Making privacy by design operative
International Journal of Law and Information Technology Pub Date : 2016-02-24 , DOI: 10.1093/ijlit/eaw002 Dag Wiese Schartum
Many scholars and politicians believe privacy by design may turn out to be a strong contribution to improved privacy protection. However, what are the prerequisites, and what guidelines should we adopt to make good privacy designs for information systems? The author of this article discusses the significance and potential of regulatory design for implementing privacy in information systems. He also suggests and demonstrates a general method of privacy by design.

KEYWORDS: privacy by design, EU General Data Protection Regulation, eGovernment, design of information systems, systems development, methodology

INTRODUCTION

Personal data processing by computer software occurs in everything from large mainframe computers to the many digital devices that have become an integrated and indispensable part of our lives. Data processing affects everything from crucial to trifling matters; it penetrates our private lives, government, business, economic life and literally every aspect of society. Computer software is the result of design decisions made by people. Experts specify instructions in computer software, and many of these instructions will affect the way personal data are processed. These instructions perform functions that may or may not make it easy for users of software to comply with privacy legislation. Realization of privacy laws, in other words, is largely dependent on software design, and this design is the result of experts’ preferences and decisions or, at worst, their lack of knowledge and interest in safeguarding personal privacy.

Privacy by design is an almost 20-year-old goal and slogan. The catchword is based on an acknowledgement of the close relationship between formal legal privacy protection and actual protection of privacy in a computerized society. Several guidelines, policies and tools have been developed to help embed privacy into software and data management. Much of this represents a technology-oriented approach to, and a rather narrow definition of, privacy, which largely addresses confidentiality and data security questions. Protection of privacy is not primarily about minimizing risks; it is just as much about complying with the various statutory conditions regulating controllers of personal data, and about facilitating respect for data subjects’ rights. My personal view is that the ideological influence of privacy by design up until now has been greater than its effects on the software industry. Thus, privacy by design represents many unexplored possibilities, and therefore more elaboration of the approach, and a discussion concerning how we might best move from idea to realization, are highly important. This article is based on the assumption that a reservoir of unexploited possibilities exists. A general privacy by design method is likely to create more powerful privacy designs in software systems.

Since many privacy elements are based on law, a methodology should have law as its point of departure, so that lawyers and other privacy experts would be able to easily recognize and understand most steps of the transformation process from law to design decisions. In this article, I offer a concrete methodology and give examples of how it may contribute positively to the aspiration of shaping privacy-friendly information systems. The proposal is based inter alia on a brief discussion of the standard privacy by design principles, demonstrating that the principles do not say much about how we may move from thought to deed (see section ‘Privacy by Design as Explained’).

The prospect of realizing privacy by design depends not only on methodology; legislation is equally important. Laws may be drafted to prepare the ground for privacy designs, or they may make such design aims difficult if not impossible to achieve. Generally speaking, European privacy legislation is vague and discretionary and can relatively seldom be interpreted precisely. Thus, European legislation strongly limits the opportunity to create advanced and good privacy designs of information systems. This article includes a brief discussion of how basic regulatory choices may represent an obstacle to privacy by design, and how they may instead open up for direct formal representation of privacy rules (see section 49). The less legislation prepares the ground for privacy by design, and the fewer obvious privacy by design options that derive directly from statutory texts, the greater the need for methodologies to reveal such possibilities. Still, privacy by design-orientated policy combined with privacy by design-impeding legislation embodies a serious policy dilemma that makes it unrealistic to assume that privacy by design can be developed to its intended potential.

Viewed from the e-Government research area regarding transformation of legislation, there is nothing very special about privacy by design. Rather, much of the privacy by design concept is affiliated with a host of problems regarding the extent to which we can, or should, transform legal rules into information systems. From the time we stop thinking of privacy by design as special, lawyers working with transformation of other parts of the law will realize that privacy by design is actually home ground.

NARROWING THE SCOPE OF THE PROBLEM

Before entering into the core subjects, we need to delimit the problem field, starting with the ‘standard’ explanation of privacy by design. According to Cavoukian, privacy by design is about ‘embedding privacy into information technologies, business practices, and networked infrastructures, as a core functionality, right from the outset – means building in privacy right up front – intentionally, with forethought’ (my emphasis). According to the so-called ‘Privacy by Design Resolution’, privacy by design also includes processes and physical design. In the proposed EU General Data Protection Regulation, Article 23, privacy by design is made mandatory:

    1. The controller shall, . . . , implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Here, technical and organizational measures are especially mentioned, and this of course includes information systems without excluding other elements. The statements referred to above illustrate that privacy by design is a broad and open concept. Privacy by design could apparently be about designing a broad range of things, both tangible and intangible, provided they have effects on privacy. In my view, such a broad definition of the object of design makes it difficult to establish a common and sufficiently concrete design methodology. Although design problems may be related, for example, in organizational measures, business practices, digital devices and software, I assume that each area requires a different methodological approach.

* Norwegian Research Center for Computers and Law, University of Oslo; Email: d.w.schartum@jus.uio.no. Thanks to Professor Lee A. Bygrave and Professor Arild Jansen for useful comments.

© The Author (2016). Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com. International Journal of Law and Information Technology, 2016, 0, 1–25, doi: 10.1093/ijlit/eaw002.

Notes

1. The origin of privacy by design is briefly explained by J Van Rest and others, ‘Designing Privacy-by-Design’ in B Preneel and I Demosthenes (eds), Privacy Technologies and Policy (Springer 2014) 56.
2. IS Rubinstein, ‘Regulating Privacy by Design’ (2011) 26 Berkeley Tech LJ 1409, 1423.
3. For instance, Microsoft’s Security Development Lifecycle (SDL) for software development and IBM’s Tivoli Privacy Manager. The analysis in IS Rubinstein and N Good, ‘Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents’ (2013) 28 Berkeley Tech LJ 1333, 1406, follows a security-oriented approach, cf their conclusion that ten analysed privacy incidents might have been avoided if certain privacy by design principles had been applied.
4. For an overview of challenges, criticism and limitations of privacy by design, see D Klitou, ‘A Solution, But Not a Panacea for Defending Privacy: The Challenges, Criticism and Limitations of Privacy by Design’ in B Preneel and D Ikonomou (eds), Privacy Technologies and Policy: First Annual Privacy Forum, APF 2012 (Springer 2014).
5. See sections ‘Bridging Law and Technology’, ‘Closer Look on Technological Design Elements’, ‘Privacy by Design Techniques’ and ‘Combining Design Elements and Privacy by Design Techniques’.
6. See section ‘Concluding Remarks’.
7. Regarding the relationship between privacy enhancing technologies (PETs), see Rubinstein (n 2).
8. See A Cavoukian, ‘Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices’ (December 2012) Information and Privacy Commissioner, Ontario, Canada.
9. ‘Privacy by Design Resolution’, 32nd International Conference of Data Protection and Privacy Commissioners (Jerusalem, Israel, October 2010).
10. Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data’ (General Data Protection Regulation) COM (2012) 11, 25 January 2012.
11. I read ‘technical and organisational measures’ as a wide concept which, for instance, could comprise physical design of devices (cf ‘technical’) as well as processes and business practices (cf ‘organisational’).
12. Privacy by design is often criticized for being too open and vague; see, for instance, S Gürses, C Troncoso and C Diaz, ‘Engineering Privacy by Design’ (January 2011) Paper Presented at the C
Updated: 2016-02-24