First Monday

FM reviews


David Wright and Paul De Hert (editors).
Privacy impact assessment.
Dordrecht and New York: Springer, 2012.
decorated boards, 523 p., ISBN 978-94-007-2542-3, $US189.00.



How should society evaluate the effects on personal privacy that result from new technologies, government programs, corporate activities and the like? Parsing this question into its component elements is not simple. You must begin by defining what privacy means, a task that is time-consuming at best and impossible at worst. Other issues of who, what, how, and when are not much easier. The best that anyone can do is to start with one piece of the puzzle.

That is just what David Wright and Paul De Hert accomplish in Privacy impact assessment, a volume devoted to one of the privacy tools currently in use to evaluate privacy risks. The book offers a broad and worldwide perspective, with 20-plus chapters contributed by privacy scholars, public and private sector practitioners, and regulators. It’s the first volume on the subject.

A privacy impact assessment (or PIA) is a methodology for assessing the impacts on privacy of a project, policy, program, service, product, or other activity. PIAs are successors, in a way, to other approaches to addressing privacy. One of the first was the privacy notice, now commonplace on most Web sites. Privacy notices have been found wanting because of their length, general incomprehensibility, ease of amendment, and other flaws. At best, notices describe, but do not evaluate. The idea that notices will allow users to protect themselves is laughable today.

Along the way to PIAs, there was a boomlet for a while for privacy enhancing technologies, privacy protections built into systems and activities during the design phase. A lovely thought, but one overwhelmed by the time pressure of the business cycle, absence of clear definitions, undefined standards, and a lack of tension between record keepers, record subjects, and privacy regulators. A more current version of the same idea — Privacy by Design — suffers from the same shortcomings. Slogans sound great, but they solve no mysteries.

Many countries around the world have also tried their hand at privacy law and privacy regulation. This approach has shown some success, but there is much to debate about the quality and effectiveness of the efforts. The United States is the most notable laggard when it comes to comprehensive approaches to privacy, and it may be telling that the book has only one chapter (plus a preface) by Americans.

In the introductory chapter, editors Wright and De Hert make clear that there is no consensus about how to conduct a PIA, a point underscored by the rest of the book as other authors offer differing points of view and different histories. The editors offer a brief history of PIAs, the reasons for conducting them, a description of different approaches, and a discussion of major issues. The introduction is an excellent overview of the issues, and it is worth the price of admission all by itself. The editors return in other chapters, sometimes with co-authors, with other insights. They also provide a closing chapter with well-considered findings and recommendations that will inform policy-makers and practitioners alike.

A major section of the book explores the experience in five countries, with the focus mostly on the public sector. David Parker, the British Government’s Official Historian of Privatisation and an academic at Cranfield University, offers a useful discussion of regulatory impact assessments in the United Kingdom. RIAs and PIAs share many features, and the chapter makes the point that PIAs have precedents in other fields, and those precedents can be instructive. He is not the only author to comment on the “box-ticking” mentality as a shortcoming of assessments that just meet a legal requirement and fail to fulfill their fundamental objective of truly informing decision-makers.

Chapters from other authors not only offer different perspectives and case studies, but they also tend to provide a brief history of national privacy laws and institutions at the same time. Roger Clarke, a long-time privacy advocate and practitioner, offers an overview of Australian law through a PIA lens. He also provides a lovely one-page chart describing how PIAs compare to other privacy processes. Clarke is not shy in identifying a lack of rigor in the use of PIAs. His Australian colleague, Nigel Waters, offers several case studies, including one for the Hong Kong Smart Identity Card. Waters is one of several authors who ask who should be the client for a PIA, and he discusses the inevitable conflict of interest that arises when the proponent of an activity hires and pays for the PIA.

Robin Bayley and Colin Bennett provide a review of the Canadian legislative framework and the Canadian PIA experience. A notable shortcoming that they identify is the tendency to focus on legal compliance rather than doing the right thing and asking larger questions. This is a point that goes to the heart of what PIAs should accomplish. Legal compliance as well as box-ticking seem to be enemies to the real purpose of PIAs.

John Edwards, a New Zealand practitioner, discusses the timing, cost, and purchaser of a PIA with an insider’s eye on details of the terms, constraints, and temptations that an assessor faces in a real-world environment. A much later chapter from Blair Stewart of the New Zealand Privacy Commissioner’s Office has a different New Zealand perspective, addressing PIAs from the perspective of the regulator as a consumer of PIAs. One of Stewart’s observations is that the role of data protection authorities is another variable in the PIA puzzle, ranging from giving approval to merely offering comment to perhaps nothing at all.

Adam Warren and Andrew Charlesworth offer a review for the U.K., where they find most of the PIA activity in the public sector. They find the PIA picture fragmentary and confused.

Kenneth Bamberger and Deirdre Mulligan find the U.S. government’s response to a legislated mandate for government agency PIAs neither swift nor uniform. They are not nearly as critical of the indifferently drafted U.S. PIA legislation as it deserves. Some readers may be surprised to find some praise for the Department of Homeland Security’s (DHS) privacy office, which the authors fairly characterize as an effective embedded privacy expert. DHS PIAs are variable, but some are excellent and made a real difference. Bamberger and Mulligan also make the case that the right individual leading a privacy evaluation makes a big difference in its effectiveness. Good people can produce a useful result even when the standards are inadequate and the environment is not ideal. The reverse conclusion is unfortunately just as true.

Reading these uniformly mixed reviews of PIAs largely in a governmental context, it might be hard to develop much enthusiasm for the PIA as a meaningful tool. Common problems are a lack of openness, inconsistency, political barriers, conflicts of interest, insufficient resources, absence of accountability, and badly timed reviews. Still, there are enough successes and enough promise — and perhaps too few realistic alternatives — for all of the authors to believe that PIAs can be useful despite the shortcomings. Each chapter comes with suggestions for improving the process through better standards, better oversight, more rigor, and the like. The universal view that PIAs hold promise cannot be rejected. If there is a critic who dismisses PIAs totally, he did not contribute a chapter to this book.

The next section has three chapters on the private sector experience, from Nokia, Siemens, and Vodafone. The reader walks away from these chapters with a much more positive view of PIAs. Tobias Bräutigam calls PIAs the cornerstone of privacy compliance at Nokia, and he makes his case well. Vodafone has a formal Privacy Risk Management System, a telling title. High-level management support for privacy assessments is apparent in all three companies, with resources to match. Multinationals that must comply with disparate privacy rules around the world face a host of obligations for which PIAs are useful.

It may be noteworthy that all three companies are based in Europe, where the history of comprehensive privacy law and regulation dates back further than anywhere else in the world. Privacy is something that all three companies see as a risk to their enterprises and to their customers. PIAs or PIA-like activities are in whole or in part a defense mechanism to assure compliance. Whether an organization ends up in the right place solely for defensive reasons may not matter much.

Even discounting somewhat the perhaps self-serving description of the companies’ embrace of PIAs and their aggressive implementation, the private sector application of PIAs is impressive and more uplifting than the public sector’s. What accounts for the difference between public and private sectors? Unfortunately, no one addresses that question in any depth. The editors suggest in the final chapter that high-level support and embedding privacy expertise within an organization account for the private sector success and for the one U.S. agency, the Department of Homeland Security, that has done the best with PIAs. That makes sense.

Later chapters address the development of PIA standards by the International Organization for Standardization (ISO) for financial services and for radio-frequency identification (RFID) tags. The RFID story is a complex interplay between the private sector and European data protection authorities that after considerable effort produced a functional result with further reviews still to come. Both of these activities took years, but both seem to have reached a positive outcome. Again, it appears that the private sector’s willingness — with prodding to be sure — to confront privacy squarely in these instances was a major factor in the end.


It may be that the political and bureaucratic pressures that arise in any public sector approach to complex issues of policy, law, technology, and practice tend to dilute privacy issues so that they are less likely to be sincerely addressed. Even a good PIA may be ignored by a minister already committed publicly to a predetermined approach, or it may be hidden by a bureaucracy used to shelving criticism, especially criticism that the bureaucracy paid for.

This is not to suggest that PIAs are never successful in the public sector. This book includes enough examples to disprove the suggestion. Further, the approaches described by private sector companies are procedurally impressive, but whether a good process produces a fair and balanced privacy result, rather than a strictly legal one, remains unexamined.

Charles Raab and David Wright (again!) offer one of the most interesting chapters in which they address how to do a PIA for surveillance activities. They fairly point out the shortcomings of using PIAs to evaluate surveillance activities but still see PIAs as valuable for this purpose. This chapter is a useful starting point for anyone considering a PIA in this difficult space. And there’s more here. Raab and Wright also ask just what a PIA should focus on, essentially posing the hard question of what privacy should mean in the conduct of a PIA. They analyze privacy using concentric circles, with the innermost circle focusing on individual privacy, the next circle addressing relationships, third considering impacts on groups, and the last worrying about impacts on society. The circles, but not the authors, suggest to me an outline of legislation or a policy document for defining and broadening the focus of PIAs.

Canadian Privacy Commissioner Jennifer Stoddart has one of the last words in her chapter reviewing the very mixed Canadian experience with PIAs. In some cases, she observes, a lack of resources and senior management support prevented the development of the infrastructure needed to sustain PIAs. In other cases, the absence of clear lines of accountability for privacy prevented PIAs from succeeding. Those conclusions ring true in nearly all cases. Stoddart is one of many chapter authors working hard to improve PIA standards and implementation.

The book demonstrates that there is no right or wrong way to conduct a PIA. There are many options and many approaches, and time will tell which are best suited for which activity, company, or agency. One unstated lesson is that no one should hope that a PIA requirement will solve the “privacy problem”. PIAs offer promise, but hard work and eternal vigilance will remain essential if they are to succeed in helping decision-makers strike a fair balance between competing interests.

It is tempting to say that the jury is still out on the value of PIAs, but the book demonstrates that PIAs are in widespread use, that there is a consensus among the authors and others that PIAs are or can be helpful, and that there is no shortage of ideas for improvement. Anyone tasked with defining PIA requirements through policy, rule, or law or simply with conducting an individual PIA will be richly rewarded by reading this volume. — Robert Gellman, Privacy and Information Policy Consultant, Washington, D.C.

Copyright © 2012, First Monday.

Book review of Privacy impact assessment
by Robert Gellman.
First Monday, Volume 17, Number 9 - 3 September 2012