Posted by Alexander Hanff on March 5, 2015.
Last week I attended the Privacy by Design User Forum in Toronto where I delivered a presentation on how to develop a new project using Privacy by Design. But that is not the subject of this article, this article is about a discussion which took place at the end of the event – a lively debate on the future of Privacy by Design.
About two weeks before the event, I received a phone call from a friend in Canada who wanted to talk about my presentation and the conversation soon moved on to how Privacy by Design’s existing Ambassadorial programme could evolve into a more robust certification model. Given the FTC’s enforcement against TRUSTe late last year, it is hardly surprising that people are looking for a more transparent and meaningful solution for privacy certification, furthermore, ever since Dr. Ann Cavoukian left the IPC office and joined Ryerson the Privacy by Design programme has been left in something of a vacuum. I am not being harsh or critical here, it is something many of us in this space have recognised and commented on and it is understandable when a public servant such as Dr. Cavoukian moves to pastures anew, that projects they developed whilst in public office have to go through a transition period.
So our call developed and we got into a very lengthy discussion on certification and after about an hour we both agreed on the following general principles that should exist in any PbD certification model:
Now, let me be the first to acknowledge that meeting all three requirements above creates something of a problem – money. In order for a governing body to be able manage such a programme it is going to cost money and auditing will also cost money. So this makes the first requirement something of a problem – because in order for the programme to be truly accessible the costs must be close to zero which means funding of the model would need to come from somewhere else.
Now when I arrived in Toronto, there were hushed discussions taking place in dark corners and a general feeling of unease with regards to the Certification programme – we all knew it was going to be discussed at the end of the day and that the content of that discussion would be forwarded to Dr. Cavoukian in the form of an open letter, but there were rumours that things had already moved forward in a significant way.
It seems that (allegedly) Deloitte have been approached to administer the programme already and this had everyone I spoke to very concerned. One company I spoke to at the event said they had approached Deloitte about obtaining certification and had been given a preliminary quote of $100 000.
So at the end of the day as promised, we all sat down for a discussion about the certification programme and there was significant agreement with the principles I brought forward. Everyone agreed that the programme should be globally accessible (at least I never noted any objections). There was widespread agreement on the neutrality of the governing body and we had a lengthy discussion on how this might happen such as perhaps using an existing group like IETF, IEEE, United Nations or perhaps the executive committee responsible for the annual International Conference for Data Protection and Privacy Commissioners (to name just a few of the suggestions). We also discussed the possibility of a board which would peer review applicants for certification which initially could be made up of existing Ambassadors of Privacy by Design (giving the existing group some form of responsibility for the evolution of Privacy by Design) – again this was widely accepted as a good idea. In fact the discussion was incredibly vibrant with some great ideas on how we might move forward.
Then the elephant in the room was addressed – the Deloitte rumours. To say there was outrage at the news would actually be an understatement – from what I could observe, absolutely everyone was unhappy with the news and for exactly the right reasons. There was no confidence that a private (for profit) entity could manage the programme without conflict of interests and avoid becoming the next TRUSTe scandal – it was agreed that to move forward with such a plan would destroy the integrity of Privacy by Design. Also, given that everyone agreed to the programme being globally accessible (meaning low to zero costs), one can imagine the reaction to the news that at least one company had been quoted $100 000 for certification. In fact, the entire prospect of Deloitte running the programme was seen as an absolutely unacceptable situation and one has to understand that the people attending this event were those who most strongly endorse and practice Privacy by Design and its principles – these are the adopters, the trainers, the developers – the very core community behind Privacy by Design – their voice absolutely must be heard in any discussion about moving forward with a certification model.
This week there are more rumours that Dr. Cavoukian will be announcing plans for the certification programme at the IAPP Privacy Summit conference in Washington DC and there is deep concern that that announcement will include an arrangement with Deloitte. If that does happen, then the future of Privacy by Design is at risk, because it is a move that is absolutely not supported by the PbD community and will destroy the integrity of PbD.
I for one hope that the rumours are wrong but to end this article on a more positive note – one thing was clear about the event in Toronto – those people who attended are passionate about PbD and will fight to secure the integrity of PbD moving forward – I am proud to be one of those people and I was proud to see such a strong reaction in Toronto.
Share This: Submitted in: Alexander Hanff, News_privacy |