“Privacy by Design” to become even more important globally

Privacy-bloggen: You have been acknowledged as being one of the first in the world who recognized  the potential importance of technology to protect privacy and personal data and you have, as early as  in the mid-1990s, presented the Privacy by Design concept. What is this concept about, and what impact do you reckon it will have in the future?

Ann Cavoukian: At the heart of Privacy by Design (PbD) is the tenet that individuals have the right to control their own personal information. Much more than a theoretical concept, Privacy by Design is a real-life solution that proactively embeds privacy into technologies, business practices and networked infrastructure at the outset to ensure that privacy is the default condition. Of course, building in privacy at the start is not always possible, which is why my Office recently introduced Privacy by ReDesign to implement PbD into already existing and legacy systems.

Regarding its future impact — the possibilities are limitless as technologies are forever changing. In this growing world of online social media, mobile devices, big data and of course cloud computing, privacy is paramount. But we must change our thinking from a zero-sum paradigm to positive-sum. This means that privacy is not sacrificed at the expense of other business interests, such as security. You can, and must, have both. Our interests are diverse — among other things, we want to socialize on the Internet, build a more sustainable electrical grid, utilize and share health records and more. We can do all of these things and still have privacy, but only if we prioritize it as a requirement for both new and existing technologies, infrastructures and business practices. Our need for privacy has not disappeared. On the contrary, privacy is an essential dimension of the human condition and it will continue to be well into the future.

Privacy-bloggen: We are living  in a globalizing world driven by digitization. As the Internet knows no national boundaries, it seems reasonable to assert that there is a need for a global privacy regime. But is it possible, with the cultural and legal differences that exist, and is the way forward more likely to create a set of universal privacy principles that comply with the demands from consumers, businesses and governments?

Ann Cavoukian: Privacy is a fundamental right that knows no borders. Privacy by Design is a solution for everyone – consumers, businesses and governments. Last year, a landmark resolution was unanimously passed by global Data Protection Authorities to make Privacy by Design an international standard. This endorsement marks a sea change in how the international community will go about preserving privacy. Of course, my work does not end with this accomplishment. For over 20 years, as the Information and Privacy Commissioner of Ontario, Canada, I have partnered with stalwarts such as IBM, Intel, and Nokia to advance Privacy by Design. Together, we have fostered innovation and accomplished groundbreaking work in many fields, including biometrics, the Smart Grid and even Targeted Advertising. Forging new relationships to advance Privacy by Design is not a hard sell. After all, Privacy by Design makes sense for everyone — especially businesses. Not only is it cheaper to build in privacy before a breach occurs, it is also a compelling way to win the trust of clients and build your brand.

Privacy-bloggen: Considering that legal responses often lag behind market and technology innovation, would you agree that self-regulation is an adequate and timely instrument to meet privacy and data protection challenges including citizen engagement and empowerment as a prerequisite for sustainable solutions?

Ann Cavoukian: To preserve privacy and adequately protect data, you need both self-regulation as well as regulatory oversight. However, with the rapidly changing pace of technology, it is difficult for legislation to keep up, which is why Privacy by Design is important. PbD is flexible and can be utilized by organizations from a small local business to a large government body. Regarding privacy protection, it is simply ‘good business’ for companies to be proactive and stay ahead of existing legislation. Strong privacy practices form the basis of a virtuous cycle that establishes trust of the brand in the minds of consumers, which leads to greater loyalty, ultimately driving competitive advantage.

The exponential growth of information and communications technology has benefited us in many ways, such as fostering citizen engagement and the empowerment of individual and collective voices.  In my role as a Commissioner, overseeing both access and privacy, this information explosion has spurred a wide variety of challenges. Recently, I have been particularly concerned at the lack of understanding between the concepts and purposes of Big Data and Open Data. Simply stated, Big Data describes the ever-increasing massive amounts of information that organizations have, and continue to collect — much of which is personally identifiable information. On the other hand, Open Data rests on the idea that certain types of non-personal information such as maps, medical research etc., should be freely available to unrestricted use by everyone. Open Data encourages civic participation and redefines the importance of freedom of information legislation across the globe. As the Big Data movement continues to grow and evolve, it is well worth holding onto the fact that privacy remains fundamental to our freedom.


Dr. Ann Cavoukian,  since 1997  the Canadian Province of Ontario’s Information and Privacy Commissioner, is recognized as one of the leading privacy experts in the world.

The post is the English edition of the post on Privacy-bloggen.


Danmark bør gå i front med CSR-innovation i menneskerettigheder

Danmark og CSR

I Forsk2015 kataloget (maj 2008), der identificerer og prioriterer Danmarks strategiske forskningstemaer, fremhæves virksomhedernes evne til at innovere som en central udfordring og at en strategisk forskningsindsats skal tilvejebringe et forbedret videngrundlag for virksomhedsledere, medarbejdere og politikere omkring den måde, hvorpå innovationsprocesser ledes, organiseres og fremmes bedst muligt. Målet er at bringe Danmark op blandt de mest innovative lande i verden.

Regeringen har i sin handlingsplan for virksomheders samfundsansvar (maj 2008) sat sig et visionært mål om, at udbrede forretningsdrevet samfundsansvar blandt både store og mindre virksomheder.

Om forretningsdrevet samfundsansvar foreslår regeringen for eksempel, at virksomhederne kan udvikle nye produkter eller ydelser, der indeholder en social eller miljømæssig dimension.

I forbindelse med et af de fire indsatsområder i handlingsplanen om udbredelse af forretningsdrevet samfundsansvar vil regeringen bl.a. øge rådgivningen om innovation og samfundsansvar til små og mellemstore virksomheder i de regionale væksthuse.

I tilknytning til denne aktivitet har Center for Samfundsansvar netop stået i spidsen for et nordisk projekt om CSR-drevet innovation, der har til formål at støtte en innovationsproces, der med udgangspunkt i sociale eller miljømæssige hensyn bidrager til udvikling af en service eller et produkt, der er økonomisk rentabelt samtidigt med, at det gavner medarbejdere, miljø eller samfund på nye måder.

Endvidere har Europa-kommissionen med den “Europæiske Alliance for CSR” til hensigt at medvirke til at få de europæiske virksomheder til at acceptere Corporate Social Responsibility og at øge støtten til og anerkendelsen af CSR som et bidrag til en overordnet bæredygtig udvikling og til Europæisk vækst og beskæftigelse. Alliancens medlem- mer har bl.a. identificeret et prioritetsområde baseret på samfundsmæssige behov, at fremme innovation inden for bæredygtig teknologi, produkter og services samt at skabe innovation på miljøområdet med specifikt fokus på at integrere den miljømæssige nyttevirkning og energibesparelser i produkt- og service udviklingsprocessen.

Danmark og IKT

Det fremgår ligeledes af FORSK2015 kataloget, at visionen er, at Danmark i 2015 er ledende inden for udvikling af nye innovative IKT-baserede produkter og services samtidig med, at samfundets behov og den generelle IKT udvikling i højere grad sammentænkes. En central passage i kataloget er følgende: ” Der vil i en række sammenhænge også være behov for at indtænke emner som sikkerhed, pålidelighed, tryghed og privacy i forskningen.”

I 2008 rangerer FN’s E-Government Survey Danmark blandt de øverste to lande i offentlig e-parathed kun overgået af USA. Endvidere er Danmark placeret blandt de fem første lande på globalt plan i indeks om e-parathed (EIU 2008). Hertil kommer, at  EIU World Investment Prospects anser Danmark for at have det mest erhvervsvenlige miljø i perioden 2007-2011.

Europa-Kommissionens Digital Competitiveness Report (august 2009) viser, at Danmark er blandt de bedste nationer for de fleste i2010 indikatorer og er en klar frontløber i udviklingen af informations-samfundet. Med en handlingsplan for grøn IT lanceret i 2008, er Danmark også i front med hensyn til miljøvenlig anvendelse af IKT.

Selvom Danmark på det seneste på visse punkter har mistet lidt af sin førerposition, så vidner tal som disse om, at Danmark er en verdensklasse IKT-klynge, og at regionen besidder et enormt forretningspotentiale for internationale IKT-aktører. Danmark har en stor koncentration af virksomheder, der arbejder inden for IKT-området, og den største IKT-klynge i Danmark er placeret i det Storkøbenhavnske område og spænder over den sydlige del af Sverige.

Denne grænseoverskridende IKT klynge har en arbejdsstyrke på 100.000 IKT-medarbejdere og fungerer som en fremragende indgang til den skandinaviske IKT-industri.

Danmark og CSR-IKT innovation

En virksomheds samfundsansvar drejer sig også om at respektere og fremme de grundlæggende menneskerettigheder. 6 af FN´s 10 principper for samfundsansvar for virksomheder (Global Compact) fremhæver, at virksomheder bør støtte og respektere internationalt erklærede menneskerettigheder; samt sikre, at den ikke medvirker til krænkelser.

Imidlertid er der ikke den store fokus på at udvikle nye produkter eller serviceydelser, der indeholder en menneskeretlig dimension. CSR-innovation og design i menneskerettigheder kan på samme måde som et  miljømæssigt engagement være knyttet til en virksomheds forretning og forretningsmodel, til processer og teknologier og til bestemte produkter og services med henblik på at fremme en udvikling af de grundlæggende menneskerettigheder.

Som udgangspunkt vil der kunne opnås en særlig synergieffekt ved at fokusere på  menneskerettigheder, som har en særlig betydning for IKT området, såsom informations- og ytringsfriheden, retten til at deltage i teknologisk udvikling samt retten til privatlivets fred.

CSR-innovation og design i menneskerettigheder (eller CSR-innovation and design in human rights) vil ikke alene kunne være rettet mod løsning af bestemte menneskerettighedsmæssige problemer båret af et samfundsmæssigt hensyn men også være specifikt markedsorienteret. Et paradigmeskift med forretningsmodeller, teknologier, samarbejdsmodeller, idéskabelse og iværksætteri i et menneskeret-tighedsmæssigt perspektiv vil befordre en ny almengyldig og fundamental tilgang til ansvarlig innovation.

Den ekspansive udvikling af overvågningsteknologier som f.eks. RFID, biometri, GPS, CCTV, MEMS, smart ID-kort osv. især efter 11/9, har samtidig medført ny og spændende forskning og udvikling i privacy enhancing technologies (PET). Disse PET løsninger er et sammenhængende system af IKT instrumenter som beskytter privacy ved at eliminere eller reducere persondata eller ved at forhindre unødvendig og/eller uønsket behandling af persondata uden at miste datasystemets funktionalitet, Business casen viser, at der kan designes teknologier til beskyttelse af privatlivets fred, som jo er en basal menneskeret (Menneskerettigheds-erklæringens artikel 12).

CSR innovation og design i menneskerettigheder skal være med til at udvikle nye teknologier ( f.eks. ambient intelligence i sammenhæng med embedded system design), videnskoncepter og videnskompetencer. Mange relevante nøgleteknologier eksisterer allerede, men skal videreudvikles og forfines til specifikke formål i en ny kontekst (teknologisk konvergens) i sammenhæng med udvikling af nye forbrugerorienterede markedsmekanismer. CSR innovation and design in human rights er ikke kun en ny trendy public relation idé, men et helhedsorienteret, nytænkende og skelsættende koncept med en forretningsmæssig forankring, som skal bidrage til at eliminere den tilsyneladende dikotomi mellem profit og etiske principper ved at gøre investeringer i human rights profitable i både snæver og bredere forstand.

Danmark er verdens mest innovative land med hensyn til virksomheders samfundsansvar (CSR) også kaldet samfundsansvarlig virksomhedsinnovation eller CSI. Der er mange gode grunde til at fastholde og udbygge denne førerposition ved at udnytte etablerede ressourcer, kompetencer og synergieffekter til at satse på det hidtil ret oversete aspekt af CSR, der synes at have et signifikant globalt potentiale. Om brugerdreven innovation og demokratisk teknologiudvikling, der ligger i forlængelse af CSR, henvises til et blogindlæg om biometri.

Forskellige initiativer med en række aktører vil derfor blive undersøgt i den kommende tid.  Eventuelt interesserede er velkommen til at rette henvendelse til Dansk Privacy netværk´s sekretariat.

The European Security Research and Innovation Forum (ESRIF) underlines human rights and privacy

European Security Research and Innovation Forum (ESRIF) has released its final findings a 323 page report on aspects of European Research and Innovation to enhancing the security of European citizens.

From a human rights and privacy perspective the reports main statements and recommendations raises hope for a new sustainable agenda of immense impact on European and global security. These aspects are pointed out several places in the report. For instance with this message (on page 12):

“Protecting the EU’s population and infrastructure must resonate with good governance, common economic sense, and respect for fundamental rights and Europe’s cultural values. For ESRIF, gaining a competitive advantage and leadership position in the global security market for Europe must reflect European values.”

And further on page 21: ” Surveillance is increasingly a central element of security management and takes place through a number of means, from closed circuit television to various biometric tools. As these tools are developed, the impact on European values of the relation between surveillance and civil and human rights, the place of new technologies in society role, their role in security crises and their consequences for the individual remain poorly understood. Future research and innovation should carefully assess these societal questions and their links with Europe’s security”.

In the public debate security and privacy is often characterized as a zero-sum trade off in the sense that any gain by one side is offset by an equal loss on the other side. But this is not necessarily true for tradeoffs between privacy and security and the report challenges this presumable dicthomy. In this connection I would like to highlight this passage:

“A primary task of ESRIF is to develop criteria and guidelines for security technologies and measures in line with human rights in general and with the protection of privacy. Security technologies that are consistent with and enhance privacy should allow the security industry to develop widely acceptable security products. Integrating privacy in the design of new security technologies and systems will be a competitive advantage for the European security industry. It should be possible to implement them in such a way that in the future more security does not imply a loss of privacy.”

Further it is stated that ESRIF advocates implementation of a ‘privacy by design’ data protection approach that should be part of an information system’s architecture from the start. “To ensure real effectiveness, this privacy-by-design” protection should combine general privacy controls, a separation of data of different streams, privacy management systems, and effective ‘anonymisation’ of personal data. Research in these areas must be pursued to ensure that effective solutions are available as soon as possible” (page 31).

ESRIF also have as a key message “the promotion of a security by design approach in any newly developed complex system or product, ensuring that security is addressed at the point of conception, as it has been the case for safety by design”.

This could be considered as a new research and innovation challenge embedding from scratch both privacy and security instruments being of equal importance and necessity in the process from concept and design to system development and operation. Maybe it would call for a new term to clarify this research and innovation approach ? For instance: “privacy and security integration by design” ?

From the report I would also like to mention the key message that “education and scenario-based training contribute significantly to the overall acknowledgement and recognition that security is a common responsibility of all stakeholders, especially, policymakers, regulators and citizens.” In a recent  post  I have pinpointed the importance of education and learning in regard to privacy and data protection due to the same reasons.

I have also given special attention to the reports statements about biometrics in a post (in Danish) on the blog of Danish Biometrics appreciating in particular the message that ” The EU Commission itself has classified biometrics as a privacy enhancing technology and it is understood that the Commission would wish biometric technologies to be developed more towards the preservation of users’ privacy”.

I highly recommend reading the report which can be downloaded here.

Read the preliminary reaction of the EU Commission to the ESRIF final report here.