Hero or Villain: The Data Controller in Privacy Law and Technologies

Privacy and Security, Networks, the Internet, and Cloud Computing, Internet and Media and Content

Article Snapshot

Author(s)

Claudia Diaz, Seda Gürses and Omer Tene

Source

Ohio State Law Journal, Vol. 74, No. 6 (2013)

Summary

By embracing privacy enhancing technologies (PETs), privacy law can better protect individuals from surveillance and other intrusions. Trusting data controllers leaves privacy vulnerable to a single point of failure.

Policy Relevance

Policymakers should discourage bans on PETs. Sometimes, use of PETs should be required.

Main Points

  • Constitutional privacy rights are based on distrust of government, and limit surveillance; by contrast, information privacy law allows surveillance by government and private-sector entities, emphasizing the accountability of data controllers as trusted information stewards.
     
  • PETs let individuals venture online free from surveillance; PETs avoid reliance on a single trusted data controller, minimize data collection, and subject systems to public scrutiny.
     
    • Some PETs require implementation by a data controller.
       
    • PETs such as email encryption tools can be deployed by a user alone.
       
    • PETs such as the Tor network (run by volunteers to enable users to communicate anonymously) involve collaboration between users and data controllers.
       
  • National governments have tried to limit the use of PETs; policymakers should not prohibit PETs, and should sometimes make PET use mandatory.
     
  • PETs protect the user from surveillance by the data controller itself, avoiding a single point of failure that threatens privacy and free speech rights; when PETs are used, methods other than surveillance must be used to detect criminal activity online.
     
  • As a part of “privacy by design,” regulators should require PETs when they can be used without sacrificing functionality or the goals of the data collector.
     
  • When PETs are used to access a data controller's services, policymakers should discourage controllers from blocking PETs; for example, search engines should not be allowed to interfere with TrackMeNot, even though it reduces the effectiveness of targeted advertising.
     
  • PETs developers should not be required to build surveillance-ready “back doors” into their technology.
     

Get The Article

Find the full article online

Search for Full Article

Share

About the Authors

TAP Academic

Omer Tene

Senior Fellow

International Association of Privacy Professionals (IAPP)

Phone: (603) 427-9211

omer@omertene.com

Claudia Diaz

Associate Professor, COSIC Research Group

Department of Electrical Engineering
KU Leuven

Kasteelpark Arenberg 10, B-3001
Leuven (Belgium)

Phone: +32 (0)16 32 18 14

claudia.diaz@esat.kuleuven.be

Seda Gürses

FWO Post-Doctoral Fellow

Computer Security and Industrial Cryptography (COSIC)
Department of Electrical Engineering
University of Leuven