Privacy by Design: Taking Ctrl of Big Data
Cleveland State University
EngagedScholarship@CSU
Cleveland State Law Review
Law Journals
3-1-2017
Eric Everson
Herzing University
Recommended Citation
Eric Everson, Privacy by Design: Taking Ctrl of Big Data, 65 Clev. St. L. Rev. 27 (2017)
available at https://engagedscholarship.csuohio.edu/clevstlrev/vol65/iss1/6
PRIVACY BY DESIGN: TAKING CTRL OF BIG DATA
ERIC EVERSON*
ABSTRACT
The concept of Privacy by Design is rooted in systems engineering. Yet, it is the
legal framework of global privacy that gives new color to this concept as applied to
Big Data. Increasingly, the long arm of the law is reaching into Big Data, but it is
not simply by matter of regulatory enforcement or civil legal developments that
Privacy by Design (PbD) is being thrust into the spotlight once more.
Given that Big Data is considered minuscule in contrast to future data
environments,1 PbD is simply the right thing to do. This paper aims to explore the
origin of PbD, the current and future state of Big Data and regulatory enforcement,
and the methodology of PbD applied to Big Data. As a cornerstone of organizational
culture, PbD is a concept that allows organizations of any size to embrace the
privacy interests of the data they collect, store, and use at the forefront of their
approach.2
CONTENTS
I. INTRODUCTION
II. WHAT IS PRIVACY BY DESIGN?
III. PRIVACY BY DESIGN APPLIED TO BIG DATA
A. Proactive Not Reactive; Preventative Not Remedial
B. Privacy as the Default Setting
C. Privacy Embedded Into Design
D. Full Functionality—Positive-Sum, Not Zero-Sum
E. End-to-End Security—Full Lifecycle Protection
F. Visibility and Transparency—Keep it Open
G. Respect for User Privacy—Keep it User-Centric
H. Big Data and Regulatory Enforcement of the Privacy Interest in Data
I. Global Privacy Compliance in the Big Data Era
J. The Right Thing to Do
IV. CONCLUSION
* JD, MBA, MSIT-SE, Associate Faculty of Information Security, Herzing University.
Mr. Everson is a technology attorney licensed by the Florida Bar. His work focuses on the
intersection of technology, business, and the law. Areas of focus in his practice include
privacy, bank regulation, financial technology, cyber and information security, social media,
and intellectual property.
1 Ron Miller, If You Think Big Data’s Big Now, Just Wait, TECH CRUNCH (Aug. 10, 2014), https://techcrunch.com/2014/08/10/big-data-bound-to-get-really-really-big-with-the-internet-of-things/.
2 Peter Schaar, Privacy by Design, 3 IDENTITY INFO. SOC’Y 267, 267 (2010).
I. INTRODUCTION
Big Data notably has been referred to as the rocket fuel of economic growth.3 As
the field of big data progresses, maturity will develop as the focus moves away from
the initial excitement that we can process large data and toward understanding the
acquiring, stewarding, and sharing of our data.4
Turning to the world’s foremost collection of aggregate data, Google’s definition
of “Big Data” is “[e]xtremely large data sets that may be analyzed computationally
to reveal patterns, trends, and associations, especially relating to human behavior and
interactions.”5 So, with at least a baseline for why we value Big Data, the central
theme of this paper is focused on leveraging the PbD framework for the purpose of
taking control of this valuable asset of Big Data in its collection, storage, and use.
II. WHAT IS PRIVACY BY DESIGN?
To best understand the PbD framework, it should be noted that the concept is an
evolving framework that was first applied to systems engineering.6 Also, PbD has
notable thematic applicability to the continual advancement of data collection,
storage, and use.7 PbD is a foundational approach that takes privacy into account at
the forefront of the engineering lifecycle by culturally perpetuating privacy at all
levels of an organization.8 Continued refinement of PbD has yielded seven core
tenets called the foundational principles, which include: 1) proactive not reactive,
preventative not remedial; 2) privacy as the default setting; 3) privacy embedded into
design; 4) full functionality—positive-sum, not zero-sum; 5) end-to-end security—full
lifecycle protection; 6) visibility and transparency—keep it open; and 7) respect
for user privacy—keep it user-centric.9 These tenets will be explored in greater
detail as this paper later examines the application of methodology to Big Data.
As a pedagogical framework, PbD encourages managers and creators to think
about the data and privacy interests therein that are to be ingested at the forefront of
the design process as opposed to being an afterthought in the development
lifecycle.10 PbD allows creators to specially architect environments and systems
with considerations of data use for implementation at the onset, which will directly
tie to business or operational processes once the solution is promoted into a live
3 Edd Wilder-James, Making a Moonshot? Put Data in Your Rocket, FORBES (June 21, 2013), http://www.forbes.com/sites/edddumbill/2013/06/21/making-a-moonshot-put-data-in-your-rocket/.
4 Id.
5 Big Data, GOOGLE.COM, https://www.google.com/#q=definition+big+data (last visited Sept. 18, 2016).
6 Peter Hustinx, Privacy by Design: Delivering the Promises, 3 IDENTITY INFO. SOC’Y 253, 253-54 (2010).
7 Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, IAB.ORG (2009), https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf.
8 Id.
9 Id.
10 Id.
PRIVAC (...truncated)