Privacy by design — or “Data Protection by Design” as it is referred to in the General Data Protection Regulation (GDPR) — is essential to meaningful privacy protection. Yet, it is often quite thin and incomplete. As I wrote a few years ago about privacy by design, “The ‘privacy’ the designers have in mind might be so focused on one particular dimension of privacy that it might overlook many other dimensions.”
R. Jason Cronk has a tremendously thoughtful approach to privacy by design that helps avoid this pitfall. He is the author of the forthcoming book Strategic Privacy by Design and has been working in the fields of privacy and information security since 2004. Cronk is one of the rare privacy lawyers who also has a sophisticated technology background. Last year, Cronk and I worked together on a privacy notice generator which won the Department of Health and Human Services Office of Technology Innovation prize. Now, Cronk focuses mostly on bringing his expertise and unique spin on privacy by design to organizations through his boutique consulting firm, Enterprivacy Consulting Group.
I had a chance to read Cronk’s manuscript, and I am particularly impressed by how thorough his approach to privacy by design is, as well as how well he illustrates the issues with concrete examples. When his book comes out, I strongly recommend that anyone with an interest in privacy read it.
Later this year he’ll be offering a Data Protection by Design and Default intensive day in Washington, D.C. at the Privacy and Security Forum (on Wed., Oct. 3). This will be an all-day event about privacy by design. A few weeks later, he’ll be speaking about these issues in New Zealand. For those of you who can’t make it to New Zealand, definitely join Jason for his intensive day event at the Forum.
Below, I discuss with Jason his views about privacy by design and his approach to it.
SOLOVE: How far has privacy by design progressed in terms of its acceptance, inclusion in laws, and implementation in practice? What challenges remain for privacy by design?
CRONK: Dr. Ann Cavoukian tirelessly promoted privacy by design, leading to worldwide interest in it. Without her effort, we wouldn’t have seen a unanimous resolution adopted by the International Conference of Data Protection and Privacy Commissioners calling privacy by design a necessity in data protection. We wouldn’t have seen the FTC call for its adoption by companies in protecting consumer privacy. We wouldn’t have seen the inclusion of Article 25, Data Protection by Design and Default, as part of GDPR. We wouldn’t see other countries, like India, moving to include similar concepts in their laws as well. Unfortunately, part of the strength of her 7 Foundational Principles of Privacy by Design is also their weakness. She purposefully made them robust and flexible to allow organizations to find their own methods to achieve them.