
Journal of Intellectual Property, Information Technology and Electronic Commerce Law
Volume 4 (2013) Issue 1
ISSN 2190-3387
www.jipitec.eu

Table Of Contents

Articles
“Privacy by Design”: Nice-to-have or a Necessary Principle of Data Protection Law? by David Krebs
On the Role of Copyright Protection in the Information Society - Anti-ACTA Protests in Poland as a Lesson of Participatory Democracy by Katarzyna Gracz
Patentability and Scope of Protection for DNA Sequence-related Inventions from Perspective of the United States of America and Europe by Radoslav M. Milkov

Reports
Swiss Patent Jurisprudence 2012 by Cyrill P. Rigamonti

Book Reviews
Ch Geiger (ed), Criminal Enforcement of Intellectual Property by Rita Matulionyte

Editors’ Pick by T. Dreier, L. Guibault, A. Metzger, M. Peguera

A joint publication of:
Prof. Dr. Thomas Dreier, M. C. J., Karlsruhe Institute of Technology, Vincenz-Prießnitz-Str. 3, 76131 Karlsruhe
Prof. Dr. Axel Metzger, LL. M., Institute for Legal Informatics, Leibniz Universität Hannover, Königsworther Platz 1, 30167 Hannover
Prof. Dr. Gerald Spindler, Dipl.-Ökonom, Georg-August-Universität Göttingen, Platz der Göttinger Sieben 6, 37073 Göttingen

Karlsruhe Institute of Technology, Leibniz Universität Hannover, and Georg-August-Universität Göttingen are corporations under public law, and represented by their respective presidents.

Editors: Thomas Dreier, Axel Metzger, Gerald Spindler, Lucie Guibault, Miquel Peguera
Editor-in-charge for this issue: Thomas Dreier
Administrative Editor: Philipp Zimbehl
Student Editor: Jessica H. Lee
Project Assistant: Michael Funke
Layout: Magdalena Góralczyk, Matthias Haag, Marco Ganzhorn

“Privacy by Design”: Nice-to-have or a Necessary Principle of Data Protection Law?

by David Krebs*

* Juris Doctor, LL.M., Member of the Law Society of Alberta (Canada)

Abstract: Privacy by Design is a term that was coined in 1997 by the Canadian privacy expert and Commissioner for Ontario, Dr Ann Cavoukian, but one that has recently been receiving more attention in terms of its inclusion as a positive requirement into EU, US and Canadian data protection frameworks. This paper argues that the right to personal privacy is a fundamental right that deserves utmost protection by society and law. Taking privacy into consideration at the design stage of a system may today be an implicit requirement of Canadian federal and EU legislation, but any such mention is not sufficiently concrete to protect privacy rights with respect to contemporary technology. Effective privacy legislation ought to include an explicit privacy-by-design requirement, including mandating specific technological requirements for those technologies that have the most privacy-intrusive potential. This paper discusses three such applications and how privacy considerations were applied at the design stages. The recent proposal to amend the EU data protection framework includes an explicit privacy-by-design requirement and presents a viable benchmark that Canadian lawmakers would be well-advised to take into consideration.

Keywords: Data Protection, Canadian Privacy Law, Comparative Law, EU Data Protection Regulation, Right to Privacy

© 2013 David Krebs

Everybody may disseminate this article by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing Licence (DPPL). A copy of the license text may be obtained at http://nbn-resolving.de/urn:nbn:de:0009-dppl-v3-en8.

Recommended citation: David Krebs, “Privacy by Design”: Nice-to-have or a Necessary Principle of Data Protection Law?, 4 (2013) JIPITEC 2, para. 1.

A. Introduction

1 The threats to the individual right to privacy – or what is sometimes referred to as the right to ‘informational self-determination’1 or simply the ‘right to be let alone’2 – are currently being widely discussed, debated and analysed. This is particularly so where this right is impacted by new technologies or the incremental move of our daily activities online. New technologies that impact the way in which information about people, ‘personally identifiable information’3 (‘PII’), is used, collected, stored and disseminated are appearing at a frequent and rapid pace. These may be ‘apps’,4 facial recognition technologies, smart electricity grids, Radio Frequency Technologies (RFID), cloud computing, mass and surreptitious surveillance, biometrics and private sector Internet marketing initiatives. Currently, for the most part at least, technology is being adjusted after the fact to patch privacy-related issues as they arise or after they have already had a negative impact.

2 To address these concerns and to move from a reactive to a proactive approach, Dr Ann Cavoukian, current Privacy Commissioner for Ontario, in 1997 had already developed the principles behind – and coined the phrase – ‘privacy by design’ (PbD). PbD recognizes that the deployment of technologies designed to achieve a certain commercial or public sector goal without having considered the privacy implications at the design stage of the technology can result in personally identifiable information (PII) being used or disclosed in ways that harm privacy rights permanently. PbD embodies the merger of two objectives: the protection and control of PII and privacy, and the advancement of the commercial application of technologies in a sustainable but competitive manner.5 The Protection of Information and Electronics Documents Act6 (‘PIPEDA’)7 (as well as the European Data Protection Directive)8 contains provisions relating to the adequacy of protective security measures and also, implicitly, privacy ‘by design’ requirements. At present, however, PbD is not an explicit part of the legislative scheme in Canada, the European Union (EU) or the United States of America (US), even though it is often cited as a best practice and perhaps even as the ‘gold standard’ in privacy protection.9

3 Calls for an introduction of PbD into legislative frameworks have been receiving more attention recently, for example, within the proposal for an EU privacy framework,10 in proposed legislation in the US,11 as well as a resolution at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem. In Canada, there have been no such concrete proposals, only the vocal views of the Federal and Ontario Commissioners.

4 This paper argues that legislated PbD is the necessary next step in privacy law to protect a right that is fundamental to liberty, personal integrity and democracy. For this reason, PbD deserves explicit mention as a tenet of privacy and data protection law. However, the view that laws based on PbD principles alone would be sufficient in this regard is not tenable in a world of ubiquitous computing and transformative technologies. A broad, principled approach relies on organizations adopting appropriate measures without providing the guidance necessary to prevent actions injurious to personal privacy such as data breaches, unwanted tracking or uncontrolled collection of ever-increasing amounts of PII. PbD needs to be

been some significant developments in this regard. The third part will look at pertinent examples of systems to which PbD principles were applied, and without which the resulting systems would likely have been much more privacy-intrusive. The last part of the analysis will focus on the views of data protection authorities relating to incorporating PbD into legislative frameworks, including a close look at the legislative proposal from the Ontario Commissioner, Dr Ann Cavoukian, which was included as part of a very recent publication from her office.15 The final part of this article will make some recommendations and suggested points for future research in this regard.16

B. Privacy by Design

I. The Right to Privacy

[Code] will present the greatest threat to both liberal and libertarian ideals, as well as their greatest promise. We can build, or architect, cyberspace to protect values that we believe are fundamental. Or we can build, or architect, or code cyberspace to allow those values to disappear.17

6 This section is not intended to provide an exhaustive background to or a detailed comparative analysis of the right to privacy in Canada versus other Western jurisdictions.18 Rather, it is intended to set the stage for the discussion of why a legislated PbD requirement might be a necessary addition to existing data privacy frameworks in order to protect the right to privacy as a fundamental personal and democratic right.

7 In some jurisdictions,