Fecha de recepción: 31 julio 2014 / aprobación: 14 noviembre

Universidad de los Andes Facultad de Derecho Revista de Derecho, Comunicaciones y Nuevas Tecnologías

No. 12, Julio - Diciembre de 2014. ISSN 1909-7786 The interaction between individuals and technology, and the constant creation of digital products and services requires the permanent use and access of personal information. Therefore companies are requested to keep an active role in what refers to the protection of consumer privacy. Privacy by Design emerges as a movement which promotes that companies, in addition to comply with the law, should implement privacy throughout different processes of the organization, as well as the assurance of the protection of privacy by default, whenever the consumer uses the service or product. Technology is not a threat against privacy likewise, privacy is not an obstacle against technology’s development.

Law and technology, privacy, privacy by design, privacy by default, privacy policy.

La interacción entre los individuos y la tecnología, así como el desarrollo constante de servicios y productos digitales, hace necesario el acceso y uso permanente de información personal, por lo cual las empresas son llamadas a mantener un rol activo en cuanto a la protección de la privacidad de los consumidores. Privacidad por Diseño, surge como una corriente que promueve que las empresas, además de cumplir con la ley, implementen la privacidad en los diferentes procesos de la organización, así como la seguridad de protección de la misma, por defecto, al momento en que el consu- midor haga uso del servicio o producto. La tecnología no es una amenaza para la privacidad, así mismo la privacidad no es un obstáculo en contra de su desarrollo.

Derecho y tecnología, privacidad, privacidad por diseño, privacidad por defecto, políticas de privacidad.

A interação entre os indivíduos e a tecnologia, assim como o desenvolvimento constante de serviços e produtos digitais, torna necessário o acesso e uso permanente de informação pessoal, pelo qual as empresas são chamadas a manter um papel ativo sobre a proteção da privacidade dos consumidores. A privacidade por desenho surge como uma corrente que promove que as empresas, além de cumprir com a lei, implementem a privacidade nos diferentes processos da or- ganização, assim como a segurança de proteção da mesma, por defeito, no momento em que o consumidor faça uso do serviço ou produto. A tecnologia não é uma ameaça para a privacidade, assim mesmo a esta última não é um obstáculo contra seu desenvolvimento.

direito e tecnologia, privacidade, privacidade por desenho, privacidade por defeito, políticas de privaci- dade.

*

**

Introduction - I. WHY PRIVACY BY DESIGN? - II. FAIR INFORMATION PRACTICES (FIPs) - A. FIPs Origin - B. FIPs Evolution - III. PRIVACY BY DESIGN (PbD) - A. Seven foundational principles of privacy by design - B. Suggestions to implement a privacy by design program, in an organization III. Conclusion - References

* How to cite this article: Galindo J., (2014). Privacy by design. Implementing privacy as a good business decision. Revista de Derecho, Comunicaciones y Nuevas Tecnologías, 12. Universidad de los Andes (Colombia).

** uly Galindo Q. holds a law degree from Universidad de Los Andes in Bogotá (2007). Specialist in commercial law from the Universidad de Los Andes (2008). Assistant of Summer Course, emphasizing in transnational copyright and World Trade Organization, Georgetown University, Center for Transnational Legal Studies, London, (2010). Member of the Department of Intellectual Property, Information Technology and Entertainment at Abogados. E-mail: [email protected], [email protected]

zations a competitive advantage. Nowadays, the consumer has become the target of constant The exponential growth of technology, and more messages (from government, news, peers, fa- July Galindo Q - mily members, etc.) related to the need to ac- mersion of personal information during its use, tively protect personal information. The context indicates a need for a clear set of rules, princi- in which companies do business is different, ples and proceedings as to how companies can the costumer is different, and smarter, and this continue the technological race while still incor- change requires companies to provide the pro- porating practices that protect people’s perso- tection for which the costumer is asking. The nal data. company that is able to provide privacy protec- tion will have a better market position and will The consumer expects control over the informa- even arise as the recipient of the group of cos- tion, security standards of the receiver and fair- tumers that have decided to abandon services ness of the business practices, from the deve- loper of any service or product. These aspects in a coherent and integral manner, their privacy expectations. personal information, which in the end, should respond to the users’ expectations as to how a business executes the management of privacy. This moment requires a shift from the domina- Each day users are more aware about their ting privacy compliance/remedy approach to a privacy, and how their personal information is more proactive role on the side of the compa- managed. Failures to protect privacy and missu- nies. Privacy by design arises as an instrument ses of personal data, become newsworthy and to help organizations implement privacy by public relations nightmares (for the company), default. Privacy will be embedded accordingly and each day the public impact is greater. We from the earliest stages of the creation of a ser- can mention recent scandals involving priva- vice or product, it will cease then to be a matter cy violations associated with entities from the reserved only for lawyers, as privacy will also public and private sector. The National Securi- be a relevant aspect for the developers’ design ty Agency (NSA) was accused of espionage and process. Certainly, how the organization loca- surveillance programs over domestic (US) civi- tes the common interests of privacy, user pro- lian communications; the programs were presu- mably even extended to tape German Chancellor effect over the response to the ever-increasing Angela Merkel’s mobile phone.1 In 2012, Google challenges of data privacy management.

Privacy is a good business decision, and the 1 See, A chronology of the NSA surveillance scandal, Dw.De, http:// www.dw.de/a-chronology-of-the-nsa-surveillance-scandal/a-17197740 ability to implement it as default gives organi- (last visited March 25, 2014)

4 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho entities therein involved.6 These incidents, and the Federal Trade Commission (FTC) has ever their media exposure, increase people’s expec- issued), after the FTC concluded that Google tations, which demands a response through the misrepresented privacy assurances “to users of measures and practices that companies design, Apple Inc.’s Safari Internet browser that it would to engage in the correct management of perso- not place tracking “cookies” or serve targeted nal information. ads to those users, violating an earlier privacy settlement between the company and the FTC.”2 Complying with standards and regulations rela- Target Corporation faced a privacy security data ted to privacy should not be considered by com- breach that compromised personal information panies as a remedy or response to incidents of costumers that purchased items from Target’s that compromise personal information. Rather, US stores from November 27 to December 15, privacy should be present throughout the entire 2013.3 The personal information involved in the data breach incident was known to be the custo- or product. The challenge then is how to unders-

tand and translate users’ privacy expectations, mer name, credit or debit card number, and the card’s expiration date and CVV.4 These are only and existing standards and regulations, into the a few examples of privacy incidents5 that have design and future use of the creation. Thinking made it to the news, exposing the relevancy of of how to preserve and incentivize privacy, while privacy to the public eye while having a directly including it in the development process of the detrimental effect over the reputation of the product itself, is what privacy by design is about. After all, this concept corresponds to the action of realizing privacy standards, practices and ex- pectations, through code.7 In this sense, and by

2 Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented implementing a program of privacy by design8, Privacy Assurances to Users of Apple’s Safari Internet Browser, Ftc. Gov, http://www.ftc.gov/news-events/press-releases/2012/08/google- organizations will be able to actively achieve the will-pay-225-million-settle-ftc-charges-it-misrepresented (last visited March 25, 2014) compliance of privacy standards, regulations and expectations, and to prevent privacy inci- 3 See, A message from CEO Gregg Steinhafel about Target’s payment card issues, corporate.tarGet.com, https://corporate.target.com/ discover/article/Important-Notice-Unauthorized-access-to-payment-ca 6 See Ira S. Rubinstein; Good, Nathaniel, Privacy by Design: A (last visited March 25, 2014) Counterfactual Analysis of Google and Facebook Privacy Incidents, 28 Berkeley tech. l.J. 1333, 1336 n.7 (2013) (discussing that in general, 4 See id. privacy incident correspond to privacy concerns and “not every privacy incident results from a design failure or causes harm. However, because privacy is highly cherished and causes anxiety if violated, 5 See Acquisti, Alessandro; Friedman, Allan; and Telang, Rahul, many privacy incidents are associated with negative press coverage, Is There a Cost to Privacy Breaches? An Event Study (2006). ICIS reputational harm, regulatory investigations, and/or enforcement 2006 Proceedings. Paper 94, available at http://aisel.aisnet.org/ actions”.) icis2006/94 (last visited March 26, 2014) (mentioning that a privacy incident, in a broad descriptive understanding, corresponds to “an event involving misuse of individuals’ personal information. This 7 Id. at 1341. be criminal, commercial, or ultimately innocuous. It can be intentional 8 Id. or unintentional. It can involve customers’, partners’, or employees’ data.”) privacy by design programs)

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 5 dents9. By virtue of this baseline principle, com- her words “I had long been worried that Google panies “promote consumer privacy throughout knew too much about me — after all, like most their organizations and at every stage of the de- people, I used Google search, Google maps, July Galindo Q velopment of their products and services”.10 Google docs and Gmail on a daily basis. Not to mention the Google ads that tracked me across In February 2014, TIME magazine published an the Web.”12 After accessing the collected search 11 article serving as an example of the importan- queries that Google keeps from every user as ce that users nowadays give to the privacy of part of its tracking feature, Agwin found that their information. In the article “How I Quit Goo- the information went back to the moment she gle,” the author explains her reasons for ceasing opened her Gmail account in 2006. In total, she to use any kind of service related to Google. It found 26,000 Google searches performed by is relevant to clarify before continuing with this her. She found that the categorized searches re- explanation (that by no means is here argued) that personal information should never be sha- representation of the activities she had perfor- red nor collected as a result of the user-product/ med, and of her thoughts throughout the day. service interaction. Nonetheless, it is no secret Agwin described the searches, as being more that a company’s behavior towards privacy may - be a deal breaker during the decision-making med, “my searches are among the most sensi- process of a user deciding between products or tive information about me”. The extremely lar- services with comparable purposes/functions. ge amount of information, and the possibility of To this effect, the user’s privacy practices and such information being used to obtain correla- choices will directly correspond with the imple- ted results about her future interests and beha- mented privacy by design program. quitting Google search. She moved to a search In the article, Julia Agwin describes her privacy engine called DuckDuckGo. concerns after noticing the amount of personal information that Google collected about her. In DuckDuckGo is a search engine that offers the search service without tracking the user; its pre-

9 See, , Privacy by Design: The 7 Foundational Principles, mise is not collecting or sharing personal infor- (2011), http://www.privacybydesign.ca/content/uploads/2009/08/7fou mation. As an example of the “search leakage” ndationalprinciples.pdf (last visited March 26, 2014) (explaining, that privacy by design should be preventative and not remedial. “…Privacy that is involved in other search engines, Duck- by design comes before-the-fact, not after”). DuckGo explains in its privacy policy “when you 10 Fed. Trade Comm’n, Protecting Consumer Privacy in an Era of Rapid do that private search, not only can those other Change: Recommendations for businesses and policy makers (2012), sites know your search terms, but they can also commission-report-protecting-consumer-privacy-era-rapid-change-rec ommendations/120326privacyreport.pdf [hereinafter FTC 2012 Report] know that you searched it. It is this combination

11 See, Julia Angwin, How I Quit Google, time, http://time.com/9210/how- i-quit-google/ (last visited March 26, 2014) 12 Id.

6 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho of available information about you that raises decision. An organization that implements pri- privacy concerns. DuckDuckGo prevents search vacy by design, offers privacy assurance as a leakage by default. Instead, when you click on “default mode of operation.”16 In contrast, an a link on our site, we route (redirect) that re- organization that lacks privacy by design will quest in such a way so that it does not send your consider it only as a response to, for example, search terms to other sites. The other sites will data breach incidents. If the costumer has pri- still know that you visited them, but they will not vacy concerns similar to those of Julia Agwin, know what search you entered beforehand.”13 the good business decision will most likely come Certainly, this type of anonymous search service from the former organization rather than the is having some impact over users preferences. latter. This decision is related to the fact that “privacy is becoming a business issue, and its went from having 1000000 average queries per protection is becoming an important aspect of day (as of July 2012) to 5000000 (in average) an organization’s ability to inspire and maintain by January 2014.14 Likewise, search engines 17 Con-

like www.startpage.com and www.ixquick.com, describe themselves as the “world’s most pri- embedded can serve as the tiebreaker. vate search engine”. Both offer the anonymous search service, and function under a “zero data Quitting Google services may seem a somewhat collection policy.”15 extreme decision, considering that there is an substantial number of users who appreciate the These are a few examples that provide relevant service generated suggestions about shopping, information as to how privacy by design can ser- searches and general interests that result from ve as the added value of a product or service. Google’s tracking features.18 This functionality fa- How a company incorporates privacy in its pro- cilitates daily life. A vivid example is the struggle duct design will likely have a direct effect over Julia Agwin had to face after deciding to migrate consumer preference. Certainly, understanding to DuckDuckGo search engine. Google’s search how to effectively implement privacy in a product suggestions were not available anymore, which and organization is a relevant aspect to consu- mer behavior. At the end, privacy by design is the 16 cavoukian, supra note 8. realization of a creative process, which by mixing 17 ann cavoukian, Privacy by Design in Law, Policy and Practice: A White privacy and innovation implies a good business Paper for Regulators, Decision-makers and Policy-makers, (2011), http://www.ipc.on.ca/images/Resources/pbd-law-policy.pdf, at 8 (last visited March 26, 2014)

13 DuckDuckGo 18 See Cecilia Kang, Google Announces Privacy Changes Across 26, 2014) Products; Users Can’t Opt Out, waShinGton poSt. (Jan. 24, 2012), 14 Id. consumers-across-products-users-cant-opt-out/2012/01/24/ gIQArgJHOQ_story.html (last visited March 27, 2014) (explaining 15 StartpaGe, https://startpage.com/eng/privacy-policy.html, (last visited Google’s combination of data of registered users across YouTube, March 26, 2014) Gmail and Google Search, will help it to better tailor its ads.)

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 7 to disregard her privacy concerns23, but this is required information.19 not the case.

July Galindo Q Agwin’s experience illustrates something more. In the TRUSTe Report, it was possible to determi- It shows how a user went from interacting and ne that 53% of the respondents strongly agreed appreciating a service rendered to becoming with the statement of “I avoid doing business deeply concerned about a company’s priva- with companies who I do not believe protect my cy practices. For this costumer, the company’s privacy online.”24 This percentage shows that the (Google for the purpose of this example) privacy consumer is now willing to do something about practices were out of proportion. And Agwin is privacy concerns, i.e. choose one product or ser- - vice over another, or even decide to opt out. creasing. Furthermore, through the TRUSTe Report it was After a survey conducted in December 2013, established that “70% of US internet users feel TRUSTe20 was able to determine that “consu- - mer online privacy concerns remain extremely ge their privacy online than one year ago”25, high with 92% of US Internet users worrying meaning that consumers are becoming smar- about their privacy online compared with 89% in ter about managing their privacy.26 This can be January 2013. The high level of concern is fur- translated nowadays into the increase of users’ ther evidenced by 47% saying they were always or knowledge as to which company they should frequently concerned and 74% were even more trust the management of their personal infor- concerned than last year.”21 The TRUSTe Report mation. Hence, companies embark on the cha- also showed that “58% were concerned about llenge of building trust, which may be achieved businesses sharing their personal information by putting into practice two complementary ele- with other companies and 47% were concerned ments.27 First, the company should be transpa- about companies tracking their online behavior to target them with ads and content.”22 These 23 See id. at 6 (determining that the top 6 reasons for increase in online privacy concerns in 2013, consisted of: Businesses sharing user’s numbers would be irrelevant if the user decided user’s online behavior to target her with ads and content (47%), reports of government surveillance programs (e.g. NSA, PRISM) in the media 19 See Agwin, supra note 11. privacy policies of Google and other search engines (21%))

20 TRUSTe is described as a US company and global leader in Data Privacy Management (DPM) programs, About TRUSTe, http://www. 24 Id. at 11. truste.com/about-TRUSTe/ (last visited March 27, 2014) 25 Id. at 11.

21 truSte, truSte 2014 uS conSumer conFiDence privacy report conSumer opinion anD BuSineSS impact (2014) [hereinafter TRUSTe 26 See id. at 11. Report], at 3 available at http://info.truste.com/lp/truste/Web-Resource- HarrisConsumerResearchUS-ReportQ12014_LP.html 27 See pwc, 10minuteS on Data privacy: BuilD conSumer truSt throuGh Data privacy (February 2014) [hereinafter pwc Report], available at 22 Id. at 3. http://www.pwc.com/en_US/us/10minutes/assets/pwc-data-privacy.

8 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho rent with the information it provides to the user Take the mobile applications market as an through its privacy policies regarding the proce- example. This sector has been repeatedly invol- dure of collecting, further use and sharing of the ved in privacy related incidents in different juris- information. Second, the company as an orga- dictions.30 In 2012, the Groupe Speciale Mobile nization, where different inner actors interact (GSM)31 (formed by the Confederation of Euro- for the creation of a product, should be on the pean Posts and Telecommunications (CEPT)), same page. This means “developing proactive addressed the mobile ecosystem that allows the processes for considering privacy in the design interrelation of individuals while engaging with of products and other business processes that creative mobile applications and services.32 collect or use consumer data, rather than taking a reactive approach to dealing with privacy is- Likewise, GSM acknowledged that this connec- sues after they emerge.”28 tion relied “on the real-time access and use of personal information that is often transferred To acknowledge costumers’ thoughts and beha- globally between applications, devices, and 33 vior towards privacy is to recognize that privacy companies.” should be viewed by companies as a business matter, and not only as a compliance issue. Ta- Considering the amount of information that mo- king privacy by design into consideration, throug- bile app developers collect and the risks inhe- hout the life cycle of a product or service, will rent to the activity, such as malicious access to help a company to execute a strategy where pri- a user’s personal information, the GSM issued vacy is transformed into a competitive business the Privacy Design Guideline for Mobile Appli- advantage. Implementation of privacy by design will provide a company with the necessary tools

30 See Kirsten Gollatz, App Development: Is ‘Privacy by Design’ the New Standard, internet policy review. (mar. 28, 2013), http://policyreview. 29 based on trust and privacy expectations. info/articles/news/app-development-‘privacy-design-new-standard/117 (last visited March 28, 2014) (addressing that privacy incidents have impacted mobile phones user behavior, and has raised concerns about how apps handle personal data. It has even got to the point of avoiding installing an application or even to opt-out.) (last visited March 28, 2014). you’re collecting their data. In our consumer privacy survey, 80% of 31 See id. consumers said they were willing to share personal information if the Guidelines for Mobile Application Development. Although explicitly supported by the largest European operators, these guidelines, so it 28 Id. standard”).

29 See ann cavoukian, The Privacy Payoff: How Building Privacy Into Your Communications Will Give You A Sustainable Competitive 32 GSm, moBile anD privacy: privacy GuiDelineS For moBile Advantage, Address Before the International Association of Business application Development (February 2014), at 1 available at http:// www.gsma.com/publicpolicy/wp-content/uploads/2012/03/ available at http://www.ipc.on.ca/images/ gsmaprivacydesignguidelinesformobileapplicationdevelopmentv1.pdf Resources/pbd-law-policy.pdf, at 8 (last visited March 26, 2014) http:// (last visited March 28, 2014). www.ipc.on.ca/images/Resources/2008-06-24-IABC-NYC.pdf (last visited March 28, 2014). 33 Id.

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 9 34 cation Development . Moreover, the GSM sta- ted “even applications that legitimately access and use personal information may fail to meet Before a user The app landing downloads or page is an excellent July Galindo Q the privacy expectation of users and undermine place to publish key privacy facts, or she must be made aware and provide a the wider mobile ecosystem. Problems occur I d e n t i f y hyperlink to a more yourself to when users are not given clear and transparent detailed privacy users that will collect statement. There is Users must notice of an application’s access and use of the or use personal know who is to providing users personal information, or when they are not given the scope of using their an opportunity to express meaningful choice about you, your p e r s o n a l including a and control over the use of their information for i n f o r m a t i o n company or privacy and what and how they individual name you’ll do with their secondary purposes and beyond that necessary can contact that and a country of 35 to the operation of an application or service.” origin. and encourage By adopting a privacy by design approach, the Users must have users to explore easy access (via a how best to manage GSM intended to “ensure that mobile applica- link or menu item) their privacy — but to brief contact don’t burden them tions are developed in ways that respect and details of the and keep it simple protect the privacy of users and their personal and easy. information.”36 In the following example, the GSM Privacy by Design Guidelines provide in- It showed how in practice the technical deve- formation about the practical implementation lopment is coordinated since the initial mo- and design of the privacy principles, by advising ment, with the underlying privacy principle (in the mobile app developer as to how he should this case, transparency). In a similar fashion, to translate and implement the concerns and ex- the GSM Guideline, the FTC in April 2013, and pectations about the transparency of the practi- through its Business Center, issued a guide in ces, while creating the technical features of the order to help mobile app developers to obser- 37 ve, among other matters, privacy principles. The Marketing Your Mobile App Guide,38 calls app developers to “build privacy considerations in from the start”39, highlighting the relevancy of providing user with tools and features as to how she can control her personal information (i.e. privacy settings, opt-outs, etc.)

34 See id.

35 Id. 38 Fed. Trade Comm’n, Marketing Your Mobile App: Get It Right From The Start (April 2013), http://business.ftc.gov/documents/bus81- 36 Id.

37 See id. at 5. 39 Id. at 2.

10 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho In the following sections of this article, I will tection law43 while addressing privacy and data address the Fair Information Practices (FIPs), protection matters. and their evolution, as the starting point to un- derstand what it means to design products and In order to delimit the scope of application of services with privacy in mind.40 Then, I will turn FIPs, it must be mentioned that they only apply to address the seven elements of a particular privacy by design program, along with sugges- been said in that regard that, “although there tions for their implementation within an orga- nization. Hopefully altogether, this information share the basic assumption that -in the absence will help to explore how privacy, as a competi- of PII-, there is no privacy harm’”.44 Although it is tive advantage, and through privacy by design, not the purpose of this article to do so, it must can be put into practice. be pointed out that PII does not correspond to conceptualization of PII should be strictly kept

broader. For the most part, it has been sugges- Since their existence, FIPs have played a key ted that the PII approach should be revaluated role in the regulation and behavior of entities (especially by US regulatory entities) in order to (public and private sector) while addressing the acknowledge the relevancy of PII as information management of personal data. These rules have been described as a “set of internationally re- used to re-identify an individual.45 cognized practices for addressing the privacy of information about individuals”41; they determine obligations to be met by organizations that pro- over a company’s behavior while taking privacy cess personal information.42 They provide the decisions (such as privacy by design), and while underlying principles for many laws in different processing PII, it is important to address the ori- jurisdictions, and have contributed to the shape gin and evolution of FIPs. of US privacy statutes and European data pro-

40 See Rubinstein, Good, supra note 6, at 1335.

41 roBert Gellman, Fair Information Practices: A Basic History, (March 18, 2011), http://bobgellman.com/rg-docs/rg-FIPShistory.pdf (last 43 See Rubinstein, Good, supra note 6, at 1337 n10. visited March 30, 2014). 44 Id. at 1357. 42 Paul M. Schwartz; Daniel Solove, The PII Problem: Privacy and a New 86 N.Y.U. L.Q. Rev. 45 See Schwartz, Solove, supra note 44 (addressing three approaches to the PII concept, their problematic and if it should be treated as a rule or edu/facpubs/1638 (last visited March 31, 2014) a standard, in order to respond to technology developments)

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 11 A. FIPs Origin hand and freedom of information on the other, in order to allow a full exploitation of the poten- tialities of modern data processing technologies July Galindo Q Information Practices was enacted, originating in so far as this is desirable”.49 as a contribution from the DHEW (Department of Health, Education, Welfare) Advisory Committee Similar developments took place in Europe by on Automated Data Systems.46 This Committee 1980, when the Council of Europe adopted the was established as a response to the growing Convention for the Protection of Individuals with use of computers by entities of the private and Regard to Automatic Processing of Personal Da- 50 public sector, which certainly implied the use of ta. To both the OECD and the Council of Europe automated data systems that dealt with infor- Convention, the US FIPs served as a baseline. mation about individuals.47 Both entities “relied on FIPs as core principles, although neither document used the term. Both After observing the creation of the 1973 US FIPs organizations revised and extended the original and subsequent privacy laws enacted by mem- US statement of FIPs, with the OECD Privacy Gui- ber countries, the OECD decided in 1980 to issue delines being the version most often cited in the the OECD Privacy Guidelines. The intention of said subsequent years. The OECD, Council of Europe, document was to provide “basic rules governing and the European Union expressly recognized - that disparities in national privacy legislation sonal data and privacy, in order to facilitate the - harmonization of national legislation.”48 Through mation between countries…The goal of harmoni- these Privacy Guidelines the OECD addressed zation helped to raise interest in privacy among problems related to, at the time, emerging inter- the business community”.51 national data networks and “the need of balan- cing competing interests of privacy on the one B.

In 2012 the FTC issued the FTC 2012 Report 52 46 See EPIC, The Code of Fair Information Practices, available at http:// about privacy. In this report the FTC recog- epic.org/privacy/consumer/code_fair_info.html (last visited March 31, 2014) nized the existence of technological develop- ments such as smart phones and smart cars, 47 See Gellman, supra note 43 at 2.

48 OECD, 1980 Guidelines on the Protection of Privacy and Transborder Flows, available at http://www.oecd.org/internet/ieconomy/oecdgui- 49 Id. 50 See Council of Europe, http://conventions.coe.int/Treaty/en/Treaties/ - Html/108.htm (last visited April 1, 2014) principle, use limitation principle, security safeguards principle, open- ness principle, individual participation principle, accountability princi- 51 See Gellman, supra note 43 at 7-8. ple.”) see http://www.oecd.org/internet/ieconomy/the30thanniversar- yoftheoecdprivacyguidelines.htm (last visited April 1, 2014)). 52 See Fed. Trade Comm’n, supra note 10 at i.

12 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho that allowed companies to perform constant ty, reasonable collection limits, sound retention collection, storing and sharing of information practices and data accuracy”.58 through the use of such devices. The intention of the FTC 2012 Report was to line up standards Similarly, in 2013 the OCDE issued the 2013 59 as to how companies could use the information OECD Privacy Guidelines , which consisted of to deliver better services and products without doing so “at the expense of consumer privacy”.53 revision was necessary since “as compared with Although the FTC 2012 Report is consistent with the situation 30 years ago, there has been a the FIPs articulated in 1970s, it added three new profound change of scale in terms of the role of recommendations to the previous privacy fra- personal data in our economies, societies, and daily lives. The environment in which the tradi- business and consumers, and greater transpa- tional privacy principles are now implemented 60 rency.54 These recommendations come relevant at a time when the FTC has had an active role in As part of this revision, the OCDE introduces 55 privacy enforcement actions , that were mainly the privacy management program as the me- based on the “fairness” of the practice, and the dium through which to implement the newly in- response to privacy “consumers expectations”.56 troduced privacy by design concept. Both hold In particular, and by encouraging privacy by de- relation with the accountability principle “as a sign, the FTC 2012 Report invites companies to “promote consumer privacy throughout their responsibility for privacy protection”61. The data organizations and at every single stage of the controller must be able to demonstrate that the development of their products and services”,57 privacy management program is appropriate and to “incorporate substantive privacy protec- and includes the necessary safeguards needed tions into their practices, such as data securi- to protect the information by implementing pri- vacy by design; “whereby technologies, proces- ses and practices to protect privacy are built into 53 Id. system architectures, rather than added on later 54 See id. as an afterthought”.62

55 The FTC has initiated administrative investigations over companies’ Inc., and Google Inc. These cases are not an exhaustive list, but 58 Id. provide further information of the FTC’s considerations, while analyzing the “fairness” and “consumer expectations” prongs. See In the matter of Google Inc. 59 See OECD, 2013 OECD Privacy Guidelines, available at http://www. 2011); see also United States v. Google, Inc., No. CV 12-04177 SI oecd.org/sti/ieconomy/privacy.htm (last visited April 1, 2014) (N.D. Cal. Nov. 16, 2012); see also In the Matter of Facebook, Inc., 60 Id. at 3.

56 See Rubinstein, Good, supra note 6, at 1346. 61 Id. at 23.

57 Fed. Trade Comm’n, supra note 10 at vii. 62 Id. at 24.

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 13 Although nowadays there may be dissimilar FIPs formulations that vary in crucial respects, “the different version coalesce around the following importance of implementing privacy by design July Galindo Q as a way to provide a coherent organisational response to consumer expectations, as well as the promotion of national legislation and the of personal information on the collection, harmonization of international standards. Even processing and use of personal data (often more, companies’ self-regulation, with proper referred to as data minimization); privacy management, plays a crucial role.

2. Data quality (accurate, complete, and timely information);

3. Limits on data retention; It was explained in the previous section that FIPs, have embodied how the proper collection and 4. Notice to individual users; use of personal data should be executed, since the 1970s. Privacy by Design (PbD) comes to 5. Individual choice or consent regarding the play a key role. PbD is the translation and inclu- collection and subsequent use of personal sion of the FIPs, and relates to the company’s information; self-regulatory privacy practices, while creating a product or service that responds to the interest 6. Reasonable security for stored data; of the consumer/market and applicable regu- 7. Transparent processing systems that affected lations. users can readily understand and act on; Privacy by Design is a concept created by 8. Access to one’s personal data; and Ontario’s Information and Privacy Commissio- ner, Ann Cavoukian, who presented a set of 9. Enforcement of privacy rights and standards foundational principles to serve as a guide by (including industry self-regulation, organiza- which to achieve a balance between regulation tional measures implemented by individual and innovation, while keeping consistency with - FIPs. It corresponded to an approach of em- ment and civil litigation).”63 bedding privacy into the design of the product, as a response to the high threats to online pri- Aside from different recommendations as to vacy that were escalating by 1990s.64 In 2010, which FIPs are relevant and how they must be the Center for Democracy and Technology (CDT) adjusted, the evolution of the FIPs, after the

63 Rubinstein, Good, supra note 6, at 1343 64 See supra note 18, at 3

14 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho recognized the relevancy of privacy by design as who actually venture to read them.”67 Privacy a tool to implement FIPs. Even more, the CDT policies are regarded as incomprehensible. Re- had been aware of the FTC process which later search performed in 2012, related to the user’s would be the FTC 2012 Report that brought to understanding after reading Facebook’s API ser- the attention of said authority to observe privacy vice privacy policy, concluded that “less than 40 by design, “we urge the FTC to encourage the percent of Facebook users understood how –it– integration of Privacy by Design into corporate can be used to access and view public –user– practices and innovation”.65 This concept was information.”68 adopted by the FTC as part of its recommenda- tions, and is one of the key points of the FTC Companies’ have directed their privacy efforts 2012 Report.66 to a legalistic and compliance approach of FIPs, giving preponderance to consumer consent-choi- A relevant aspect of today’s promotion of privacy ce. However, this approach has changed. As indi- by design is the failure of the notice and consent cated by the FTC 2012 Report, privacy concep-

model. This model requires businesses to provide tualization is broader. It is not anymore enough privacy policies that inform users how personal for a company to inform the user about its pri- information is collected and used. Considering vacy policy, but it must also implement privacy protections by default. Meaning that, “privacy by policy, the information displayed may not achieve design requires the translation of FIPs into engi- the goal of providing the user with the tools to neering and design principles and practices”69. make a well-informed decision. This circumstan- This matter can be explained with the following ce was noted in 2010 by the US Department, - stating that “according to the comments we re- cation principle, is the basis for limits on how ceived, it seems the level of effective transparen- long a company may retain personal data. But cy and awareness of current privacy practices is there is a vast difference between a company low. Privacy policies are the current framework’s promising to observe reasonable limitations on primary mechanism for informing consumers of data retention and designing a database that companies’ privacy practices. The shortcomings automatically tags personal and/or sensitive in- - 67 Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, (2010) at 32, available at http://www.commerce. paper.pdf (last visited April 7, 2014)

65 Center for Democracy & Technology, The Role of Privacy by Design in Protecting Consumer Privacy, available at https://www.cdt.org/policy/ 68 Survey: Facebook, Google privacy policies are role-privacy-design-protecting-consumer-privacy incomprehensible, ZDnet (last visited April 7, 2014) (last visited April 7, 2014)

66 See Fed. Trade Comm’n, supra note 59. 69 See Rubinstein, Good, supra note 6, at 1341.

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 15 formation, keeps track of how long the informa- be considered at the earliest of brainstorm sta- period of time has expired. To adapt a familiar ges. Privacy should not be included after the July Galindo Q distinction, one is just words, while the other is fact. One possible implementation tool is a action realized through code.”70 “checklist” properly tailored to the relevant busi- ness group.75 “The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral into the sys- tem without diminishing functionality”.76 The seven foundational principles are presented by Cavoukian as a way to accomplish privacy by Full functionality – Positive-sum, not Zero-sum design objectives by “ensuring privacy and gai- It is possible to have privacy and security and ning personal control over one’s information both privacy and functionality. Avoid to unders- and, for organizations, gaining a sustainable tand privacy measures as detrimental to the qua- competitive advantage”.71 The seven foundatio- lity of the product or service.77 “Privacy by Design 72 seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” man- Proactive not reactive and preventative not re- ner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy to anticipate privacy issues before they arise. by Design avoids the pretense of false dichoto- The organization should avoid acting exclusively mies, such as privacy vs. security, demonstrating with a remedial approach.73 that it is possible to have both.”78

should consider how to make privacy the default. Implement security of the data throughout its li- If the “do nothing” option exists, then privacy fecycle (full lifecycle protection). Know who has must be built into the systems keeping users’ access to the data, internally and externally, and privacy intact. This default principle should be how it is shared with third parties. Have certainty consistent with users’ expectations.74 as to which are the security measures, retention periods, and destruction of data (if applicable). 70 Id.

71 See supra note 9

72 See Id. 75 See Id.

73 See International Association of Privacy Professionals “IAPP Global 76 supra note 9 Privacy Summit”, March 5-7, 2014, Washington DC, Workshop: A Step- by-Step Guide to Integrating PbD at Your Organization. 77 See supra.

74 See Id. 78 See Id.

16 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho Workers should be trained and there should be ge in privacy as a “copy paste” exercise. Privacy full awareness of the activities of the staff.79 is unique to each organization, and ignoring this fact will situate the organization under an unne- cessary risk. By shifting from this legalistic un- put users in notice of the information you are derstanding to an organizational mandate of fo- llowing the privacy by design approach, including the real condition of the privacy practices and its seven foundational principles, a company will processes, immersed in the product. Determine how aware the users/consumers are of privacy obstacle that impairs the launching of a product and security practices. Beware of possible veri- to the market. Likewise, the company will avoid loses in productivity since the lack of privacy having the regulator telling the organization compliance will probably cause the additional 80 “what to do”. Trust is allowed, but also the ve- burden of having to redesign the product in or- der to adjust it to privacy standards. Companies

should also keep in mind that building a product presently requires the interaction of different Maintain users’ privacy interests as the para- agents within the same organization, i.e. legal, mount. It will help to empower the company security engineers, and what has been called as (competitive advantage), and to set privacy as UX designers.82 Having all agents in sync on the something more than just protection. Provide privacy goals of the organization and the direc- training, keep awareness, and have accessible tive of how to embed in privacy, will avoid con- internal policy statements and guidelines.81 The- templating privacy as an obstacle. Privacy will be re should be user-friendly options. viewed as a vehicle to continue to build trust and meet consumer’s expectations, which at the end By following the previous principles, privacy is built as an integral process, and not just by re- design approach. After all, privacy should be a medying situations that could in fact have been Positive-Sum, not Zero-Sum exercise. foreseen.

The legalistic approach to privacy has lead com- panies to commit the mistake of believing that any privacy policy is appropriate and adequate Privacy by design may be used to assess and/or to satisfy their privacy obligations, and to enga- protect privacy based on the needs of the orga-

79 See Id. 82 See Rubinstein, Good, supra note 6, at 1352. (Addressing which is the optimal way to approach who is responsible within an organization 80 See Id. for designing in privacy, and explaining the importance of including UX designers in the privacy and product design, since privacy perceptions 81 See Id. also respond to consumer social stances.)

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 17 nization. The following suggestions, which by no - If consent is a requirement, the organization means are intended to be exhaustive, are deve- must assure that it is keeping evidence of it. loped from the recent workshop (and its suppor- This mechanism may easily be a part of the July Galindo Q A Step-by-Step Guide to Integra- privacy design process, if the organization has ting PbD at Your Organization, organized by the IAPP during the 2014 Global Privacy Summit.83 must be complied with. These suggestions are intended to help imple- ment privacy by design across the entire orga- - Is the company interested in limiting privacy nization, instead of a project-by-project basis. by design to personal data? Identify how the The implementation agrees with Cavoukian’s privacy directive is going to work, how to deal suggestion of privacy by design “be applied across the board to IT systems, accountable business practices, physical design and networ- to comply with requirements from different ked infrastructure, touching every aspect of an agencies? organization”.84 - Determine if your privacy practices are frien- In general, a privacy by design program (PbD), dly enough or need to be improved. short and long run. A challenge may be how

Identify the challenges; specially at large organi- require the allocation of resources within the company. Perhaps a way to enhance the in- terest from senior management could be the creation of new strategies to monetize data, of which are the regulations (from all diffe- and cross-border transfer strategies. rent jurisdictions) that must be met in order to avoid additional risks (i.e. COPPA – special Identify the motivation behind the privacy restrictions for the collection of information of scheme. It will be more evident in organizations children under the age of 13, EU Directive). that correspond to highly regulated sectors (e.g. scope. Enlist the support that is required and which are the key divisions, and chose a privacy coor- dinator from each one of them. Also, the orga- 83 See supra note 77 84 supra note 18, at 14

18 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho - Be the division privacy representative, on an - incident response team ring that privacy is being properly implemented throughout the organization. - Coordinate division privacy training

Promote privacy and create incentives for the - Review division data management/vendor developers, to actively participate in the privacy practices by design program. - Work with teams on review of privacy by de- sign checklists

This Committee, along with the Chief Priva- This Committee should provide training for re- levant people. It will help to have them all speak privacy throughout the organization, i.e. in the the same language, and also for the understan- event of a change in the administration that evi- ding of the roles and responsibilities within the dences no interest in privacy, this Committee organization. will deal with privacy reorganization.

Privacy Coordinators from all key divisions A detailed questionnaire or survey for each re- should be included in the Privacy Steering Com- levant business unit will help to determine the mittee. These Coordinators should receive spe- privacy practices status, and what is subject to cial training in privacy, it will help to have a more be improved, inserted or adjusted. Assessment effective implementation of the privacy by de- of the privacy practices and how they can be sign program. Training should also be extended improved, as well as matching privacy practices to executives and people that may have access with privacy policies is necessary. The organiza- to PII on random or daily basis. The training of tion should always keep present the FTC’s prin- executives/senior management will generate a say what you do, do what you say.’ better assessment of privacy risks. Some people within the organization may not know what PII is, If the organization has limited resources, the and that it can be even collected from a simple implementation will depend on a strategic plan phone call. They should be aware of the danger created as a result of the assessment/remedia- of unauthorized access to PII. tion stage. The following two steps may help to a At this stage the organization should establish - Educate people within the organization, they can be the eyes and ears. This can help pri- - Coordinate privacy assessments

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 19 be closer to the risks or malfunctioning of the privacy program. -

July Galindo Q - Identify the biggest risks of the organization. - One way could be determining which are the llecting, and how and why are you collecting top products of interest, and work around it. them. Establish the notice and choice mecha- Schedule remediation after complying with nism (design feature). Determine which data proper audits over business units actual practi- will be subject to opt-in or opt-out feature. ces. Afterwards, address variances from privacy policies and take the necessary measures to re- The guidelines should be clear as to what mediate the practices. is the use that the business is authorized to perform from the information collected. The- re might be the assumption that the informa- tion is available for everyone to use, when Internal guidelines based on the seven founda- indeed this might be restricted depending tional principles of privacy by design, and actual on the business unit and the initial purpose business unites practices should be drafted.

Have checklists based on the guidelines. Chec- klists will help to establish a process for the re- only as much personal data as is reasona- view of the guidelines compliance. This comes relevant to protect the informa- In order to develop proper guidelines that will tion from unauthorized access and to limit require the involvement of legal and product de- velopers, the organization should take into con- Minimization has been described as one of sideration the internal data lifecycle. This comes the techniques to limit linkability. Minimiza- relevant whenever it is necessary to design pro- tion may include “not recording IP addres- duct and service features. What follows are su- ses and/or not enabling User ID cookies, or ggestions for each data lifecycle stage in order using a third party proxy server to strip out an to shape the corresponding guideline that will IP address; and a variety of techniques that integrate the privacy principles and the purpose protect, shield and minimize location data, of the product developed by the company, while from which identity is readily inferred”.85

85 See Rubinstein, Good, supra note 6, at 1357.

20 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho not only for lawyers, but also for product de- Some relevant questions can be what data velopers. they will receive, how will they use the data, will the data be shared, how will it be pro- Determine beforehand if the collection of tected. sensitive data is allowed, or if not how the

feature should be addressed in the product. Including special contractual provisions This should be clear in the privacy policy. and technical features, that may help to go- vern the practices of service providers and business partners with whom the sharing Inform users how their data will be used. takes place. Keep the process transparent, and user cen- tric.

Consider ways to give users control over The product developer should consider particular uses, especially those tended whether or not it would be possible to design a mechanism that would facilitate user con- should be designed, preferably of an opt-in trol and/or access to the data. nature. The organization should employ reasona- User control features should be prominent, ble physical, technical, and administrative easy to understand and easy to use. Privacy safeguards to protect the data. by default intends to be user friendly at all

times. Clarify the policy by which the company will

Whenever personal data is shared with ser- implement reasonable data retention and vice providers and/or business partners, it is data disposal. relevant to understand how those entities manage data. Special review should be per- Design features that will allow developers formed over their practices. In the EU, there to delete or anonymize data when it is no are different roles and obligations depen- longer needed or required. ding on the participation during the data pro- Organizations should thoroughly consider cessing. Roles such as the controller and the whether or not to delete information. Redu- processor have different duties, and it is im- cing the volume lowers the risk of possible portant to know that the organization trusts data breaches. the information collected to a processor that has the capability to keep it safe, and comply with legal and contractual obligations.

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 21 competitiveness of the organization’s products and services. Acknowledge the organization’s responsibili-

July Galindo Q ties and duties towards data. Privacy by default is a good business decision. Companies should move towards a market whe- How the accountability tools will have to be re the privacy interests of consumers are satis- shaped depends upon for which sectors the pro- - duct or services are directed. Controlling, moni- sign program. Such a program will increasingly toring and assessing will vary depending of the become a selling point for consumers, as repu- sector. The companies’ behavior will differ if the tation of the company continues to improve in a accountability is examined from the web, cloud, directly proportional manner. mobile or advertising sectors, to cite a few exam- ples.

The guidelines should clearly state the organi- A chronology of the NSA surveillance scandal, zations’ duties towards a product or service that Dw.De, the-nsa-surveillance-scandal/a-17197740

Google Will Pay $22.5 Million to Settle FTC Char- ges it Misrepresented Privacy Assurances to A real inclusion of privacy by design will have a Users of Apple’s Safari Internet Browser, Ftc. collateral effect. When the time comes, the dra- Gov, fting of the privacy policy will be an easier and releases/2012/08/google-will-pay-225-mi- more transparent process. The knowledge an or- llion-settle-ftc-charges-it-misrepresented ganization will have of its own privacy practices A message from CEO Gregg Steinhafel about and how those practices are embedded from Target’s payment card issues, corporate.tar- the conceptualization stage of the products and Get.com, - say ver/article/Important-Notice-Unauthorized- what you do, do what you say.” A company that is access-to-payment-ca not fully aware of its privacy by design program, and therefore does not understand how unique Acquisti, Alessandro; Friedman, Allan; and Te- that program is to each organization, will most lang, Rahul, Is There a Cost to Privacy Brea- likely assume the unnecessary risk of unfair and ches? An Event Study (2006). ICIS 2006 deceitful conduct. Such company will also suffer Proceedings. Paper 94, available at from a lack of knowledge of consumers’ expec- aisel.aisnet.org/icis2006/94 tations, which in the end will only damage the

22 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho Ira S. Rubinstein; Good, Nathaniel, Privacy by google-tracks-consumers-across-products- Design: A Counterfactual Analysis of Google users-cant-opt-out/2012/01/24/gIQAr- and Facebook Privacy Incidents, 28 Berkeley gJHOQ_story.html tech. l.J. 1333, 1336 n.7 (2013) truSte, truSte 2014 uS conSumer conFiDence Ann Cavoukian, Privacy by Design: The 7 Foun- privacy report conSumer opinion anD BuSineSS im- dational Principles - pact (2014), vacybydesign.ca/content/uploads/2009/08 Web-Resource-HarrisConsumerResearchUS- /7foundationalprinciples.pdf ReportQ12014_LP.html

Fed. Trade Comm’n, Protecting Consumer Pri- pwc, 10minuteS on Data privacy: BuilD conSumer vacy in an Era of Rapid Change: Recommen- truSt throuGh Data privacy (February 2014), dations for businesses and policy makers assets/pwc-data-privacy.pdf -

mission-report-protecting-consumer-privacy- ann cavoukian, era-rapid-change-recommendations/1203 Privacy Into Your Communications Will Give 26privacyreport.pdf [hereinafter FTC 2012 You A Sustainable Competitive Advantage, Report] Address Before the International Association of Business Communicators International Julia Angwin, How I Quit Google, time Conference 2008, New York City, New York time.com/9210/how-i-quit-google/ (June 24, 2008), available at on.ca/images/Resources/pbd-law-policy.pdf DuckDuckGo Kirsten Gollatz, App Development: Is ‘Privacy StartpaGe by Design’ the New Standard, internet poli- policy.html cy review. (mar - view.info/articles/news/app-development- ann cavoukian, Privacy by Design in Law, Policy and Practice: A White Paper for Regulators,

Decision-makers and Policy-makers, (2011), GSm, moBile anD privacy: privacy GuiDelineS For mo- Bile application Development (February 2014), pbd-law-policy.pdf content/uploads/2012/03/gsmaprivacyde- Cecilia Kang, Google Announces Privacy Chan- signguidelinesformobileapplicationdevelop- ges Across Products; Users Can’t Opt Out, mentv1.pdf waShinGton poSt. (Jan washingtonpost.com/business/economy/

Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho 23 Fed. Trade Comm’n, Marketing Your Mobile also United States v. Google, Inc., No. CV 12- App: Get It Right From The Start (April 2013), 04177 SI (N.D. Cal. Nov. 16, 2012); see also In the Matter of Facebook, Inc., FTC File No. July Galindo Q marketing-your-mobile-app

roBert Gellman, Fair Information Practices: A Ba- OECD, 2013 OECD Privacy Guidelines, sic History- www.oecd.org/sti/ieconomy/privacy.htm man.com/rg-docs/rg-FIPShistory.pdf Center for Democracy & Technology, The Role Paul M. Schwartz; Daniel Solove, The PII Pro- of Privacy by Design in Protecting Consumer blem: Privacy and a New Concept of Perso- Privacy, - 86 N.Y.U. L.Q. vacy-design-protecting-consumer-privacy berkeley.edu/facpubs/1638 Department of Commerce, Internet Policy Task Force, Commercial Data Privacy and Innova- EPIC, The Code of Fair Information Practices, tion in the Internet Economy: A Dynamic Policy Framework, (2010), fair_info.html gov/sites/default/files/documents/2010/ december/iptf-privacy-green-paper.pdf OECD, 1980 Guidelines on the Protection of Privacy and Transborder Flows, available at Emil Protalinski, Survey: Facebook, Google privacy policies are incomprehensible, ZD- oecdguidelinesontheprotectionofprivacyand- net survey-facebook-google-privacy-policies-are- incomprehensible/12420 Council of Europe, http://conventions.coe.int/ Treaty/en/Treaties/Html/108.htm International Association of Privacy Professio- nals “IAPP Global Privacy Summit”, March In the matter of Google Inc. US FTC File No. 102 5-7, 2014, Washington DC, Workshop: A see Step-by-Step Guide to Integrating PbD at Your Organization.

24 Revista de Derecho, Comunicaciones y Nuevas Tecnologías No. 12 - ISSN: 1909-7786 - Juilio- Diciembre de 2014 - Universidad de los Andes - Facultad de Derecho