile app in your bedroom in Bucharest; whether you are a community project in a village in the middle of Africa or whether you are an NGO creating privacy enhancing solutions – you should be able to obtain PbD Certification.  That means costs should be either very low or free so that it is not limited to large corporations who will simply treat it as a rubber stamp opportunity.  It would give the certification real meaning, for everyone.
  2. Governing Body – Any body responsible for the management or administration of a PbD Certification model should be completely neutral and not-for-profit. PbD cannot afford to be tainted by trust issues; any situation where a body profits from the management of a certification programme creates significant conflicts of interest and, as we saw with TRUSTe, can rapidly become meaningless as corporations simply pay their fee and receive a rubber stamp – with no serious auditing system to back up the programme and no accountability should internal processes change.
  3. Accountability – There must be some form of accountability that allows the administrators to revoke certification should an audit reveal that an organisation is not compliant with the PbD model.

Now, let me be the first to acknowledge that meeting all three requirements above creates something of a problem – money. In order for a governing body to be able to manage such a programme it is going to cost money, and auditing will also cost money. So this makes the first requirement something of a problem – because in order for the programme to be truly accessible the costs must be close to zero, which means funding of the model would need to come from somewhere else.

Now when I arrived in Toronto, there were hushed discussions taking place in dark corners and a general feeling of unease with regards to the Certification programme – we all knew it was going to be discussed at the end of the day and that the content of that discussion would be forwarded to Dr. Cavoukian in the form of an open letter, but there were rumours that things had already moved forward in a significant way.

It seems that (allegedly) Deloitte have been approached to administer the programme already and this had everyone I spoke to very concerned.  One company I spoke to at the event said they had approached Deloitte about obtaining certification and had been given a preliminary quote of $100 000.

So at the end of the day as promised, we all sat down for a discussion about the certification programme and there was significant agreement with the principles I brought forward.  Everyone agreed that the programme should be globally accessible (at least I never noted any objections).  There was widespread agreement on the neutrality of the governing body and we had a lengthy discussion on how this might happen such as perhaps using an existing group like IETF, IEEE, United Nations or perhaps the executive committee responsible for the annual International Conference for Data Protection and Privacy Commissioners (to name just a few of the suggestions).  We also discussed the possibility of a board which would peer review applicants for certification which initially could be made up of existing Ambassadors of Privacy by Design (giving the existing group some form of responsibility for the evolution of Privacy by Design) – again this was widely accepted as a good idea.  In fact the discussion was incredibly vibrant with some great ideas on how we might move forward.

Then the elephant in the room was addressed – the Deloitte rumours. To say there was outrage at the news would actually be an understatement – from what I could observe, absolutely everyone was unhappy with the news and for exactly the right reasons. There was no confidence that a private (for profit) entity could manage the programme without conflicts of interest and avoid becoming the next TRUSTe scandal – it was agreed that to move forward with such a plan would destroy the integrity of Privacy by Design. Also, given that everyone agreed to the programme being globally accessible (meaning low to zero costs), one can imagine the reaction to the news that at least one company had been quoted $100 000 for certification. In fact, the entire prospect of Deloitte running the programme was seen as an absolutely unacceptable situation, and one has to understand that the people attending this event were those who most strongly endorse and practise Privacy by Design and its principles – these are the adopters, the trainers, the developers – the very core community behind Privacy by Design – their voice absolutely must be heard in any discussion about moving forward with a certification model.

This week there are more rumours that Dr. Cavoukian will be announcing plans for the certification programme at the IAPP Privacy Summit conference in Washington DC and there is deep concern that that announcement will include an arrangement with Deloitte.  If that does happen, then the future of Privacy by Design is at risk, because it is a move that is absolutely not supported by the PbD community and will destroy the integrity of PbD.

I for one hope that the rumours are wrong but to end this article on a more positive note – one thing was clear about the event in Toronto – those people who attended are passionate about PbD and will fight to secure the integrity of PbD moving forward – I am proud to be one of those people and I was proud to see such a strong reaction in Toronto.



Submitted in: Alexander Hanff, News_privacy