On September 26, attorneys general from multiple U.S. states settled with the ride sharing company Uber over a data breach that revealed personal information about both Uber’s riders and drivers. The drivers suffered the brunt of the exposure: the release of their names and driver’s license numbers. Uber did not disclose the breach when it occurred in 2016 (in violation of California’s security breach notification law), and it became public after the company’s then new CEO, Dara Khosrowshahi, announced it shortly after his arrival at the company in 2017.
Though the general settlement was widely reported, there was little focus on the details. One portion stood out to me in particular; this text is taken from section 16 of California’s copy of the settlement with the company, entitled “Corporate Integrity Program”:
“No later than ninety (90) days after the Effective Date and for a period of ten (10) years thereafter, UBER shall develop, implement, and maintain a process, incorporating privacy by design principles, to review proposed changes to UBER’s applications, its products, and any other ways in which UBER users, collects, or shares data collected from or about Riders and Drivers.”
To my knowledge, this is the first time that U.S. states have included a Privacy by Design (PbD) requirement into a legal settlement with a technology firm. PbD has made an appearance in federal settlements for almost a decade—my own colleague, Al Gidari, negotiated the first settlement explicitly incorporating privacy by design requirements between Google and the Federal Trade Commission.
What the meaningful effect of including privacy by design in this settlement will be is not immediately clear. The settlement itself includes compliance obligations as well as an auditable security program, yet the PbD requirement is separate from these. While there is a period of compliance specified (ten years), the settlement doesn’t include any specifics regarding how Uber’s compliance on this point will be audited or measured.
Another issue is that there isn’t a universally accepted definition of privacy by designand the agreement itself doesn’t contain one. Dr. Ann Cavoukian both developed the principles and coined the term while she was the Information and Privacy Commissioner for the province of Ontario in Canada in the 1990s. When in doubt, her definition, as recognized by the International Conference of Data Protection Authorities and Privacy Commissioners, is the logical place to turn first. But the FTC outlined a subset of PbD principles in their 2012 report that are less precise and narrower in scope than the ICDPAPC-approved version of the framework. Presumably, if Uber is challenged over their compliance in the future, they will need to reference some accepted form of PbD principles of their choosing. I’ll wager it won’t be the ICDPAPC-approved framework.
Even with these weaknesses, the shift by regulators in acknowledging the need for privacy-by-design during the product development process is encouraging. Arguably, evaluating whether a company is incorporating privacy into their design processes is more difficult than evaluating a comprehensive privacy program focused on legal compliance. But, as Deirdre Mulligan and I argued in 2012, privacy is at its heart a human-centered process, and narrowing one’s focus to legal compliance results in data protection by design, rather than the substantive shift we argue PbD was conceived of to address:
“Understanding privacy as a human process requires companies to solicit and understand the context-dependent privacy expectations of affected individuals. This requires a conceptual and empirical inquiry into privacy’s meaning. This form of privacy by design begins with value-centered and human-centered processes. It requires a new set of privacy experts. Ensuring that a company accurately describes its privacy-related activities in its terms of service and provides appropriate mechanisms to capture consumer acceptance of them is a task for lawyers. Understanding the values at play and privacy requirements in a given context requires a separate set of skills. It requires research to understand and document what individuals bring to the table—their naïveté, their uninformed and ill-conceived notions of how technology works, their mental models based in prior brick and mortar interactions, and their cognitive biases, to name a few. It demands attentiveness to context and human experience, the very attributes that companies, through privacy notices, attempt to disavow and make irrelevant."
In short — incorporating privacy by design requires more than hiring a chief privacy officer or other compliance personnel. It requires far more than simply ensuring that the engineering staff have heard of the word “privacy”. (I’m only half-joking about this.) Privacy by design also requires employees who have the expertise to understand users’ privacy concerns and expectations and who have the authority to advocate for them even when users’ needs conflict with the company’s goals.
Ultimately, the inclusion of the PbD requirement in this settlement may function as both a carrot and a stick--both a nudge to get companies like Uber to take notice and reform their ways, and another avenue for regulators and enforcement officials to crack down should the company find themselves embroiled in another privacy controversy in the future that emanates from poor product design rather than a data breach. Protecting user privacy isn’t just about data security and compliance with data protection; it must be addressed at the cellular level.
This settlement forces a shift in Uber’s DNA (especially for a company that created an internal tool, Greyball, to explicitly dodge regulators), one that likely began after Khosrowshahi’s arrival in 2017 when they began to signal that they were taking privacy more seriously. It will be interesting to see if Uber’s efforts are limited to compliance and data protection by design, or if they will take a more user-centric view that puts users first. To some extent, we may measure this by an absence: a lack of future privacy imbroglios, customer boycotts, and enforcement actions.