A Study on the Legalization of "Privacy by Design": Mobile Application Development as an Example - 政大學術集成
Full text
Abstract

In this era of rapid development in information and communication technology, people's use of smartphones and mobile applications keeps increasing. As the functions of mobile applications diversify, the legal issues arising from possible violations of personal privacy and data have drawn the attention of government officials, academics, legal practitioners, industry members and consumers. Based on the current mobile application industry, this thesis raises two very important questions: (1) Before a mobile application is designed and developed, is a legal mechanism for "Privacy by Design" needed to strengthen the protection of consumers' privacy rights? (2) Should Taiwan incorporate a "Privacy by Design" legal mechanism into the Personal Information Protection Act, so as to conform to contemporary European and American information privacy protection law?

Taiwan currently has no explicit legal policy governing the privacy protection issues of mobile applications. Using a comparative law approach, this thesis compares the opinions, regulatory recommendations and related laws on "Privacy by Design" issued by the privacy protection authorities of the EU and the US, and formulates countermeasures and solutions that the Taiwanese government and industry could adopt so that privacy protection mechanisms are built into products or services from the start of development. In addition, drawing on software engineering methods from computer science and the recommendations of experts and scholars, this thesis evaluates the benefits and impact of introducing a "Privacy by Design" mechanism into the current privacy protection architecture of mobile applications.

Finally, this thesis also analyzes, one by one, Taiwan's Personal Information Protection Act and the mobile privacy regulations proposed in Europe and the US, and recommends that government officials, academics and enterprises hold regular dialogues through e-participation, so that future amendments to the personal data protection regime consider incorporating the "Privacy by Design" concept and strengthen the protection of mobile privacy rights.

Keywords: Privacy by Design, Mobile Applications, Mobile Privacy, Personal Information Protection Act, E-Participation
Abstract

In the contemporary age of Information and Communication Technology (ICT), with the use of smartphones and mobile applications consistently increasing, legal issues regarding the invasion of mobile privacy concern government officials, academics, industry experts and consumers. This thesis raises two overarching questions based on the mobile applications (apps) industry: (i) Is it necessary to legally enforce Privacy by Design (PbD) in mobile apps development to ensure better protection of the right to privacy? (ii) Should the Taiwan government incorporate PbD into its Personal Information Protection Act (PIPA) to conform to the US and EU regulations?

This thesis uses a comparative jurisprudence approach to examine mobile privacy regulations by analyzing opinions, staff reports and regulations from the US and EU, to determine how Taiwan can better emulate the US and EU guidelines on PbD and ensure that privacy protection mechanisms are implemented in a product or service from the onset of mobile apps development. Furthermore, this thesis also assesses current privacy protection regulations and frameworks through a "bridging approach" based on software engineering methodology, in which we conclude PbD results during the mobile apps development cycle, and also demonstrates considerable interdisciplinary cooperation between legal science and computer science.

Finally, this thesis proposes feasible solutions to address contemporary mobile privacy issues in Taiwan through a critical review of Taiwan's PIPA and the US and EU mobile privacy regulations, and suggests an e-participation approach to involve different stakeholders (government officials, academics, and industry experts) in future PbD policy making and regular dialogues to ensure robust protection of the right to mobile privacy.

Keywords: Privacy by Design, Mobile Applications, Mobile Privacy, Personal Information Protection Act, E-Participation
Acknowledgements

People have always said that writing a thesis is a solo and long journey. I am now at the end of the road, and there were difficult moments when I look back, but I have felt everything in the search for knowledge. Looking back at my past five-year journey at NCCU, I have worked not only as an industry expert, but have also been trained to think differently, as a legalist.

First of all, I would like to sincerely thank my advisor Prof. Chi-Shing Chen, who believed in me from the first day when I took my first course of law study, "Introduction to the Study of Law", in 2010, taught by Prof. Chen, where I was highly motivated in the interdisciplinary study of legal and computer sciences; I then continued to follow his steps to take the second course, "Seminar on Law and Culture", in 2013, and the last course of law study, "Seminar on Legal Informatics", in 2015.

I am also very grateful to Prof. Ting-Chi Liu, who taught me the fundamentals of privacy and data protection law through his course "Constitution Law Seminar" in 2012 and served as a jury member for my master's thesis.

I want to thank Mr. Steve Wang, who is serving as Vice President of Mobile Applications Development, and Mr. Jerry Chen, who is serving as Vice President of Global Product Management at HTC Corporation. Steve and Jerry have provided me with a lot of suggestions on the software development and product planning processes where Privacy by Design can be incorporated.

Finally, I am deeply thankful to my mother, Ms. Rong-Fei Lin, who has supported my daily living so that I could focus on writing this thesis.
Table of Contents

Abstract ... i
Acknowledgements ... iii
List of Tables ... vi
List of Figures ... vii
1 Introduction ... 1
1.1 Research Questions ... 5
1.2 Theoretical Approach ... 6
1.2.1 Study and Review Mobile Privacy Regulations ... 7
1.2.2 Analysis and Engineering Privacy by Design ... 9
1.3 Summary ... 10
2 Privacy Regulations and Privacy by Design ... 11
2.1 European Union ... 12
2.1.1 Data Protection Directive 95/46/EC ... 14
2.1.2 Data Protection Act 1998 (UK) ... 19
2.1.3 General Data Protection Regulation ... 21
2.2 United States ... 25
2.3 Taiwan ... 28
2.4 Summary ... 32
3 Privacy Protection Framework – A New Paradigm ... 33
3.1 Incorporating Fair Information Practice to Privacy by Design ... 36
3.2 Privacy by Design Roadmap for Mobile Apps Stakeholders ... 41
3.2.1 Mobile Apps Stakeholders ... 42
3.3 Engineering Privacy by Design ... 51
3.3.1 Privacy in Software Development Life Cycle ... 54
3.3.2 Incorporating Privacy Enhancing Technology ... 59
3.4 Summary ... 62
4 Conclusions and Recommendations ... 64
References ... 66
List of Tables

Table 2.1: Taiwan PIPA Articles and OECD FIP Principles ... 30
Table 2.2: Taiwan PIPA Articles, OECD FIP Principles and PbD Principles ... 31
Table 3.1: OECD FIP Principles and PbD Principles ... 41
Table 3.2: PbD Roadmap for Mobile Apps Stakeholders ... 50
List of Figures

Figure 2.1: Structure of Privacy and Data Protection Regulations in EU ... 13
Figure 2.2: Elements of Legal Technology Design in GDPR ... 24
Figure 3.1: Multidisciplinary Cooperation for Privacy by Design ... 34
Figure 3.2: Structure of Engineering Privacy by Design ... 53
Figure 3.3: Privacy Impact Assessment and Software Development Life Cycle ... 59
Chapter 1 Introduction

In the contemporary age of Information and Communication Technology (ICT), with the rapid uptake of smartphones and mobile applications (apps), the legal issues of mobile privacy protection concern government officials, academics, industries and consumers.

Currently, the commonly established and enforced legal frameworks in the mobile industry that protect consumers' privacy are referred to as Information Privacy Law.[1] Information Privacy Law is a wide-ranging body of law, encompassing Common Law,[2] Constitutional Law[3] and Statutory Law[4] in the US, and the Data Protection Directive[5] and General Data Protection Regulation[6] in the European Union. However, the legal frameworks that protect customers' privacy at a "pre-design" stage of mobile apps are still limited.

[1] Daniel J. Solove and Paul M. Schwartz (2015), Information Privacy Law (5th ed.), Wolters Kluwer, New York, USA.
[2] Solove and Schwartz, supra note 1, at 10-35, The Warren and Brandeis Article, The Recognition of Warren and Brandeis's Privacy Torts (William Prosser, Privacy; Lake v. Wal-Mart Stores, Inc.), Tort Law, Evidence Law, Property Rights, Contract Law and Criminal Law.
[3] Solove and Schwartz, supra note 1, at 35-36, Federal Constitutional Law and State Constitutional Law.
[4] Solove and Schwartz, supra note 1, at 37-40, Federal Statutory Law and State Statutory Law.
[5] EU Article 29 Data Protection Working Party, Directive 95/46/EC of the European Parliament and the Council of Europe on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (October 1995), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (Accessed on 15 November 2014).
[6] European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (General Data Protection Regulation, January 2012), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF (Accessed on 19 November 2014).
Therefore, it is significant that the mobile apps industry legally enforces and publicizes privacy protection at a precautionary stage, to provide more proactive and preventative mechanisms for protecting consumers' privacy and personal data. This study focuses its discussion and analysis on "Privacy by Design" (PbD) and examines its functions and implications. This study is an exploratory study of PbD and aims at understanding the issues in order to recommend better "legal technology design" frameworks that protect consumers' mobile privacy at the initial pre-design stage.[7]

Due to the rapid growth and dynamic change of mobile markets and technologies, it is vital to take privacy protection requirements into account, especially at the initial stages, because new technologies often contain unforeseen problems which are sometimes difficult to overcome after the basic design has been completed. Therefore, it is important to identify and examine possible privacy invasions before designing new products and services, and to incorporate them into privacy protection mechanisms during the mobile apps development lifecycle. This will ensure better protection of consumers' privacy requirements.

The design and implementation of privacy protection requirements are difficult problems that require an in-depth translation of the complex social, legal and ethical concerns of mobile apps. The concepts of PbD have been proposed worldwide by academic researchers, government officials and industry experts in order to reinforce privacy protection as well as to address problems and challenges in the mobile apps industry.

Generally speaking, PbD consists of a number of principles that can be applied to the mobile apps development lifecycle to mitigate privacy concerns and to enhance

[7] Matthias Pocs, Will the European Commission be able to standardise legal technology design without a legal method? Computer Law & Security Review Vol. 28 (December 2012, pp. 641-650).
personal data protection compliance requirements. Ann Cavoukian developed the seven foundational principles, which are: (i) Proactive not Reactive; Preventative not Remedial, (ii) Privacy as the Default Setting, (iii) Privacy Embedded into Design, (iv) Full Functionality – Positive-Sum, not Zero-Sum, (v) End-to-End Security – Full Lifecycle Protection, (vi) Visibility and Transparency – Keep It Open, (vii) Respect for User Privacy – Keep it User-Centric.[8] A brief description of these seven principles follows.

(1) Proactive not Reactive; Preventative not Remedial: The PbD approach is characterized by proactive rather than reactive measures. According to Ann Cavoukian, this approach anticipates and prevents privacy-invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for privacy issues once they have occurred; rather, it aims to prevent them from occurring in the first place. For example, mobile apps companies or service providers can proactively incorporate privacy protection mechanisms as important features of products or services at the initial stages of development in order to prevent future invasions.

(2) Privacy as the Default Setting: Under this approach, PbD seeks to deliver the maximum degree of privacy by ensuring that personal information is automatically protected in any given IT system, business practice or mobile app. For instance, if mobile apps users do nothing, their privacy still remains intact; no action is required from users to protect their privacy, as it is built into the system by default.

[8] Ann Cavoukian, Privacy by Design – The 7 Foundational Principles (August 2009), https://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/ (Accessed on 3 October 2014).
(3) Privacy Embedded into Design: This means that PbD is embedded into the design and architecture of ICT systems and business practices. It is not an add-on feature bolted on after the fact. As a result, privacy protection becomes an essential component of the core functionality being delivered, including in mobile apps. This is what Cavoukian refers to as privacy being "integral to the system", without diminishing its functionality.

(4) Full Functionality – Positive-Sum, not Zero-Sum: PbD seeks to accommodate all legitimate interests and objectives in a positive-sum "win-win" manner, not through a zero-sum approach in which unnecessary trade-offs are made. PbD avoids the pretense of false dichotomies, such as privacy versus security in an ICT system, and demonstrates that it is possible to have both.

(5) End-to-End Security – Full Lifecycle Protection: Once PbD has been embedded into the system, prior to the first element of information being collected, it extends security throughout the entire lifecycle of the data involved, from start to finish. This ensures that all data are securely retained and then securely destroyed at the end of the process in a timely fashion. Thus, PbD ensures end-to-end lifecycle protection of all the data collected.

(6) Visibility and Transparency – Keep it Open: PbD seeks to assure all stakeholders that, whatever ICT systems or business practices are involved, processes and operations run according to the stated promises and objectives, subject to independent verification. Their processes and operations remain visible and transparent to users and providers alike.

(7) Respect for User Privacy – Keep it User-Centric: PbD requires all stakeholders to keep the interests of the individual uppermost by offering strong privacy defaults, appropriate notice, and empowering user-friendly options. The
purpose of this principle is to promote and boost users' privacy right at the center of any products or services being delivered.

However, these principles and approaches still remain unclear and leave many questions unanswered for government officials and the mobile apps industry. Though PbD is a new paradigm of privacy protection framework that is spreading and has achieved high-level acceptance around the world, the next big question to be addressed is: how can PbD best be operationalized? This thesis will focus on how best to operationalize PbD during the mobile apps development lifecycle while conforming to international regulations for privacy and data protection.

1.1 Research Questions

According to market research reports, the smartphone market will reach a total of 2.0 billion unit shipments in 2015 (up 2.6% from 1.96 billion units shipped in 2014) and 2.2 billion unit shipments in 2019 (IDC 2014).[9] Moreover, mobile apps will reach a total of 180 billion downloads (up 29.5% from 139 billion downloads in 2014) and 269 billion downloads in 2017 (Gartner 2013).[10] These market reports demonstrate that we are living in a transformative mobile society. People rely on smartphones and mobile apps more than ever before; thus consumers are increasingly concerned about the privacy of the information stored in their smartphones and invaded by mobile apps.

This thesis will focus on two questions: (i) Is it necessary to legally enforce PbD in mobile apps development to ensure better protection of the right to privacy? (ii)

[9] International Data Corporation (IDC), Worldwide Mobile Phone 2015-2019 Forecast and Analysis (April 2015), http://www.idc.com/getdoc.jsp?containerId=255079 (Accessed on 15 February 2015).
[10] Gartner, Worldwide Mobile Apps Downloads 2012-2017 (September 2013), http://www.gartner.com/newsroom/id/2592315 (Accessed on 15 February 2015).
Should the Taiwan government incorporate PbD into its Personal Information Protection Act (PIPA) to conform to the US and EU regulations?

1.2 Theoretical Approach

To address the questions raised above, this thesis uses a comparative jurisprudence approach to review mobile privacy regulations by analyzing opinions, staff reports and regulations from the US and EU, to determine how Taiwan's government, academics and industries can better emulate the PbD guidelines and ensure that privacy protection mechanisms are implemented properly from the onset of mobile apps development.

However, lawyers and engineers alone cannot promote privacy and data protection, as both disciplines depend on each other. Thus, this thesis also assesses current privacy protection frameworks and "legal technology design"[11] through a "bridging approach" based on software engineering methodology, in which we conclude PbD results during the mobile apps development cycle. This approach also demonstrates considerable interdisciplinary cooperation between legal science and computer science.

[11] Matthias Pocs, Will the European Commission be able to standardise legal technology design without a legal method? Computer Law & Security Review Vol. 28 (December 2012, pp. 641-650).
1.2.2 Study and Review Mobile Privacy Regulations

The first part of this thesis will focus on reviews of the PbD guidance and mobile privacy regulations from the US and EU. In October 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a landmark resolution recognizing PbD as an essential component of fundamental privacy protection.[12] Moreover, the International Data Protection and Privacy Commissioners adopted a resolution on big data in October 2014 in Mauritius. One of the resolutions is to develop and use big data technologies according to the PbD principles.[13]

The US Federal Trade Commission (FTC) recognized PbD in March 2012 as one of its three recommended practices for protecting online privacy in its final report entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policy Makers": build in privacy at every stage of product development.[14] PbD is also defined as the baseline principle for the privacy framework in this study. In January 2013, the California Department of Justice issued guidance on how mobile apps can better protect consumer privacy, "Privacy On The

[12] International Data Protection and Privacy Commissioners, Resolution on Privacy by Design (October 2010), 32nd International Conference, http://www.justice.gov.il/NR/rdonlyres/F8A79347-170C-4EEF-A0AD-155554558A5F/26502/ResolutiononPrivacybyDesign.pdf (Accessed on 15 October 2014).
[13] International Data Protection and Privacy Commissioners, Resolution on Big Data (2014), 36th International Conference, http://www.privacyconference2014.org/media/16427/Resolution-Big-Data.pdf (Accessed on 2 November 2014).
[14] US Federal Trade Commission (FTC), Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policy Makers (March 2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf (Accessed on 19 November 2014).
Go: Recommendations For The Mobile Ecosystem".[15] In February 2013, the FTC also issued a staff report, "Mobile Privacy Disclosures: Building Trust Through Transparency", strongly encouraging major companies and participants in the mobile ecosystem to work expeditiously to implement the recommendations in the report.[16]

More recently, PbD has been incorporated into the European Commission's plans to unify data protection within the European Union under a single law; the proposal was released in January 2012, with Article 23, Data Protection by Design and by Default, of the proposed General Data Protection Regulation (GDPR).[17] The proposed GDPR is still under negotiation between the European Parliament, the Council and the Commission. The adoption of this regulation should occur in early 2016, and enforcement of this regulation is planned to take effect in 2018.

One year later, the EU Article 29 Data Protection Working Party (WP29) made public its Opinion 02/2013 on apps on smart devices, in March 2013.[18] In this opinion, the WP29 clarifies the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices, which also relates to PbD principles such as Privacy as the Default Setting and End-to-End Security – Full Lifecycle Protection.

[15] Kamala D. Harris, Attorney General, California Department of Justice, Privacy On The Go: Recommendations for the Mobile Ecosystem (January 2013), http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf (Accessed on 19 November 2014).
[16] US Federal Trade Commission (FTC), Mobile Privacy Disclosures: Building Trust Through Transparency (February 2013), http://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf (Accessed on 19 November 2014).
[17] See The Proposed General Data Protection Regulation, supra note 6, at 57, Article 23, Data Protection by Design and by Default.
[18] EU Article 29 Data Protection Working Party, Opinion 02/2013 on Apps on Smart Devices (February 2013), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf (Accessed on 19 December 2014).
1.2.3 Analyzing and Engineering Privacy by Design

The second part of this thesis analyzes the PbD foundational principles, as well as how PbD can best incorporate the existing Privacy Impact Assessment (PIA) and Privacy Enhancing Technology (PET) frameworks to address mobile privacy concerns. It discusses the latest research results on an engineering approach to designing and implementing privacy requirements through software engineering methodology, and proposes recommendations for all PbD stakeholders: legislators, academics and engineers.

New smartphone technologies can create unique challenges for individuals' mobile privacy rights; thus it is important for all PbD stakeholders to preserve both mobile privacy rights and technological innovation through a comprehensive and flexible approach. One way to achieve that harmony is to adopt the PbD approach[19] by embedding privacy protection mechanisms as default features in the design specifications for smartphone devices, mobile apps and services, right from the beginning of the development lifecycle.

[19] Ann Cavoukian, Privacy by Design – The 7 Foundational Principles (August 2009), https://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/ (Accessed on 3 October 2014).
1.3 Summary

In 2010, Privacy by Design became a unanimously acclaimed global privacy standard by the body of International Data Protection Commissioners. It is soon to influence technology design, business practices and physical infrastructure by embedding privacy protection at its core. The PbD standard has tremendous influence on privacy policy frameworks around the world. In 2012, the draft update of the European data protection legislation included adherence to PbD principles, and the US FTC released its final report on protecting consumers' privacy with a recommendation that companies adopt PbD, building consumer privacy protection into every stage of their product or service development. Also in 2012, the international standards organization OASIS established a Technical Committee (TC), Privacy by Design for Software Engineers (PbD-SE), and led the development of its charter along with Dr. Ann Cavoukian. One of the PbD-SE OASIS TC's core tasks is to map the seven standardized PbD principles to the Unified Modeling Language (UML) so that software engineers can easily embed privacy requirements into their mobile apps and services development.[20]

[20] Ann Cavoukian, Fred Carter, Dawn Jutla, John Sabo, Frank Dawson, Jonathan Fox, Tom Finneran, and Sander Fieten, Privacy by Design Documentation for Software Engineers Version 1.0 (June 2014), http://docs.oasis-open.org/pbd-se/pbd-se/v1.0/pbd-se-v1.0.html (Accessed on 7 May 2015).
Chapter 2 Privacy Regulations and Privacy by Design

Data protection authorities in the EU and the UK, as well as the FTC in the US, have been clear that PbD is a concept that needs to be encouraged and that is vital to the proper progress of technology that respects the privacy rights of its users or beneficiaries. In October 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners (ICDPPC) in Jerusalem, Israel, and unanimously passed a landmark resolution that recognized PbD as an essential component of fundamental privacy protection, encouraged the adoption of PbD to establish privacy as an organization's default mode of operation, and invited data protection and privacy commissioners to promote PbD in their jurisdictions.[21] Furthermore, the ICDPPC adopted a resolution on Big Data in October 2014 in Mauritius. One of the resolutions was to develop and use Big Data technologies according to the principles of PbD.[22]

PbD is not yet a part of legislation in any country, even though it is often cited as a best practice for privacy and data protection. Moreover, there are calls in the EU and US to include PbD principles in legal frameworks. PbD is included as a principle

[21] International Data Protection and Privacy Commissioners, Resolution on Privacy by Design (October 2010), 32nd International Conference, http://www.justice.gov.il/NR/rdonlyres/F8A79347-170C-4EEF-A0AD-155554558A5F/26502/ResolutiononPrivacybyDesign.pdf (Accessed on 15 October 2014).
[22] International Data Protection and Privacy Commissioners, Resolution on Big Data (2014), 36th International Conference, http://www.privacyconference2014.org/media/16427/Resolution-Big-Data.pdf (Accessed on 2 November 2014).
under Article 23 of the proposed EU Data Protection Regulation (DPR) and in the US Commercial Bills of Rights Act. After comprehensively reviewing the related EU and US privacy regulations and analyzing the current PbD status, this study will briefly examine Taiwan's PIPA to determine the best practices for mobile app stakeholders in Taiwan to ensure better privacy protection.

2.1 European Union

The right to privacy is highly legislated and developed in Europe. A foundational statement of EU privacy values in relation to electronic communications and telecommunications is set forth in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.[23] Article 7 (Respect for privacy and family life) provides the EU analog to the US "right to be let alone": "everyone has the right to respect for his/her privacy and family life, home, and communications".[24] Article 8 (Protection of personal data) sets forth basic rights relating to personal data protection. Strong rights of personal data protection and "respect for private life" are thus enshrined in the Charter under the overarching concepts of personal dignity and freedom. The Charter entered into force on 1 December 2009 under the Treaty of Lisbon; it is now legally binding and has expanded this legal basis.[25]

[23] European Convention, Charter of Fundamental Rights of the European Union (October 2012), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012P/TXT&from=EN (Accessed on 2 June 2015).
[24] Samuel D. Warren and Louis D. Brandeis, "The Right to Privacy", Harvard Law Review, Vol. 4, No. 5 (December 1890, pp. 193-220).
[25] European Parliament, Respect for fundamental rights in Union (June 2015), http://www.europarl.europa.eu/atyourservice/en/displayFtu.html?ftuId=FTU_2.1.2.html (Accessed on 15 June 2015).
These foundational values have been given further legal and administrative force in a series of EU directives, two of which are the most important: the Data Protection Directive (also known as Directive 95/46/EC)[26] and the E-Privacy Directive (also known as Directive 2002/58/EC).[27] The Data Protection Directive (DPD) established the basic legal framework for data privacy protection in the EU, whereas the E-Privacy Directive (EPD) supplements the DPD and replaced the Telecommunications Privacy Directive of 1997 for better privacy protection in the electronic communications sector.

Figure 2.1: Structure of Privacy and Data Protection Regulations in EU

[26] EU Article 29 Data Protection Working Party, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (Accessed on 15 October 2014).
[27] EU Article 29 Data Protection Working Party, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML (Accessed on 15 October 2014).
2.1.1 Data Protection Directive 95/46/EC

In October 1995 the EU adopted Data Protection Directive 95/46/EC as a regulatory framework (thirty-four articles in seven chapters plus final provisions) to guarantee the secure and free movement of personal data across the national borders of its member states; the DPD took effect in October 1998. The DPD defines the basic elements of data protection that member states must transpose into national law (e.g. the UK Data Protection Act 1998); each member state manages the regulation of data protection and its enforcement within its own jurisdiction. Data protection commissioners from the EU member states participate in a working party at the Community level under Article 29 of the DPD.[28]

The Article 29 Data Protection Working Party (WP29), set up under Article 29 of the DPD, is composed of a representative of the data protection authority of each EU Member State, the European Data Protection Supervisor (EDPS) and the European Commission. WP29 is an independent European advisory body on privacy and data protection. Article 30 of the DPD describes its main tasks as: (i) providing expert advice from the national level to the European Commission on data protection matters; (ii) promoting the uniform application of the DPD in all Member States of the EU; (iii) advising the Commission on any European Community law that affects the right to the protection of personal data.[29]

This general DPD has also been complemented by other legal instruments, such as the EPD for the electronic communications sector. The EPD complements the

[28] Electronic Privacy Information Center (EPIC), EU Data Protection Directive, https://epic.org/privacy/intl/eu_data_protection_directive.html (accessed 27 December 2014).
[29] Article 29 Data Protection Working Party, Main Tasks, https://secure.edps.europa.eu/EDPSWEB/edps/Cooperation/Art29 (accessed 27 December 2014).
existing DPD and sets out more specific "rights to privacy in the electronic communications sector". The main provisions of this Directive require providers of electronic communications services to offer "secured services" and to maintain the confidentiality of communications. The Directive particularly concerns the processing of personal data in the delivery of communications services, covering security of processing (Article 4), confidentiality of communications (Article 5), cookies (Article 5(3)), public directories of subscribers (Article 12), unsolicited communications (Article 13) and users' control of their personal data (Article 14(3)).[30]

In 2009 the EPD was amended by the Cookie Directive 2009/136/EC.[31] This Directive requires websites to obtain informed consent from visitors before storing information on a computer or any other web-connected device. The storage of user information is mostly done by cookies, which can then be used to track website visitors. The original Article 5(3) of the EPD required that users be informed about the use of cookies and the purposes for which a cookie would be used, and be given the right to refuse (opt out of) cookies; this information was commonly placed in privacy policies that users mostly do not read. With Article 2(5) of the Cookie Directive, which replaces Article 5(3) of the EPD, the website user is now required to opt in when visiting a website that sets cookies, so the website has to block the cookies until visitors have given their informed consent to their use. As a result, organizations offering services and applications that attempt to access personal data require the user's informed consent under the opt-in principle.

[30] EU Legislation Summary, Data Protection in the Electronic Communications Sector (May 2010), http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm (accessed 15 January 2015).
[31] Directive 2009/136/EC of the European Parliament and of the Council ("Cookie Directive") (November 2009), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN (accessed 15 January 2015).
Moreover, in 2006 and 2009 the EPD was amended as part of a wide-ranging initiative to create a "Telecoms Package",[32] a comprehensive regulatory framework for electronic communications and telecommunications aligned with the Digital Agenda of the EU's Europe 2020 strategy.[33] These are important privacy policies for mobile app stakeholders, who must ensure that their products and services comply with EU privacy regulations.

In December 2009, the WP29 and the Working Party on Police and Justice (WPPJ) published a joint opinion entitled "The Future of Privacy",[34] which advocated incorporating the PbD principles into the EU's new privacy protection framework. The idea of incorporating technological data protection safeguards in ICT systems is not entirely new: the DPD already contains several provisions that oblige data controllers to implement technological safeguards in the design and operation of ICT systems, together with security and organizational measures to ensure compliance.

However, apps and smart devices today are ubiquitous, global and connected. Chapter Four of "The Future of Privacy" summarizes: "The technological developments have strengthened the risks for individuals' privacy and data protection and to counterbalance these risks, the principle of Privacy by Design should be introduced in the new framework: privacy and data protection should be integrated

[32] European Commission, Regulatory Framework for Electronic Communications in the European Union (December 2009), https://ec.europa.eu/digital-agenda/sites/digital-agenda/files/Copy%20of%20Regulatory%20Framework%20for%20Electonic%20Communications%202013%20NO%20CROPS.pdf (accessed 20 May 2015).
[33] European Commission, Digital Agenda in the Europe 2020 Strategy (March 2015), http://ec.europa.eu/digital-agenda/en/digital-agenda-europe-2020-strategy (accessed 20 May 2015).
[34] EU Article 29 Data Protection Working Party and Working Party on Police and Justice, The Future of Privacy (December 2009), http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf (accessed 20 March 2015).
into the design of Information and Communication Technologies. The application of such principle would emphasize the need to implement privacy enhancing technologies, privacy by default settings and the necessary tools to enable users to better protect their personal data. This principle of Privacy by Design should therefore not only be binding for data controllers, but also for technology designers and producers and relevant stakeholders".

In March 2013, the WP29 published "Opinion 02/2013 on apps on smart devices".[35] In this opinion the WP29 clarifies the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices, focusing on the consent requirement, the principles of purpose limitation and data minimization, the need to take adequate security measures, the obligation to correctly inform end users of their rights, reasonable retention periods, and fair processing of the data collected.

The relevant EU legal framework applicable to mobile privacy is the DPD. It applies in any case where the use of apps on smart devices involves processing the personal data of individuals. To identify the applicable law, it is essential first to identify the roles of the different stakeholders involved; the identification of the controllers of the processing carried out via mobile apps is particularly crucial in relation to applicable law. According to Article 4(1)(a) of the DPD, the national law of a Member State applies to all processing of personal data carried out "in the context of an establishment" of the controller on the territory of that Member State. Pursuant to Article 4(1)(c) of the DPD, the national law of a Member State also applies where the controller is not established on Community territory and makes use
[35] EU Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (February 2013), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf (accessed 19 December 2014).
of equipment situated on the territory of that Member State. Since the device is instrumental in the processing of personal data from and about the user, this criterion is usually fulfilled; however, it is only relevant where the controller is not established in the EU. As a result, whenever a stakeholder involved in the development, distribution and operation of apps is considered to be a controller, that stakeholder is responsible, alone or jointly with other stakeholders, for ensuring compliance with all the requirements set forth in the DPD. The identification of the stakeholders involved in mobile apps is provided in Section 3.2.1 (Mobile Apps Stakeholders) of this thesis.

In addition to the DPD, the EPD (2002/58/EC, as revised by the Cookie Directive 2009/136/EC) sets a specific standard for all stakeholders worldwide that wish to store or access information stored on users' devices in the European Economic Area (EEA). Article 5(3) of the EPD prescribes that "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."[36]
[36] Directive 2009/136/EC of the European Parliament and of the Council ("Cookie Directive") (November 2009), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN (accessed 15 January 2015).
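The Article 5(3) rule quoted above, and the opt-in principle of the Cookie Directive discussed in Section 2.1.1, can be stated as a small enforcement model that an app developer could build into a mobile app from the outset. The following Python module is an added illustration written for this page; it is not code from the thesis, from the WP29 or from any regulator. It assumes a toy in-memory "device store" standing in for the terminal equipment, two consent-requiring purposes (analytics and advertising) with assumed notice texts, and a consent record kept per purpose. The points it demonstrates are those the Directive fixes: storage and access are denied by default, the only paths that bypass consent are the two exemptions in the second sentence of Article 5(3), consent is accepted only after the purpose notice has been shown, consent for one purpose does not cover another, and withdrawal closes the gate again even for data already stored.

```python
"""Consent gate for terminal-equipment storage, modelled on EPD Article 5(3).

Added example, not code from the thesis or from any regulator. The purpose
names, the notice texts, the in-memory device store and the consent record
are all assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class Purpose(Enum):
    # The two exemptions in the second sentence of Article 5(3).
    TRANSMISSION = "transmission"              # carrying out a communication
    STRICTLY_NECESSARY = "strictly_necessary"  # service the user explicitly asked for
    # Every other purpose needs prior informed consent (opt-in, not opt-out).
    ANALYTICS = "analytics"
    ADVERTISING = "advertising"


EXEMPT = {Purpose.TRANSMISSION, Purpose.STRICTLY_NECESSARY}

# Assumed purpose notices: the "clear and comprehensive information" that has
# to be shown before consent can be asked for.
PURPOSE_NOTICE = {
    Purpose.ANALYTICS: "Store a device identifier to measure app usage.",
    Purpose.ADVERTISING: "Read the advertising identifier for targeted ads.",
}


class ConsentRequired(Exception):
    """Raised when storage or access is attempted without a valid basis."""


@dataclass
class ConsentRecord:
    # purpose -> the notice text the user saw when consenting
    granted: Dict[Purpose, str] = field(default_factory=dict)

    def grant(self, purpose: Purpose, notice_shown: str) -> None:
        # Consent is only recorded if the matching purpose notice was shown;
        # "consent" collected without the required information is rejected.
        if notice_shown != PURPOSE_NOTICE.get(purpose):
            raise ValueError("consent recorded without the purpose notice")
        self.granted[purpose] = notice_shown

    def withdraw(self, purpose: Purpose) -> None:
        self.granted.pop(purpose, None)


class DeviceStore:
    """Toy stand-in for storage on the user's device; every operation is gated."""

    def __init__(self, consent: ConsentRecord) -> None:
        self._data: Dict[str, str] = {}
        self._consent = consent

    def _allowed(self, purpose: Purpose) -> bool:
        # Default deny: only an exemption or a recorded consent opens the gate.
        return purpose in EXEMPT or purpose in self._consent.granted

    def write(self, key: str, value: str, purpose: Purpose) -> None:
        if not self._allowed(purpose):
            raise ConsentRequired(f"no consent for {purpose.value}")
        self._data[key] = value

    def read(self, key: str, purpose: Purpose) -> Optional[str]:
        # "Gaining of access to information already stored" is gated as well.
        if not self._allowed(purpose):
            raise ConsentRequired(f"no consent for {purpose.value}")
        return self._data.get(key)


def _attempt(action: Callable[[], object]) -> str:
    try:
        action()
        return "allowed"
    except ConsentRequired:
        return "blocked"


def demo() -> Dict[str, str]:
    """Walk through the exemption, default-deny, opt-in and withdrawal cases."""
    consent = ConsentRecord()
    store = DeviceStore(consent)
    out: Dict[str, str] = {}
    # A session token needed to deliver the requested service is exempt.
    store.write("session", "abc123", Purpose.STRICTLY_NECESSARY)
    out["session"] = store.read("session", Purpose.STRICTLY_NECESSARY)
    # An analytics identifier before any consent: blocked by default.
    out["analytics_before_consent"] = _attempt(
        lambda: store.write("device_id", "dev-42", Purpose.ANALYTICS))
    # The user sees the notice and opts in; the same write now succeeds.
    consent.grant(Purpose.ANALYTICS, PURPOSE_NOTICE[Purpose.ANALYTICS])
    store.write("device_id", "dev-42", Purpose.ANALYTICS)
    out["analytics_after_consent"] = store.read("device_id", Purpose.ANALYTICS)
    # Consent is purpose-bound: it does not cover reading the value for ads.
    out["advertising"] = _attempt(
        lambda: store.read("device_id", Purpose.ADVERTISING))
    # After withdrawal even reading the stored identifier is blocked again.
    consent.withdraw(Purpose.ANALYTICS)
    out["analytics_after_withdrawal"] = _attempt(
        lambda: store.read("device_id", Purpose.ANALYTICS))
    return out


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design choice worth noting is that the gate sits in the storage layer rather than in the consent dialogue: a developer who forgets to ask for consent gets a ConsentRequired exception in testing instead of a silent data leak, which is the "privacy by default" outcome the WP29 asks for.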
While many provisions of the EPD apply only to providers of public electronic communications services and public communications networks in the Community, Article 5(3) applies to every entity that places information on, or reads information from, a smart device. It applies without regard to the nature of the entity (whether public or private, an individual programmer or a major corporation, a data controller, a data processor or a third party).[37]

The consent requirement of Article 5(3) applies to "any information", regardless of the nature of the data being stored or accessed. The scope is not limited to personal data; the information can be any type of data stored on the device. Furthermore, the consent requirement of Article 5(3) of the EPD applies to services offered in the Community, that is, to all individuals living in the EEA, regardless of the location of the service provider. It is important for app developers to know that both Directives are mandatory law, in that the individuals' rights are non-transferable and not subject to contractual waiver. This means that the applicable EU privacy law cannot be excluded by a unilateral declaration or contractual agreement.[38]

2.1.2 Data Protection Act 1998 (UK)

In the UK, the Enterprise Privacy Group (EPG) was commissioned by the Information Commissioner's Office (ICO), and consulted a cross-section of privacy, identity and security experts, to write the ICO's report on PbD, published in November 2008. This report was a policy document investigating the adoption of privacy enhancing technologies (PETs) and provided a foundation for the

[37] Directive 2009/136/EC of the European Parliament and of the Council ("Cookie Directive") (November 2009), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN (accessed 15 January 2015).
[38] EU Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (February 2013), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf (accessed 19 December 2014).
ICO's strategy on privacy and data protection for both public authorities and private organizations. The ICO also follows the principle of designing in privacy and data protection compliance and securing privacy throughout the entire lifecycle of a system. It suggests that PbD needs to go beyond the design of technological systems to also consider organizational change. The report also identified a number of important barriers to the successful adoption of PbD within authorities and organizations, and provided recommendations to make PbD a reality: (i) an executive mandate for PbD; (ii) privacy impact assessments (PIAs) throughout the software development life cycle (SDLC); (iii) cross-sector standards for data sharing; (iv) the development of practical privacy standards; (v) promotion of current and future research into PETs; and (vi) the establishment of more rigorous compliance and enforcement mechanisms.[39]

In December 2013, moreover, the ICO issued the guidance "Privacy in Mobile Apps" to help mobile app developers comply with the DPA 1998 throughout the SDLC and ensure the protection of users' privacy rights.[40] In February 2014, the ICO issued its updated PIA framework[41] for organizations. The primary purpose of this updated framework is to promote PbD as best practice to help organizations comply with their DPA obligations when they change the way they use personal data. Section 51 of the DPA 1998 (General duties of Commissioner)[42] is highly recommended for Taiwan's data protection authorities to take into

[39] UK Information Commissioner's Office (ICO), Privacy by Design (November 2008), at 3, http://www.ico.org.uk/for_organisations/data_protection/topic_guides/privacy_by_design (accessed 15 October 2014).
[40] UK Information Commissioner's Office (ICO), Privacy in Mobile Apps: Guidance for App Developers (December 2013), https://ico.org.uk/for-organisations/guide-to-data-protection/online-and-apps/ (accessed 15 November 2015).
[41] UK Information Commissioner's Office (ICO), Conducting Privacy Impact Assessments: Code of Practice (February 2014), https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf (accessed 13 February 2015).
[42] UK Data Protection Act (DPA) 1998, Section 51(1) General duties of Commissioner (July 1998), http://www.legislation.gov.uk/ukpga/1998/29/section/51.
consideration, working towards consensus on best practices and recommending them to government and non-government agencies through consultation with stakeholders.

2.1.3 General Data Protection Regulation

In January 2012, the European Commission proposed a comprehensive reform of the DPD 95/46/EC to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalization have profoundly changed the way users' data is collected, processed and used. In addition, the 27 EU Member States have implemented the DPD differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around EUR 2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.[43]

The Commission's legislative proposal updated and modernized the principles enshrined in the DPD to guarantee privacy rights in the future. The proposed General Data Protection Regulation (GDPR) sets out a general EU framework for data protection. The key changes in the reform include:

(1) A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed.

[43] European Commission, Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses (January 2012), http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en (accessed 25 February 2015).
(2) Instead of the current obligation on all companies to notify all data processing activities to data protection supervisors, the Regulation provides for increased responsibility and accountability for those processing personal data.
(3) Organizations will be obliged to notify the national supervisory authority of serious data breaches as soon as possible.
(4) Organizations will deal with only a single national data protection authority, in the EU country where they have their main establishment.
(5) Whenever consent is required for data to be processed, it must be given explicitly rather than assumed.
(6) People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
(7) The data subject's "right to be forgotten and to erasure" will help people better manage data protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
(8) EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
(9) Independent national data protection authorities will be strengthened so they can better enforce the EU rules in their home countries.

In particular, PbD has been incorporated into the proposed GDPR. Article 23 (Data protection by design and by default) consists of four paragraphs; paragraph 4 provides the basis for PbD technical standards. The four paragraphs of Article 23 are summarized below:
Article 23(1) requires taking appropriate technical and organizational measures at the planning stage so as to comply with the data protection provisions. It provides for a legal compliance test and for compliance by technology users. Article 23(2) requires taking technical measures so that only the minimum personal data necessary to achieve the purposes are processed. This requirement in particular accommodates the call for Privacy-Enhancing Technologies (PETs).

Article 23(3) empowers the Commission to adopt delegated acts that define criteria and requirements for the appropriate technical measures and mechanisms referred to in Article 23(1) and (2). In particular, this legal basis provides that these acts aim at adding sector-, product- and service-specific requirements to the general PbD provisions.

Article 23(4) provides for technical standards that implement PbD. In contrast to the preceding paragraphs of Article 23, this paragraph refers to "technical standards", which suggests technology design based on technical standardization.

Laws and regulations thus play an increasingly important role for software requirements during the product development life cycle. Interpreting explicit laws and regulations into legal requirements has been a challenge for both legal scholars and engineers. KORA is a method that has been used in German legal research for nearly 20 years to derive legal requirements for technological systems.[44] By contrast, PbD is a precautionary legal technology design that requires a methodology to derive the legal requirements of a technological system at the beginning stage of the Software Development Life Cycle (see Section 3.3.1). According to Article 23(4) of the proposed GDPR, the
[44] Axel Hoffmann, Holger Hoffmann, Silke Jandt, Alexander Roßnagel and Jan Marco Leimeister, "Towards the Use of Software Requirement Patterns for Legal Requirements", 2nd International Requirements Engineering Efficiency Workshop (REEW) 2012, Essen, Germany.
EU Commission is committed to implementing technical standards for legal technology design. It is therefore suggested that a task force consisting of stakeholders be set up to define technical standards for PbD. In his research, Matthias Pocs has adopted KORA as the legal method for implementing legal technology design.[45] This thesis, on the other hand, adopts a software engineering methodology based on PbD-SE as the legal method for legal technology design for PbD (see Figure 2.2).

Figure 2.2: Elements of Legal Technology Design in the GDPR

Finally, the GDPR is still under negotiation between the European Parliament, the Council and the Commission. The Regulation is expected to come into force by 2018 and will be directly applicable in the EU Member States. The GDPR creates new individual rights and imposes new accountability measures on organizations that collect or process data.[46]

[45] Matthias Pocs, "Will the European Commission be able to standardise legal technology design without a legal method?", Computer Law & Security Review, Vol. 28 (December 2012), pp. 641-650.
[46] Ira S. Rubinstein, "Big Data: The End of Privacy or a New Beginning?", International Data Privacy Law, Vol. 3, No. 2 (May 2013), pp. 74-87, at 80.
2.2 United States

Privacy and data protection are not highly legislated or regulated in the US. The US has no single data protection law comparable to the EU DPD. Privacy legislation in the US tends to be adopted on an ad hoc basis, with legislation arising when particular sectors and circumstances require it (e.g. the Fair Credit Reporting Act of 1970, the Electronic Communications Privacy Act of 1986, the Video Privacy Protection Act of 1988 and the Children's Online Privacy Protection Act of 1998). Therefore, while certain sectors may already satisfy the EU DPD, most do not. The US prefers what it calls a "sector-based approach" to data protection legislation, which relies on a combination of industry self-regulation and a "patchwork" of federal privacy legislation rather than top-down governmental regulation. One of the reasons behind the US approach is that American companies fear that American consumers would use privacy legislation as "a weapon of nuisance making" that would create enormous costs.[47]

However, in March 2012 the US Federal Trade Commission (FTC) recognized PbD as one of the three recommended practices for protecting online privacy in its final report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers". The essence of this guideline is to ensure that privacy rights are protected at every stage of product and service development.[48] In the US, PbD is thus defined as a baseline principle of the privacy framework.

[47] Robert R. Schriver, "You Cheated, You Lied: The Safe Harbor Agreement and its Enforcement by the Federal Trade Commission", Fordham Law Review, Vol. 70, Issue 6 (2002), pp. 2777-2818.
[48] US Federal Trade Commission (FTC), Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf (accessed 19 November 2014).

In January 2013, the California Department of Justice issued a guideline on how mobile apps can better protect consumer privacy, "Privacy on the Go: Recommendations for the Mobile Ecosystem".[49] In February 2013, the FTC also issued the staff report "Mobile Privacy Disclosures: Building Trust Through Transparency", strongly encouraging major companies and participants in the mobile ecosystem to work expeditiously to implement its recommendations.[50] Consistent with the FTC's intense focus on mobile privacy, in the same month it announced its latest privacy law enforcement action, against the Taiwan-based smartphone manufacturer HTC. The FTC charged that HTC had not sufficiently secured the software it developed for its smartphones and tablet computers, and had not accurately described its data handling practices to device users. The FTC's allegations underscore the Commission's view that companies are required under Section 5 of the FTC Act to (i) implement a number of specific PbD steps in products capable of collecting, accessing and transmitting personal information, and (ii) carefully confirm that any representations they make about a product and how personal information is handled, including statements in a product's user guide and representations made in the interface of a software application, remain consistent with the product's capabilities.[51]

[49] Kamala D. Harris, Attorney General, California Department of Justice, Privacy On The Go: Recommendations for the Mobile Ecosystem (January 2013), http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf (accessed 19 November 2014).
[50] US Federal Trade Commission (FTC), Mobile Privacy Disclosures: Building Trust Through Transparency (February 2013), http://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf (accessed 19 November 2014).
[51] Kelley Drye Client Advisory, FTC Settles with Mobile Device Manufacturer, Claiming Privacy by Design Unfairness and Deception Violations under the FTC Act (February 2013), http://www.kelleydrye.com/publications/client_advisories/0796 (accessed 15 November 2014).

In the US, the PbD debate concentrates on organizational obligations rather than on embedding technological solutions in systems to protect privacy from the outset. The Commercial Privacy Rights Act (CPRA) of 2015, released in February 2015, includes PbD principles as "part of a mandatory privacy framework". Section 103 (Privacy by Design) of the CPRA states that each covered entity would be required to implement a comprehensive information privacy program, including development practices throughout the product life cycle to safeguard Personally Identifiable Information (PII), as well as appropriate management processes and practices throughout the data life cycle.[52]

Compared with the EU's top-down governmental approach to PbD legislation (e.g. the DPD, the EPD and the proposed GDPR) described in Section 2.1 of this thesis, PbD guidance in the US tends toward a set of "high-level principles and self-regulation". One reason, as described above, is that US companies are concerned that privacy legislation would increase their costs. For this reason, Taiwan government officials should consider adopting the EU approach to privacy legislation, incorporating a PbD framework into the PIPA and preparing PbD best practices for mobile app stakeholders in Taiwan.

[52] Inside Privacy, Congressional Privacy Bill: Commercial Privacy Rights Act of 2015 (March 2015), http://www.insideprivacy.com/united-states/congress/congressional-privacy-bill-commercial-privacy-rights-act-of-2015/ (accessed 2 June 2015); Electronic Privacy Information Center (EPIC), Commercial Privacy Bill of Rights (2011), https://epic.org/privacy/consumer/CommercialPrivacy-_Bill_of_Rights_Text.pdf (accessed 13 March 2015).
2.3 Taiwan

In Taiwan, the first data protection law was enacted in 1995.[53] This legislation was primarily a response to the European Union Data Protection Directive, which requires all EU trading partners to have comparable data protection laws in order to receive personal data transferred from EU countries. The Computer-Processed Personal Data Protection Law was renamed the Personal Information Protection Act (PIPA) and amended on 26 May 2010.[54] The PIPA took effect on 1 October 2012, except for the provisions relating to sensitive personal data and the notification obligation for personal data indirectly collected before the PIPA took effect, which remain ineffective.

Under Article 2(1) of the PIPA, personal data means the name, date of birth, ID card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health checks, criminal records, contact information, financial conditions, social activities and other information which may directly or indirectly be used to identify a living natural person. Article 6 of the PIPA provides that sensitive personal data means personal data relating to medical treatment, genetic information, sex life, health checks and criminal records. The provisions relating to sensitive personal data remain ineffective, and the date for enforcement of Article 6 shall be set by the

[53] The Computer-Processed Personal Data Protection Law was promulgated on 11 August 1995, http://db.lawbank.com.tw/FLAW/FLAWDAT08.aspx?lsid=FL010627&ldate=19950811 (accessed 20 October 2014).
[54] Taiwan Ministry of Justice, Personal Information Protection Act (May 2010), http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021 (accessed 13 March 2015).
Executive Yuan.[55] There is no requirement in Taiwan for the data controller to appoint a data protection officer; however, if the data controller is a government agency, a specific person should be appointed to be in charge of security maintenance measures. In Taiwan there is no single national data protection authority; the various ministries and the city and county governments serve as the competent authorities.[56]

In practice, real action to realize the new data protection law is undertaken at the level of compliance assurance for the private sector. Under Article 12 of the Enforcement Rules of the PIPA,[57] the Institute for Information Industry (III),[58] a public-interest foundation, is responsible for establishing a certification program (TPIPAS) and issuing a privacy seal to organizations that pass its privacy audits.[59] This certification program is planned to raise the compliance of data protection practices for all companies in Taiwan to an international level through intensive international cooperation under the framework of the Cross-border Privacy Enforcement

[55] The Executive Yuan is the executive and administrative branch of the Taiwan government, headed by the premier, who is directly appointed by the president. http://www.ey.gov.tw/en/cp.aspx?n=95097CAF31185CC1 (accessed 2 May 2015).
[56] Article 52 of the PIPA states: "The competencies prescribed to the government authority in charge of the subject industry at the central government level, municipality directly under the central government, or county or city government may be appointed to the subordinate agencies, other agencies or charitable groups. The personnel of such agencies should fulfill the obligation of confidentiality for all the information obtained during the job-undertaking. The charitable groups prescribed in the preceding Paragraph should not be authorized by the Party in accordance with Paragraph 1 of Article 34 for litigation rights and should proceed to the action for damages in its own name."
[57] Taiwan Ministry of Justice, Enforcement Rules of the Personal Information Protection Act (September 2012), http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050022 (accessed 2 May 2015).
[58] The Institute for Information Industry (III) was founded as a non-governmental organization (NGO) in 1979 through the joint efforts of the public and private sectors to support the development and application of the information industry and the information society in Taiwan, http://web.iii.org.tw/About/introduction (accessed 2 May 2015).
[59] Taiwan Personal Information Protection & Administration System, http://www.tpipas.org.tw/index.aspx (accessed 2 May 2015).
Arrangement (CPEA) of the Asia-Pacific Economic Cooperation (APEC).[60] There are frequent meetings among APEC member countries discussing privacy protection issues and institution building in Asia. It is expected that an Asian trans-border personal data certificate system will be built on top of each member country's own privacy assurance program.

In addition, PIPA was legislated based on the OECD's FIP Principles, and it is important to look at the relevant relationships between PIPA and FIP (see Table 2.1), which maps the PIPA Articles onto the FIP Principles.

OECD FIP Principles and the corresponding Taiwan PIPA Articles:

1. Collection Limitation Principle
   Chapter I: General Provisions (Art. 5, Art. 6, Art. 8, Art. 9)
   Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 15)
   Chapter III: Information Collection, Processing and Use by a Non-Government Agency (Art. 19)
2. Data Quality Principle
   Chapter I: General Provisions (Art. 5, Art. 11)
3. Purpose Specification Principle
   Chapter I: General Provisions (Art. 5, Art. 8, Art. 11.3)
4. Use Limitation Principle
   Chapter I: General Provisions (Art. 5)
   Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 16)
   Chapter III: Information Collection, Processing and Use by a Non-Government Agency (Art. 20)
5. Security Safeguards Principle
   Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 18)
   Chapter III: Information Collection, Processing and Use by a Non-Government Agency (Art. 27)
6. Openness Principle
   Chapter I: General Provisions (Art. 8)
   Chapter II: Information Collection, Processing and Use by a Government Agency (Art. 17)
7. Individual Participation Principle
   Chapter I: General Provisions (Art. 3, Art. 10, Art. 11, Art. 13, Art. 14)
8. Accountability Principle
   Chapter IV: Damages and Class Litigation (Art. 28-40)
   Chapter V: Penalties (Art. 41-50)

Table 2.1: Taiwan PIPA Articles and OECD FIP Principles[61]

60. Asia-Pacific Economic Cooperation, APEC Cross-border Privacy Enforcement Arrangement (CPEA), http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-CommerceSteering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx (Accessed on 2 May 2015).
61. Ting-Chi Liu, "The Definition of Personal Data, Data Protection Principles, and the Exemptions of the Personal Information Protection Law–Using CCTV as an Example (2)", Taiwan Jurist No. 119 (September 2012, pp. 39-53).
Privacy ordering seems to characterize the Asian response to the information privacy challenges of the 21st Century. This development should be well received by the legal paradigm discussed in this thesis, PbD. PbD embeds proactive respect for privacy deeply and meaningfully across the organization, supporting achievement of a much higher privacy standard than FIP has generally provided to date. While there are no PbD best practices proposed by the Taiwan government, Table 2.2 below demonstrates the legal relationship between PbD, FIP and PIPA, which can be treated as a reference model for stakeholders in mobile apps development, as well as for TPIPAS in its new certification program. According to the following table, four PbD Principles are legally binding under PIPA and stakeholders must comply with them when developing mobile apps: Privacy as the Default Setting; End-to-End Security – Full Lifecycle Protection; Visibility and Transparency – Keep it Open; and Respect for User Privacy – Keep it User-Centric.

PbD Principles, with the corresponding OECD FIP Principles and Taiwan PIPA Articles:

1. Proactive not Reactive; Preventative not Remedial
   OECD FIP: N/A
   Taiwan PIPA: N/A
2. Privacy as the Default Setting
   OECD FIP: Collection Limitation Principle; Purpose Specification Principle; Use Limitation Principle
   Taiwan PIPA: Art. 5, 6, 8, 9, 15, 19; Art. 5, 8, 11.3; Art. 5, 16, 20
3. Privacy Embedded into Design
   OECD FIP: N/A
   Taiwan PIPA: N/A
4. Full Functionality – Positive-Sum, not Zero-Sum
   OECD FIP: N/A
   Taiwan PIPA: N/A
5. End-to-End Security – Full Lifecycle Protection
   OECD FIP: Security Safeguards Principle
   Taiwan PIPA: Art. 18, 27
6. Visibility and Transparency – Keep it Open
   OECD FIP: Openness Principle; Accountability Principle
   Taiwan PIPA: Art. 8, 17; Art. 28-50
7. Respect for User Privacy – Keep it User-Centric
   OECD FIP: Individual Participation Principle; Data Quality Principle
   Taiwan PIPA: Art. 3, 10, 11, 13, 14; Art. 5, 11

Table 2.2: Taiwan PIPA Articles, OECD FIP Principles and PbD Principles
2.4 Summary

Examining the EU, US and Taiwan privacy regulations and PbD guidelines, it seems the Taiwan government can emulate the EU GDPR because PIPA was legislated based on the EU privacy framework. Also, the Taiwan government should establish a new administrative agency responsible for PIPA, just as the UK has the Information Commissioner's Office and Germany has the Federal Commissioner for Data Protection and Freedom of Information.[62] In addition, Taiwan can emulate Section 51 (General Duties of Commissioner) of the Data Protection Act 1998 in the UK to propose best practices of PbD to mobile apps stakeholders in Taiwan. Following the PbD guidelines in the US, the Taiwan government, academics and industries can reference the proposed best practices for the mobile apps industry to speed up the process of conforming to the new legal paradigm of privacy protection.

The UK ICO and US FTC are more closely aligned with a set of "high-level principles and self-regulation" rather than the more "prescriptive proposals of the WP29, the German Commissioner or now the EU proposal".[63] For this reason, it will be a good idea for Taiwan government officials to consider adopting the EU's approach to privacy legislation, incorporating the PbD framework into PIPA and preparing PbD best practices for mobile apps stakeholders in Taiwan.

62. Ting-Chi Liu, "Cloud Computing and Personal Data Protection – A Comparative Study between Taiwan's Personal Data Protection Act and European Data Protection Directive", Tunghai University Law Review, No. 43 (August 2014, pp. 53-106).
63. David Krebs, "Privacy by Design: Nice-to-have or a Necessary Principle of Data Protection Law?", Journal for Intellectual Property, Information Technology and Electronic Commerce Law (JIPITEC), Volume 4, Issue 1 (March 2013, pp. 2-20).
Chapter 3 Privacy Protection Framework — A New Paradigm

The design and implementation of privacy requirements in an Information and Communication Technology (ICT) system is a difficult problem and requires the translation of complex social, legal and ethical concerns into ICT system requirements. The concept of Privacy by Design (PbD) has been proposed to serve as a guideline on how to address these concerns. PbD consists of a number of principles that can be applied from the beginning of systems development to mitigate privacy concerns and achieve data protection compliance. However, these principles remain vague and leave many open questions about their application when engineering ICT systems.[64] This is also a challenging task for both lawyers and engineers, since the two come from different disciplines yet must achieve the same goal.

PbD designates a software design approach that incorporates privacy requirements from the beginning and throughout the entire software development process, instead of considering them as an afterthought. To achieve this, it requires intense interdisciplinary cooperation between legal science, computer science, government officials and operational practices (see Figure 3.1).[65] For this reason, government officials, academic researchers and industry experts from different

64. Seda Gürses, Carmela Troncoso, and Claudia Diaz, Engineering Privacy by Design (January 2011), http://www.cosic.esat.kuleuven.be/publications/article-1542.pdf (Accessed on 15 December 2014).
65. Ira S. Rubinstein and Nathan Good, "Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents", Berkeley Technology Law Journal Vol. 28 (December 2013, pp. 1333-1414).