The final version of a paper by Michael Birnhack, myself, and Irit Hadar, “Privacy Mindset, Technological Mindset“, is now available on SSRN:

The paper tries to answer a simple question: why engineers hardly follow privacy-by-design approaches? In looking for an answer, we analyzed the chasm between privacy ideas, as expressed in the language of the law, and engineering ideas, as expressed in engineering books. It was interesting to see that both types of texts describe desired information system architectures, but the architectures hardly agree on questions of anonymity, data minimization, flow of data, etc. We summarize the paper by discussing how the gaps between law and technology point to potential avenues to save privacy-by-design.

Here is the full abstract:

Policymakers around the world constantly search for new tools to address growing concerns as to informational privacy (data protection). One solution that has gained support in recent years among policy makers is Privacy by Design (PbD). The idea is simple: think of privacy ex ante, and embed privacy within the design of a new technological system, rather than try to fix it ex post, when it is often too late. However, PbD is yet to gain an active role in engineering practices. Thus far, there are only a few success stories. 

We argue that a major obstacle for PbD is the discursive and conceptual gap between law and technology. A better diagnosis of the gaps between the legal and technological perceptions of privacy is a crucial step in seeking viable solutions. We juxtapose the two fields by reading each field in terms of the other field. We reverse engineer the law, so as to expose its hidden assumptions about technology (the law’s technological mindset), and we read canonical technological texts, so as to expose their hidden assumptions about privacy (technology’ s privacy mindset). Our focus is on one set of informational privacy practices: the large corporation that collects data from individual data subjects. 

This dual reverse engineering indicates substantial gaps between the legal perception of informational privacy, as reflected in the set of principles commonly known as Fair Information Privacy Principles (FIPPs) and the perceptions of the engineering community. While both information technology and privacy law attempt to regulate the flow of data, they do so in utterly different ways, holding different goals and applying different constraints. The gaps between law and technology point to potential avenues to save PbD.