國立政治大學 National Chengchi University
1 Introduction
1.3 Summary
In 2010, Privacy by Design was unanimously acclaimed as a global privacy standard by the assembly of International Data Protection and Privacy Commissioners. It is set to influence technology design, business practices and physical infrastructure by embedding privacy protection at their core. The PbD standard has had tremendous influence on privacy policy frameworks around the world. In 2012, the draft update of the European data protection legislation included adherence to PbD principles, and the US FTC released its final report on protecting consumers’ privacy, recommending that companies adopt PbD and build consumer privacy protection into every stage of their product or service development. Also in 2012, the international standards organization OASIS formed a Technical Committee (TC) called Privacy by Design for Software Engineers (PbD-SE), and Dr. Ann Cavoukian led the development of its charter. One of the PbD-SE OASIS TC’s core tasks is to map the seven standardized PbD principles to the Unified Modeling Language (UML) so that software engineers can easily embed privacy requirements into the development of their mobile apps and services.20
20 Ann Cavoukian, Fred Carter, Dawn Jutla, John Sabo, Frank Dawson, Jonathan Fox, Tom Finneran, and Sander Fieten, Privacy by Design Documentation for Software Engineers Version 1.0 (June 2014), http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/pbd-se-v1.0.html (Accessed on 7 May 2015).
Chapter 2
Privacy Regulations and Privacy by Design
Data protection authorities in the EU and the UK, as well as the FTC in the US, have been clear that PbD is a concept that needs to be encouraged and that is vital to the proper progress of technology that will respect the privacy rights of its users or beneficiaries. In October 2010, regulators from around the world gathered at the annual assembly of the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Jerusalem, Israel, and unanimously passed a landmark resolution recognizing PbD as an essential component of fundamental privacy protection, encouraging the adoption of PbD to establish privacy as organizations’ default mode of operation, and inviting data protection and privacy commissioners to promote PbD in their jurisdictions.21 Furthermore, the ICDPPC adopted a resolution on Big Data in October 2014 in Mauritius. One of its resolutions was that Big Data technologies should be developed and used according to the principles of PbD.22
PbD is not yet part of legislation in any country, even though it is often cited as a best practice for privacy and data protection. Moreover, there are calls in the EU and the US to include PbD principles in legal frameworks. PbD is included as a principle under Article 23 of the proposed EU Data Protection Regulation (DPR) and in the US Commercial Bills of Rights Act. After comprehensively reviewing the related EU and US privacy regulations and analyzing the current status of PbD, this study will briefly examine Taiwan’s PIPA to determine best practices for mobile app stakeholders in Taiwan to ensure better privacy protection.
21 International Data Protection and Privacy Commissioners, Resolution on Privacy by Design (October 2010), 32nd International Conference, http://www.justice.gov.il/NR/rdonlyres/F8A79347-170C-4EEF-A0AD-155554558A5F/26502/ResolutiononPrivacybyDesign.pdf (Accessed on 15 October 2014).
22 International Data Protection and Privacy Commissioners, Resolution on Big Data (2014), 36th International Conference, http://www.privacyconference2014.org/media/16427/Resolution-Big-Data.pdf (Accessed on 2 November 2014).
2.1 European Union
The right to privacy is highly legislated and developed in Europe. A foundational statement of EU privacy values in relation to electronic communications and telecommunications is set forth in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.23 Article 7 (Respect for private and family life) provides the EU analogue of the US “right to be let alone”:24 everyone has the right to respect for his or her private and family life, home, and communications. Article 8 (Protection of personal data) sets forth basic rights relating to personal data protection.
Strong rights of personal data protection and “respect for private life” are thus enshrined in the Charter under the overarching concepts of personal dignity and freedom. The Charter entered into force on 1 December 2009 under the Treaty of Lisbon; the Charter of Fundamental Rights is now legally binding and has expanded this legal basis.25
23 European Convention, Charter of Fundamental Rights of the European Union (October 2012), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012P/TXT&from=EN (Accessed on 2 June 2015).
24 Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy”, Harvard Law Review, Vol. 4, No. 5 (December 1890, pp. 193-220).
25 European Parliament, Respect for fundamental rights in the Union (June 2015), http://www.europarl.europa.eu/atyourservice/en/displayFtu.html?ftuId=FTU_2.1.2.html (Accessed on 15 June 2015).
These foundational values have been given further legal and administrative force in a series of EU directives, two of which are the most important: the Data Protection Directive (Directive 95/46/EC)26 and the E-Privacy Directive (Directive 2002/58/EC).27 The Data Protection Directive (DPD) established the basic legal framework for data privacy protection in the EU, whereas the E-Privacy Directive (EPD) supplements the DPD and replaced the Telecommunications Privacy Directive of 1997 to provide better privacy protection in the electronic communications sector.
Figure 2.1: Structure of Privacy and Data Protection Regulations in the EU
26 EU Article 29 Data Protection Working Party, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (Accessed on 15 October 2014).
27 EU Article 29 Data Protection Working Party, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML (Accessed on 15 October 2014).
2.1.1 Data Protection Directive 95/46/EC
In October 1995, the EU adopted Data Protection Directive 95/46/EC as a regulatory framework (thirty-three articles in eight chapters) to guarantee the secure and free movement of personal data across the national borders of its member states, and the DPD went into effect in October 1998. The DPD defines the basic elements of data protection that member states must transpose into national law (e.g. the UK Data Protection Act 1998); each member state manages the regulation of data protection and its enforcement within its own jurisdiction. Data protection commissioners from EU member states participate in a working group at the Community level according to Article 29 of the DPD.28
The Article 29 Data Protection Working Party (WP29), set up under Article 29 of the DPD, is composed of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor (EDPS) and the European Commission. WP29 is an independent European advisory body on privacy and data protection. Article 30 of the DPD describes its main tasks as: (i) providing expert advice from the national level to the European Commission on data protection matters; (ii) promoting the uniform application of the DPD in all Member States of the EU; (iii) advising the Commission on any European Community law that affects the right to the protection of personal data.29
This general DPD has also been complemented by other legal instruments, such as the EPD for the electronic communications sector. The EPD complements the existing DPD and sets out more specific “rights to privacy in the electronic communication sector”. The main provisions of this Directive require providers of electronic communications services to offer “secured services” and to maintain “confidential information”. This Directive particularly concerns personal data processing issues relating to the delivery of communication services, such as security of processing (Article 4), confidentiality of communications (Article 5), cookies (Article 5(3)), public directories of subscribers (Article 12), unsolicited communications (Article 13), and users’ control of their personal data (Article 14(3)).30
28 Electronic Privacy Information Center (EPIC), EU Data Protection Directive, https://epic.org/privacy/intl/eu_data_protection_directive.html (Accessed on 27 December 2014).
29 Article 29 Data Protection Working Party Main Tasks, https://secure.edps.europa.eu/EDPSWEB/edps/Cooperation/Art29 (Accessed on 27 December 2014).
In 2009, the EPD was amended by the Cookie Directive 2009/136/EC.31 This Directive requires websites to obtain informed consent from visitors before storing information on a computer or any other web-connected device. The storage of user information is mostly done by cookies, which can then be used for tracking website visitors. Article 5(3) of the EPD required that users be informed about the use of cookies, the purpose for which the cookie will be used, and their right to opt out of cookies; this information was commonly placed in privacy policies that users mostly do not read.
Under Article 2(5) of the Cookie Directive, which replaces Article 5(3) of the EPD, however, the website user is now required to opt in when visiting a website that uses cookies, so the website has to block cookies until visitors have given their informed consent to their use. As a result, organizations offering services and applications that attempt to access personal data require users’ informed consent via the opt-in principle.
30 EU Legislation Summary, Data Protection in the Electronic Communications Sector (May 2010), http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm (Accessed on 15 January 2015).
31 EU Article 29 Data Protection Working Party, Cookie Directive 2009/136/EC (November 2009), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN (Accessed on 15 January 2015).
In 2006 and 2009, moreover, the EPD was amended as part of a wider initiative to create a “Telecoms Package”:32 a comprehensive regulatory framework for electronic communications and telecommunications aligned with the EU’s Digital Agenda for Europe 2020 strategy.33 These are important privacy policies that mobile app stakeholders must consider to ensure their products and services comply with EU privacy regulations.
In December 2009, the WP29 and the Working Party on Police and Justice (WPPJ) published a joint Opinion entitled “The Future of Privacy”,34 which advocated incorporating the PbD principles into the EU’s new privacy protection framework.
The idea of incorporating technological data protection safeguards in ICT systems is not completely new: the DPD already contains several provisions that oblige data controllers to implement technological safeguards in the design and operation of ICT systems, as well as security and organizational measures to ensure compliance.
However, apps and smart devices today are ubiquitous, global and connected.
Chapter Four of “The Future of Privacy” summarizes: “The technological developments have strengthened the risks for individuals’ privacy and data protection and to counterbalance these risks, the principle of Privacy by Design should be introduced in the new framework: privacy and data protection should be integrated into the design of Information and Communication Technologies. The application of such principle would emphasize the need to implement privacy enhancing technologies, privacy by default settings and the necessary tools to enable users to better protect their personal data. This principle of Privacy by Design should therefore not only be binding for data controllers, but also for technology designers and producers and relevant stakeholders”.
32 European Commission, Regulatory Framework for Electronic Communications in the European Union (December 2009), https://ec.europa.eu/digital-agenda/sites/digital-agenda/files/Copy%20of%20Regulatory%20Framework%20for%20Electonic%20Communications%202013%20NO%20CROPS.pdf (Accessed on 20 May 2015).
33 European Commission, Digital Agenda in the Europe 2020 Strategy (March 2015), http://ec.europa.eu/digital-agenda/en/digital-agenda-europe-2020-strategy (Accessed on 20 May 2015).
34 EU Article 29 Data Protection Working Party and Working Party on Police and Justice, The Future of Privacy (December 2009), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf (Accessed on 20 March 2015).
In March 2013, the WP29 published the “Opinion 02/2013 on Apps on Smart Devices”.35 In this opinion, the WP29 clarifies the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices, focusing on the consent requirement, the principles of purpose limitation and data minimization, the need to take adequate security measures, the obligation to correctly inform end users about their rights, reasonable retention periods, and fair processing of data collected from.
The relevant EU legal framework applicable to mobile privacy is the DPD. It applies in any case where the use of apps on smart devices involves processing the personal data of individuals. To identify the applicable law, it is essential to first identify the roles of the different stakeholders involved; the identification of the controllers of the processing carried out via mobile apps is particularly crucial in relation to applicable law. According to Article 4.1(a) of the DPD, the national law of a Member State is applicable to all processing of personal data carried out “in the context of an establishment” of the controller on the territory of that Member State. Pursuant to Article 4.1(c) of the DPD, the national law of a Member State is also applicable in cases where the controller is not established in Community territory and makes use of equipment situated on the territory of that Member State. Since the device is instrumental in the processing of personal data about the user, this criterion is usually fulfilled. However, this is only relevant where the controller is not established in the EU. As a result, whenever a stakeholder involved in the development, distribution and operation of apps is considered to be a controller, that stakeholder is responsible, alone or jointly with other stakeholders, for ensuring compliance with all the requirements set forth under the DPD. The identification of the stakeholders involved in mobile apps is provided in Section 3.2.1 (Mobile Apps Stakeholders) of this thesis.
35 EU Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (February 2013), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf (Accessed on 19 December 2014).
In addition to the DPD, the EPD (2002/58/EC, as revised by the Cookie Directive 2009/136/EC) sets a specific standard for all stakeholders worldwide that wish to store or access information stored on users’ devices in the European Economic Area (EEA). Article 5(3) of the EPD prescribes that “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Data Protection Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”36
36 EU Article 29 Data Protection Working Party, Cookie Directive 2009/136/EC (November 2009), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN (Accessed on 15 January 2015).
While many provisions of the EPD apply only to providers of public electronic communication services and providers of public communication networks in the Community, Article 5(3) applies to every entity that places information on, or reads information from, smart devices. It applies without regard to the nature of the entity (e.g. whether public or private, an individual programmer or a major corporation, or whether it is a data controller, data processor or a third party).37
The consent requirement of Article 5(3) applies to “any information”, without regard to the nature of the data being stored or accessed. The scope is not limited to personal data; the information can be any type of data stored on the device. Furthermore, the consent requirement of Article 5(3) of the EPD applies to services offered in the Community, that is, to all individuals living in the EEA, regardless of the location of the service provider. It is important for app developers to know that both Directives are imperative (mandatory) law, in that the individuals’ rights are non-transferable and not subject to contractual waiver. This means that the applicable EU privacy law cannot be excluded by a unilateral declaration or contractual agreement.38
2.1.2 Data Protection Act 1998 (UK)
In the UK, the Enterprise Privacy Group (EPG) was commissioned by the ICO, and consulted with a cross-section of privacy, identity and security experts, to write the ICO’s report on PbD, which was published in November 2008. This report was a policy document investigating the adoption of PET, and it provided a foundation for data protection compliance and for securing privacy throughout the entire lifecycle of a system. It suggests that PbD needs to go beyond the design of technological systems to also consider organizational changes. This report also identified a number of important barriers to the successful adoption of PbD within authorities and organizations, and provided recommendations to make PbD a reality. These recommendations are: (i) an executive mandate for PbD, (ii) PIA throughout the SDLC, (iii) cross-sector standards for data sharing, (iv) the development of practical privacy standards, (v) promotion of current and future research into PET, and (vi) establishing more rigorous compliance and enforcement mechanisms.39 In December 2013, moreover, the ICO issued the guidance “Privacy in Mobile Apps” to assist mobile app developers in complying with the DPA 1998 during the Software Development Life Cycle (SDLC) and in ensuring the protection of users’ privacy rights.40 In February 2014, the ICO issued its updated PIA framework41 for organizations. The primary purpose of this updated framework is to promote PbD as a best practice that helps organizations comply with their DPA obligations when they change the way they use personal data. Section 51 of the DPA 1998 (General Duties of Commissioner)42 is highly recommended for Taiwan’s data protection authorities to take into consideration: to work towards a consensus on best practices and to recommend them to government and non-government agencies through consultations with stakeholders.
39 UK Information Commissioner’s Office (ICO), Privacy by Design (November 2008), at 3, http://www.ico.org.uk/for_organisations/data_protection/topic_guides/privacy_by_design (Accessed on 15 October 2014).
40 UK Information Commissioner’s Office (ICO), Privacy in Mobile Apps – Guidance for App Developers (December 2013), https://ico.org.uk/for-organisations/guide-to-data-protection/online-and-apps/ (Accessed on 15 November 2015).
41 UK Information Commissioner’s Office (ICO), Conducting Privacy Impact Assessments Code of Practice (February 2014), https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf (Accessed on 13 February 2015).
42 UK Data Protection Act (DPA) 1998, Section 51(1) General duties of Commissioner (July 1998), http://www.legislation.gov.uk/ukpga/1998/29/section/51
2.1.3 General Data Protection Regulation
In January 2012, the European Commission proposed a comprehensive reform of the DPD 95/46/EC to strengthen online privacy rights and boost Europe’s digital economy. Technological progress and globalization have profoundly changed the way users’ data is collected, processed and used. In addition, the 27 EU Member States have implemented the DPD differently, resulting in divergences in enforcement.
A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around 2.3 billion euro a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.43
The Commission’s legislative proposal updated and modernized the principles enshrined in the DPD to guarantee privacy rights in the future. The proposed General Data Protection Regulation (GDPR) sets out a general EU framework for data protection. A number of key changes in the reform include:
(1) A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed.
43 European Commission, Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses (January 2012),