Strong Accountability: Beyond Vague Promises
- 1.6k Downloads
The principle of accountability has been enjoying growing popularity over the last few years as a way to mitigate the loss of control by individuals over their personal data. It is however unclear whether accountability can be characterised precisely enough to yield effective protection and whether it bears the capacity for innovative solutions. Reasons to support accountability and criticism raised against it are discussed. Analysing accountability critically requires distinguishing between its application levels: we focus on the requirement for data controllers to provide a statement relating their actual data handling operations with their obligations, and put forward a combination of precise legal requirements and effective tools to support strong accountability. After presenting such an approach, called accountability by design, we explore the integration of this framework with legal and economic settings and discuss its complementarity with other instruments for privacy.
KeywordsAccounting Data Personal Information Protection And Electronic Documents Act (PIPEDA) Privacy Impact Assessment (PIA) Draft General Data Protection Regulation Privacy Seals
- Alhadeff, Joseph, Brendan Van Alsenoy, and Jos Dumortier. 2011. The accountability principle in data protection regulation: Origin, development and future directions. Paper presented at privacy and accountability, Berlin, Germany, April 5--6, 2011.Google Scholar
- Article 29 Data Protection Working Party. 2003. Working document on transfers of personal data to third countries: Applying article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf. Accessed 28 Feb 2013.
- Article 29 Data Protection Working Party. 2010. Opinion 3/2010 on the principle of accountability.http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf. Accessed 28 Feb 2013.
- Asia-Pacific Economic Cooperation, Electronic Commerce Steering Group (ECSG). 2004. APEC Privacy Framework. http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx. Accessed 28 Feb 2013.
- Asia-Pacific Economic Cooperation, Electronic Commerce Steering Group (ECSG). 2009. APEC data privacy pathfinder projects implementation work plan—revised. http://aimp.apec.org/Documents/2009/ECSG/SEM1/09_ecsg_sem1_027.doc. Accessed 28 Feb 2013.
- Bellare, Mihir, and Bennet Yee. 1997. Forward integrity for secure audit logs. Technical Report CS98-580, Department of Computer Science and Engineering, University of California at San Diego.Google Scholar
- Bennett, Colin. 2012. The accountability approach to privacy and data protection: Assumptions and caveats. In Managing privacy through accountability, ed. Daniel Guagnin et al., 33–48. Basingstoke: Palgrave Macmillan.Google Scholar
- Butin, Denis, Marcos Chicote, and Daniel Le Métayer. 2013. Log design for accountability. Proceedings of the 4th international workshop on data usage management. Washington, D.C.: IEEE Computer Society.Google Scholar
- Canadian Standards Association. 1996. Model code for the protection of personal information (Q830-96). Mississauga: CSA.Google Scholar
- Cederquist, JG, Ricardo Corin, M. A. C. Dekker, Sandro Etalle, and J. I. den Hartog. 2005. An audit logic for accountability. Proceedings of the 6th international workshop on policies for distributed systems and networks. Washington, D.C.: IEEE Computer Society.Google Scholar
- Centre for Information Policy Leadership. 2009a. Global discussion on the commonly-accepted elements of privacy accountability. http://www.huntonfiles.com/files/webupload/CIPL_Galway_Conference_Summary.pdf. Accessed 28 Feb 2013.
- Centre for Information Policy Leadership. 2009b. Data protection accountability: The essential elements.http://www.huntonfiles.com/files/webupload/CIPL_Galway_Accountability_Paper.pdf . Accessed 28 Feb 2013.
- Centre for Information Policy Leadership. 2010. Demonstrating and measuring accountability: A discussion document.http://www.huntonfiles.com/files/webupload/CIPL_Accountability_Phase_II_Paris_Project.PDF . Accessed 28 Feb 2013.
- Commission Nationale Informatique et Libertés (CNIL), Label CNIL procédures d’audit de traitements. 2011. http://www.cnil.fr/la-cnil/labels-cnil/procedures-daudit/. Accessed 28 Feb 2013.
- Common Criteria for Information Technology Security Evaluation. 2013. http://www.commoncriteriaportal.org/cc/. Accessed 28 Feb 2013.
- De Hert, Paul. 2012. Accountability and system responsibility: New concepts in data protection law and human rights law. In Managing privacy through accountability, ed. Daniel Guagnin et al., 193–232. Basingstoke: Palgrave Macmillan.Google Scholar
- Ernst & Young. 2012. Privacy trends 2012. The case for growing accountability.Google Scholar
- European Commission. 2012. Proposal for a regulation of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (general data protection regulation). Brussels: European Commission.Google Scholar
- European Parliament and the Council of the European Union. 1995. Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Brussels: European Parliament.Google Scholar
- Feigenbaum, Joan, James Hendler, Aaron Jaggard, Daniel Weitzner, and Rebecca Wright. 2011. Accountability and deterrence in online life. Paper presented at ACM Web Science Conference 2011, Koblenz, Germany, June 14--17, 2011.Google Scholar
- Haeberlen, Andreas. 2009. A case for the accountable cloud. Proceedings of the 3rd ACM SIGOPS international workshop on large-scale distributed systems and middleware. New York: ACM.Google Scholar
- IBM. 2003. The enterprise privacy authorization language (EPAL). http://www.zurich.ibm.com/security/enterprise-privacy/epal/. Accessed 28 Feb 2013.
- Jagadeesan, Radha, Alan Jeffrey, Corin Pitcher, and James Riely. 2009. Towards a theory of accountability and audit. Proceedings of the 14th European conference on Research in computer security. Berlin: Springer.Google Scholar
- Joint NEMA/COCIR/JIRA Security and Privacy Committee (SPC). 2004. Break-glass: An approach to granting emergency access to healthcare systems.Google Scholar
- Karjoth, Günter, Matthias Schunter, and Michael Waidner. 2002. Platform for enterprise privacy practices: Privacy-enabled management of customer data. Proceedings of the 2nd workshop on privacy enhancing technologies. Berlin: Springer.Google Scholar
- Le Métayer, Daniel. 2009. A formal privacy management framework. Proceedings of formal aspects in security and trust. Berlin: Springer.Google Scholar
- Marx, Gary. 2012. Privacy is not quite like the weather. In privacy impact assessment, ed. David Wright and Paul De Hert. Berlin: Springer.Google Scholar
- Organisation for Economic Cooperation and Development. 1980. Guidelines on the protection of privacy and transborder flows of personal data.Google Scholar
- Organisation for Economic Cooperation and Development. 2011. Thirty years after the OECD privacy guidelines. http://www.oecd.org/sti/ieconomy/49710223.pdf. Accessed 28 Feb 2013.
- Organization for the Advancement of Structured Information Standards (OASIS). 2013. eXtensible Access Control Markup Language (XACML) version 3.0 OASIS standard. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf. Accessed 28 Feb 2013.
- Park, Jaehong, and Ravi S. Sandhu. 2002. Towards usage control models: Beyond traditional access control. Proceedings of ACM symposium on access control models and technologies. New York: ACM.Google Scholar
- Parliament of Canada. 2000. Personal information protection and electronic documents act.Google Scholar
- Poullet, Yves. 2001. How to regulate Internet: new paradigms for Internet governance Self-regulation: value and limits. In Variations sur le droit de la soci ét é de l ’information, ed. Claire Monville, Cahiers du Centre de Recherches Informatique et Droit. 79–114. Bruxelles: Bruylant.Google Scholar
- Raab, Charles. 2012. The meaning of ’accountability’ in the information privacy context.” In Managing privacy through accountability, ed. Daniel Guagnin et al., 15–32. Basingstoke: Palgrave Macmillan.Google Scholar
- Schneider, Fred. 2009. Accountability for perfection. IEEE Security and Privacy Magazine 7:3–4.Google Scholar
- Title 12 of the United States Code. 1978. Right to Financial Privacy Act.Google Scholar
- Trabelsi, Slim, Gregory Neven, and Dave Raggett. 2011. PrimeLife Deliverable D5.3.4: Report on design and implementation.Google Scholar
- US Federal Trade Commission. 1973. Fair Information Practice Principles.Google Scholar
- W3C. 2006. The platform for privacy preferences 1.1 (P3P1.1) specification. http://www.w3.org/TR/P3P11/. Accessed 28 Feb 2013.
- Waters, Brent, Dirk Balfanz, Glenn Durfee, and Diana Smetters. 2004. Building an encrypted and searchable audit log. Proceedings of the network and distributed system security symposium. Reston: The Internet Society.Google Scholar