The GDPR requires organisations to implement appropriate technical and organisational measures that give effect to the data protection principles and safeguard individual rights. While data protection by design and by default (or ‘privacy by design’) is not a new concept, the GDPR makes it a legal requirement, and thus practical guidance is needed for implementation.
This article will discuss these concepts and requirements in the context of recent guidance published by the European Data Protection Supervisor (EDPS) and the UK Information Commissioner’s Office (ICO), as well as other frameworks that can be leveraged to put policy into practice.
Intro to Privacy by Design
Privacy by Design is a framework encouraging the proactive embedding of privacy into the design specifications of information technologies, network infrastructure and business practices, thereby achieving the strongest privacy protections possible. The term “privacy by design” was originally coined by Dr. Ann Cavoukian while she was the Information and Privacy Commissioner of Ontario, Canada. Dr. Cavoukian broke PbD down into “7 foundational principles.”
“Privacy as the Default Setting” is the second principle on Dr. Cavoukian’s list:
Build in the maximum degree of privacy into the default settings for any system or business practice. Doing so will keep a user’s privacy intact, even if they choose to do nothing.
In other words, the individual should not bear the burden of data protection when using a service or product, but rather should enjoy “automatic” protection of their data and privacy rights as the default, without having to take additional steps of their own.
EDPS Preliminary Opinion on Privacy by Design
In May 2018, the EDPS issued a Preliminary Opinion on Privacy by Design in which it distinguishes between “the general principle of ‘Privacy by Design’ which encompasses an ethical dimension consistent with the principles and values of the EU Charter of Fundamental Rights, and the specific legal obligations provided by Article 25 of the GDPR.” In the Opinion, the EDPS also “provides examples of methodologies to identify privacy and data protection requirements and integrate them into privacy engineering processes with a view to implementing appropriate technical and organisational safeguards” as well as “standardization efforts to integrate privacy requirements in system design and the state of the art of privacy enhancing technologies.”
According to the EDPS, the term “privacy by design” means “the broad concept of technological measures for ensuring privacy as it has developed in an international debate over the last few decades,” while the term “data protection by design and by default” refers to “the specific legal obligations established by Article 25 of the GDPR.” The EDPS goes on to clarify that while the measures implemented to address Article 25 “will also contribute to achieving the more general objective of ‘privacy by design’ . . . a wider spectrum of approaches may be taken into account for the objective of ‘privacy by design’ which includes a visionary and ethical dimension, consistent with the principles and values enshrined in the EU Charter of Fundamental Rights of the EU.” In this way, the EDPS interprets PbD as being the more high-level, over-arching and aspirational concept (i.e., “the principles and values”) and Article 25 being a more focused application or implementation of that broad concept—it might be analogous to the relationship between a high-level policy and a low-level procedure.
The EDPS also explained its own role in privacy by design, stating for example that it will:
- continue to promote privacy by design, where appropriate in cooperation with other data protection authorities in the EDPB;
- support coordinated and effective enforcement of Article 25 of the GDPR and related provisions;
- provide guidance to controllers on the appropriate implementation of the principle laid down in the legal base; and
- together with the DPAs of Austria, Ireland and Schleswig-Holstein, launch a competition for a privacy friendly app in the mobile health domain.
The Opinion also mentions the EDPS’s cooperation in the International Working Group on Data Protection in Telecommunications (IWGDPT, the “Berlin Group”), a group of national data protection authorities from around the world, as well as representatives from the private and NGO sectors. The Opinion also includes an analysis of “the international dimension of privacy by design,” pointing to adoption of the concept in Canada, Australia, Israel, the U.S., and of course, the EU.
With regard to the U.S., the Opinion references a 2012 report by the U.S. Federal Trade Commission (FTC) which proposed privacy by design as one of three main concepts, as well as a statement by FTC Commissioner Edith Ramirez that echoed Dr. Cavoukian’s principle of “privacy as the default setting”:
[Privacy] must be something that an engineer or website developer instinctively thinks about when writing code or developing a new product. Respecting privacy must be considered integral to the innovation process. . . . privacy by design helps lift the burden of privacy protection off the shoulders of consumers.
Along those lines, the EDPS notes that “the FTC definition of privacy by design can be seen as quite similar (methodologically and even substantially to a large extent) to what is in the EU law in all its dimensions . . . and is clearly formulated with a view to the practical implementation of the principle.”
But the FTC is not alone in the U.S. The EDPS also makes note of the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, which recently issued an internal report on Privacy Engineering and Risk Management in Federal Systems that includes a privacy risk model and a methodology to implement privacy requirements when engineering systems processing personal data.