Strong Accountability: Beyond Vague Promises

Chapter

Abstract

The principle of accountability has been enjoying growing popularity over the last few years as a way to mitigate the loss of control by individuals over their personal data. It is however unclear whether accountability can be characterised precisely enough to yield effective protection and whether it bears the capacity for innovative solutions. Reasons to support accountability and criticism raised against it are discussed. Analysing accountability critically requires distinguishing between its application levels: we focus on the requirement for data controllers to provide a statement relating their actual data handling operations with their obligations, and put forward a combination of precise legal requirements and effective tools to support strong accountability. After presenting such an approach, called accountability by design, we explore the integration of this framework with legal and economic settings and discuss its complementarity with other instruments for privacy.

References

  1. Alhadeff, Joseph, Brendan Van Alsenoy, and Jos Dumortier. 2011. The accountability principle in data protection regulation: Origin, development and future directions. Paper presented at privacy and accountability, Berlin, Germany, April 5--6, 2011.Google Scholar
  2. Article 29 Data Protection Working Party. 2003. Working document on transfers of personal data to third countries: Applying article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf. Accessed 28 Feb 2013.
  3. Article 29 Data Protection Working Party. 2010. Opinion 3/2010 on the principle of accountability.http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf. Accessed 28 Feb 2013.
  4. Asia-Pacific Economic Cooperation, Electronic Commerce Steering Group (ECSG). 2004. APEC Privacy Framework. http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx. Accessed 28 Feb 2013.
  5. Asia-Pacific Economic Cooperation, Electronic Commerce Steering Group (ECSG). 2009. APEC data privacy pathfinder projects implementation work plan—revised. http://aimp.apec.org/Documents/2009/ECSG/SEM1/09_ecsg_sem1_027.doc. Accessed 28 Feb 2013.
  6. Bella, Giampaolo, and Lawrence C. Paulson. 2006. Accountability protocols: Formalized and verified. ACM Transactions on Information and System Security 9:138–161.CrossRefGoogle Scholar
  7. Bellare, Mihir, and Bennet Yee. 1997. Forward integrity for secure audit logs. Technical Report CS98-580, Department of Computer Science and Engineering, University of California at San Diego.Google Scholar
  8. Bennett, Colin. 2012. The accountability approach to privacy and data protection: Assumptions and caveats. In Managing privacy through accountability, ed. Daniel Guagnin et al., 33–48. Basingstoke: Palgrave Macmillan.Google Scholar
  9. Butin, Denis, Marcos Chicote, and Daniel Le Métayer. 2013. Log design for accountability. Proceedings of the 4th international workshop on data usage management. Washington, D.C.: IEEE Computer Society.Google Scholar
  10. Canadian Standards Association. 1996. Model code for the protection of personal information (Q830-96). Mississauga: CSA.Google Scholar
  11. Cavoukian, Ann. 2012. Privacy by design [Leading edge]. IEEE Technology and Society Magazine 31:18–19.CrossRefGoogle Scholar
  12. Cederquist, JG, Ricardo Corin, M. A. C. Dekker, Sandro Etalle, and J. I. den Hartog. 2005. An audit logic for accountability. Proceedings of the 6th international workshop on policies for distributed systems and networks. Washington, D.C.: IEEE Computer Society.Google Scholar
  13. Centre for Information Policy Leadership. 2009a. Global discussion on the commonly-accepted elements of privacy accountability. http://www.huntonfiles.com/files/webupload/CIPL_Galway_Conference_Summary.pdf. Accessed 28 Feb 2013.
  14. Centre for Information Policy Leadership. 2009b. Data protection accountability: The essential elements.http://www.huntonfiles.com/files/webupload/CIPL_Galway_Accountability_Paper.pdf . Accessed 28 Feb 2013.
  15. Centre for Information Policy Leadership. 2010. Demonstrating and measuring accountability: A discussion document.http://www.huntonfiles.com/files/webupload/CIPL_Accountability_Phase_II_Paris_Project.PDF . Accessed 28 Feb 2013.
  16. Commission Nationale Informatique et Libertés (CNIL), Label CNIL procédures d’audit de traitements. 2011. http://www.cnil.fr/la-cnil/labels-cnil/procedures-daudit/. Accessed 28 Feb 2013.
  17. Common Criteria for Information Technology Security Evaluation. 2013. http://www.commoncriteriaportal.org/cc/. Accessed 28 Feb 2013.
  18. De Hert, Paul. 2012. Accountability and system responsibility: New concepts in data protection law and human rights law. In Managing privacy through accountability, ed. Daniel Guagnin et al., 193–232. Basingstoke: Palgrave Macmillan.Google Scholar
  19. Ernst & Young. 2012. Privacy trends 2012. The case for growing accountability.Google Scholar
  20. European Commission. 2012. Proposal for a regulation of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). Brussels: European Commission.Google Scholar
  21. European Parliament and the Council of the European Union. 1995. Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Brussels: European Parliament.Google Scholar
  22. Feigenbaum, Joan, James Hendler, Aaron Jaggard, Daniel Weitzner, and Rebecca Wright. 2011. Accountability and deterrence in online life. Paper presented at ACM Web Science Conference 2011, Koblenz, Germany, June 14--17, 2011.Google Scholar
  23. Guagnin, Daniel et al., ed. 2012. Managing privacy through accountability. Basingstoke: Palgrave Macmillan.CrossRefGoogle Scholar
  24. Haeberlen, Andreas. 2009. A case for the accountable cloud. Proceedings of the 3rd ACM SIGOPS international workshop on large-scale distributed systems and middleware. New York: ACM.Google Scholar
  25. IBM. 2003. The enterprise privacy authorization language (EPAL). http://www.zurich.ibm.com/security/enterprise-privacy/epal/. Accessed 28 Feb 2013.
  26. Jagadeesan, Radha, Alan Jeffrey, Corin Pitcher, and James Riely. 2009. Towards a theory of accountability and audit. Proceedings of the 14th European conference on Research in computer security. Berlin: Springer.Google Scholar
  27. Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC). 2004. Break-glass: An approach to granting emergency access to healthcare systems.Google Scholar
  28. Karjoth, Günter, Matthias Schunter, and Michael Waidner. 2002. Platform for enterprise privacy practices: Privacy-enabled management of customer data. Proceedings of the 2nd workshop on privacy enhancing technologies. Berlin: Springer.Google Scholar
  29. Lazouski, Aliaksandr, Fabio Martinelli, and Paolo Mori. 2010. Usage control in computer security: A survey. Computer Science Review 4:81–99.CrossRefGoogle Scholar
  30. Le Métayer, Daniel. 2009. A formal privacy management framework. Proceedings of formal aspects in security and trust. Berlin: Springer.Google Scholar
  31. Marx, Gary. 2012. Privacy is not quite like the weather. In privacy impact assessment, ed. David Wright and Paul De Hert. Berlin: Springer.Google Scholar
  32. Organisation for Economic Cooperation and Development. 1980. Guidelines on the protection of privacy and transborder flows of personal data.Google Scholar
  33. Organisation for Economic Cooperation and Development. 2011. Thirty years after the OECD privacy guidelines. http://www.oecd.org/sti/ieconomy/49710223.pdf. Accessed 28 Feb 2013.
  34. Organization for the Advancement of Structured Information Standards (OASIS). 2013. eXtensible Access Control Markup Language (XACML) version 3.0 OASIS standard. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf. Accessed 28 Feb 2013.
  35. Park, Jaehong, and Ravi S. Sandhu. 2002. Towards usage control models: Beyond traditional access control. Proceedings of ACM symposium on access control models and technologies. New York: ACM.Google Scholar
  36. Parliament of Canada. 2000. Personal information protection and electronic documents act.Google Scholar
  37. Poullet, Yves. 2001. How to regulate Internet: new paradigms for Internet governance Self-regulation: value and limits. In Variations sur le droit de la soci ét é de l ’information, ed. Claire Monville, Cahiers du Centre de Recherches Informatique et Droit. 79–114. Bruxelles: Bruylant.Google Scholar
  38. Raab, Charles. 2012. The meaning of ’accountability’ in the information privacy context.” In Managing privacy through accountability, ed. Daniel Guagnin et al., 15–32. Basingstoke: Palgrave Macmillan.Google Scholar
  39. Reed, Chris. 2007. Taking sides on technology neutrality. SCRIPTed 263:263–284.CrossRefGoogle Scholar
  40. Schneider, Fred. 2009. Accountability for perfection. IEEE Security and Privacy Magazine 7:3–4.Google Scholar
  41. Schneier, Bruce, and John Kelsey. 1999. Secure audit logs to support computer forensics. ACM Transactions on Information and System Security 2:159–176.CrossRefGoogle Scholar
  42. Title 12 of the United States Code. 1978. Right to Financial Privacy Act.Google Scholar
  43. Trabelsi, Slim, Gregory Neven, and Dave Raggett. 2011. PrimeLife Deliverable D5.3.4: Report on design and implementation.Google Scholar
  44. US Federal Trade Commission. 1973. Fair Information Practice Principles.Google Scholar
  45. W3C. 2006. The platform for privacy preferences 1.1 (P3P1.1) specification. http://www.w3.org/TR/P3P11/. Accessed 28 Feb 2013.
  46. Waters, Brent, Dirk Balfanz, Glenn Durfee, and Diana Smetters. 2004. Building an encrypted and searchable audit log. Proceedings of the network and distributed system security symposium. Reston: The Internet Society.Google Scholar
  47. Wright, David, and Paul De Hert, ed. 2012. Privacy impact assessment. Berlin: Springer.CrossRefGoogle Scholar
  48. Wright, David, Raphaël Gellert, Serge Gutwirth, and Michael Friedewald. 2011. Minimizing technology risks with PIAs, precaution, and participation. IEEE Technology and Society Magazine 30:47–54.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  • Denis Butin
    • 1
  • Marcos Chicote
    • 1
  • Daniel Le Métayer
    • 1
  1. 1.InriaUniversité de LyonVilleurbanneFrance

Personalised recommendations