Privacy by Design Is Crucial to the Future of AI
We’re kicking off a new series exploring the intersection of AI and Privacy by Design, and evaluating what impact it will have on laws, regulations, GRC, and even new incoming frameworks.This article is authored by Lior Solomon, Matt Hillary, and Shane Tierney.
In a world filled with GPT wrappers and rushed-to-market solutions using unfinished generative AI models, it makes you wonder what implications the slew of draft state, federal, and international regulations will have on them.
On the one hand, you have rapid innovation and pioneers experimenting in near real-time; on the other, you have significant privacy concerns and data risks that are sidelined because we are once again entering a new technological frontier.
If history repeats itself—and it often does—we’ll see technology far outpace regulation until we hit a breaking point. For example, AI tools have made it easier than ever to create deepfakes and impersonate celebrities such as Taylor Swift, and we’ve seen new direct bills proposed in response.
While Photoshop fakes have been around for decades, situations like this create spillover events that not only make great political fodder but are also an ideal opportunity to throw the book at malicious actors to serve as a warning to others.
For these reasons, we’re kicking off a new series exploring the intersection of AI and Privacy by Design, and evaluating what impact it will have on laws, regulations, GRC, and even new incoming frameworks.
Defining Privacy by Design
The idea behind Privacy by Design originated around the 1990s. It was pioneered by former Information and Privacy Commissioner of Ontario, Canada, Dr. Ann Cavoukian, who continues to beat the drum on the concept. The aim is to address the rising privacy concerns brought about by the rapid advancements in technology, particularly in the realm of data collection and processing.
As Shane Tierney, Senior Program Manager, GRC, explains, "Privacy by Design tries to set out these tent poles and ethos of how to actually approach any given project or initiative that a company would take on. It tries to be almost project agnostic."
The principles are not just about the technical aspects of privacy, but they also encompass ethical considerations. They are about being proactive rather than reactive when it comes to privacy. They emphasize the importance of full functionality with privacy considerations built into it and stress the need for user-centric, transparent, and visible actions.
This forward-thinking approach to privacy was groundbreaking at the time and has now become a standard practice in many industries worldwide. This is largely due to the recognition that effective privacy measures cannot simply be retrofitted onto existing systems. Rather, they must be an integral part of the design and operation of technologies and business practices from the beginning.
Privacy by Design has become so impactful as a concept that ISO developed ISO 31700-1:2023 as a set of standards an organization can align with to ensure they protect privacy throughout the lifecycle of a consumer product, including data processed by the consumer.
Similarly, concepts like Shift Left Security highlight the need to introduce security checks into software development cycles even before code is written.
The introduction and refinement of such concepts make it clear that the world demands more proactive approaches, and the countless breach notifications we are now desensitized to are no longer suitable.
Integrating Privacy by Design Into AI
When it comes to AI, these principles become even more critical. AI systems, particularly generative AI models, often ingest huge amounts of personal information to deliver the desired results. Therefore, it's essential to embed privacy into the AI systems as a default setting.
“There are generally three different principles: There's the data that you use to train the model, the architecture that you use, and then there are the models that you generate. Those are the models you ultimately end up putting into your product,” said Matt Hillary, Drata’s CISO.
Therefore, it's crucial to respect and implement the principles of Privacy by Design in all projects and initiatives, especially when integrating AI into a technology stack. This not only ensures compliance with data privacy regulations but also builds trust with users and creates safer, more secure digital systems.
“When we think about privacy in the world of AI, it's just making sure that on one hand, we use the power of knowledge and the power of the crowd, like crowd knowledge, if you may, the data that you get from the customers, but still being very thoughtful of where that data unifies and where do we store it,” said Lior Solomon, Drata’s VP of Data.
The 7 Principles of Privacy by Design
Privacy by Design is a concept centered on seven fundamental principles. These principles guide the approach to privacy and data protection and are meant to be an integral part of product design and engineering.
Proactive, Not Reactive; Preventative, Not Remedial: The idea is to anticipate and prevent privacy-invasive events before they happen rather than waiting for privacy risks to materialize and then reacting.
Privacy as the Default Setting: Personal data must be automatically protected in any system or business practice. No action is required on the part of the individual to protect their privacy—it is built into the system by default.
Privacy Embedded Into Design: Privacy is an integral part of the system without diminishing functionality. It is embedded into IT systems and business practices' design and architecture, not bolted on as an add-on.
Full Functionality – Positive-Sum, Not Zero-Sum: Privacy by Design seeks to accommodate all legitimate interests and objectives, not just privacy. It avoids the pretense of false dichotomies, such as privacy vs. security.
End-to-End Security – Lifecycle Protection: Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved.
Visibility and Transparency: Privacy by Design seeks to assure all stakeholders that whatever business practice or technology is involved is, in fact, operating according to the stated promises and objectives, subject to independent verification.
Respect for User Privacy: Above all, Privacy by Design requires architects and operators to prioritize the interests of the individual by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options.
These principles serve as a guide for organizations and businesses to ensure that privacy is an integral part of their operations from the onset rather than being an afterthought.
Connecting the Dots: AI vs. Regulations
The rise of regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) highlights the increasing global focus on privacy rights.
These comprehensive data protection laws have been put in place to ensure that organizations handle personal data responsibly. They emphasize not just the importance of protecting data but also the rights individuals have over their personal information.
Moreover, Privacy by Design also helps to build trust with users. When users see that an organization takes their privacy seriously, they are more likely to engage with that organization and use its services. As such, Privacy by Design not only helps to meet regulatory requirements but can also provide a competitive advantage in today's digital market.
In the end, Privacy by Design is not just about compliance. It is about respecting user privacy and building safer, more trustworthy digital systems. It is an approach that prioritizes the user, making it an essential part of any organization's digital strategy.
As Tierney puts it, "If you're not really thinking about the security, availability, and integrity of that information that you're pulling into the system, it's a nightmare waiting to happen."
Next up in our series, Matt, Lior, and Shane will share their perspective on how these principles and concepts are applied to Drata. For further reading, check out Lior’s article on Drata's AI Philosophy.