Ira S. Rubinstein

Regulating Privacy by Design

Privacy regulators are embracing privacy by design as never before. This is the idea that “building in” privacy throughout the design and development of products and services achieves better results than “bolting it on” as an afterthought. In the US, a very recent FTC Staff Report makes privacy by design one of three main components of a new privacy framework. According to the FTC, firms should adopt privacy by design by incorporating substantive protections into their development practices and implementing comprehensive data management procedures; the latter may also require a privacy impact assessment (PIA) where appropriate. In contrast, European privacy officials view privacy by design as also requiring the broad adoption of Privacy Enhancing Technologies (PETs), especially PETs that shield or reduce identification or minimize the collection of personal data. Despite the enthusiasm of privacy regulators, privacy by design and PETs have yet to achieve widespread acceptance in the marketplace. One reason is that Internet firms derive much of their profit from the collection and use of personal data and may be unwilling to build in privacy if it disrupts profitable activities or new business ventures. Nor does the available evidence support the view that privacy by design pays for itself (except perhaps for a small group of firms who must protect privacy to maintain highly valued brands and avoid reputational damage). At the same time, the regulatory implications of privacy by design remain murky at best, not only for adopters but also for free riders. This Article seeks to clarify the meaning of privacy by design and thereby suggest how privacy regulators might develop appropriate incentives to offset the certain economic costs and uncertain privacy benefits of this new approach. It begins by developing a taxonomy of PETs, classifying them as substitutes or complements depending on how they interact with data protection or privacy laws. Substitute PETs aim for zero-disclosure of PII, whereas complementary PETs enable greater user control over personal data through enhanced user controls. Next, it explores the meanings of privacy by design in the specific context of the FTC’s emerging concept of “comprehensive information privacy programs.” It also examines the activities of a few industry leaders, who rely on engineering approaches and related tools to implement privacy principles throughout the product development and the data management lifecycles. Building on this analysis and using targeted advertising as its primary illustration, the Article then suggests how regulators might achieve better success in promoting the adoption of privacy by design by 1) identifying best practices in privacy design and development, including prohibited practices, required practices, and recommended practices; and 2) situating best practices within an innovative regulatory framework that a) promotes experimentation with new technologies and engineering practices; b) encourages regulatory agreements through stakeholder representation, face-to-face negotiations, and consensus-based decision making; and c) supports flexible, incentive driven safe harbor mechanisms as defined by (newly enacted) privacy legislation.

The anonymization debate should be about risk, not perfection

Focusing on the process of anonymity rather than pursuing the unattainable goal of guaranteed safety.

Federal and State Preemption of Local Privacy Regulation

In recent years, cities have started to regulate the collection, use, and disclosure of personal data by local government agencies. Much of this regulatory activity involves setting limits on police department acquisition and/or use of surveillance equipment and technology or establishing privacy principles safeguarding all data collection and use by city agencies. Obviously, the prospects for successful local policymaking in the privacy arena (“privacy localism�?) extend no further than the preemptive effect of applicable federal and/or state law. If federal electronic surveillance law preempts local surveillance ordinances or city privacy laws, that’s game, set, and match. State preemption of privacy localism poses an even greater threat given that cities derive their power to govern not from any federal sources of law but from state constitutional and statutory provisions as interpreted by state courts. Thus, states can override local privacy initiatives in either of two ways: by enacting laws that preempt local privacy laws or withdrawing city authority to adopt such laws. In short, quite apart from its substantive merits, the success or failure of privacy localism largely rests on cities finding ways to avoid preemption and maintain local power. This Article examines in detail the threat of federal and state overrides of privacy localism. This is a narrow perspective on privacy localism but of vital importance for the reason just given: federal — and especially state — preemption has the capacity to stop local privacy regulation in its tracks. The inquiry into federal preemption of local privacy regulation requires a review of over two dozen federal privacy statutes. This turns out to be quite manageable because so few of them bear directly on local surveillance ordinances or local regulation of city data practices (which are the principle concerns of privacy localism). State preemption is harder to tackle given that there are approximately 700 state privacy laws, which makes for a crowded regulatory arena with a seemingly endless capacity to override local privacy law. The sheer number of state laws requires some simplifying assumptions to guide the state preemption analysis. Because Seattle and New York city are leading the way in regulating local police use of surveillance technologies and local data practices, this Article will mostly focus on Washington and New York state laws regulating (1) video cameras and/or facial recognition, automatic license plate readers (ALPRs), and drones; and (2) government records or personal data collected by government agencies insofar as they overlap with Seattle and New York City’s locally adopted privacy rules.