What is Privacy by Design and by Default?

The eData Guide to GDPR

March 11, 2019

Article 25 of the GDPR is titled “Data Protection by Design and by Default.” The GDPR’s own language is somewhat ambiguous about what these concepts mean and, equally important, about how to comply with them. The terms, however, originate from the principles of “privacy by design” and “privacy by default,” which have a long history in data protection policy and shed useful light on a data controller’s duties under the GDPR. This issue of The eData Guide to GDPR provides a brief history of those two principles, an explanation of Article 25’s “Data Protection by Design and by Default” standard, and recommendations for complying with it.

History of “Privacy by Design” and “Privacy by Default”

Shortly after the GDPR became applicable on May 25, 2018, the European Data Protection Supervisor (EDPS) issued a preliminary opinion on “privacy by design.”[1] While the opinion does not purport to be a legal analysis of Article 25’s “Data Protection by Design and by Default” requirements, it traces the history of the “privacy by design” concept that eventually led to the language in Article 25. That background is useful for understanding the intent behind Article 25 and, by extension, how to comply with it.

According to the EDPS opinion, the terms “privacy by design” and “privacy by default” were developed in the 1990s by Dr. Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada.[2] In 2009 she published “Privacy by Design: The 7 Foundational Principles,” in which she states that “privacy by design” means that organizations must proactively consider privacy “throughout the entire data lifecycle,” starting at the beginning of the design phase.[3] Dr. Cavoukian writes that this “life cycle protection” ensures that “all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.”[4]

According to these principles, this protection can and should be imposed without diminishing the functionality of the business or system.[5] Dr. Cavoukian emphasized:

“Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.”[6]

“Privacy by default,” in turn, means that the “privacy by design” principle should be built into any system or business as its default state, so that personal data is automatically protected without any action by the data subject.[7] In other words, “No action is required on the part of the individual to protect their privacy — it is built into the system, by default”.[8] The EDPS explains that this “default setting” means the individual should not “bear the burden” of protecting his or her own data when using a service or product; rather, the fundamental right to privacy is protected “automatically,” as the default setting.[9] Dr. Cavoukian’s “privacy by design” and “privacy by default” principles were soon embraced by European privacy legislators.

In 2010, the 32nd Conference of Data Protection and Privacy Commissioners adopted the “Resolution on Privacy by Design” and “invited data protection authorities to foster privacy by design in the ‘formulation of policies and legislation within their respective jurisdictions’.”[10] Shortly after, the Article 29 Working Party (WP29) “demanded” the introduction of the “privacy by design” principle into any new legislation that resulted from the European Commission’s call for public comment on data protection reform, stating that previous directives “had not been sufficient in ensuring that privacy is embedded” into information and security technologies.[11] WP29 also asked for “privacy by default settings”[12] and recommended that the two principles “should be binding for technology designers and producers as well as for data controllers...They should be obliged to take technological data protection into account already at the planning stage of information-technological procedures and systems”.[13] This recommendation paved the way for Article 25’s “Data Protection by Design and by Default” that we now see in the GDPR.

With the history of these principles in mind, we can now turn to requirements of Article 25.

Data Protection by Design

Article 25(1) of the GDPR states that a data controller must, both at the time it determines the means of processing and at the time of the processing itself,

 “…implement appropriate technical and organizational measures (such as pseudonymisation), which are designed to implement data-protection principles (such as data minimization) in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”[14]

Common Ways to Minimize Data

Data minimization is a core component of data protection by design and by default. Controllers and processors can pursue it through techniques such as:

  • Setting retention periods so that records are kept no longer than necessary for their purpose (or than the law requires), and deleting them when the period ends
  • Anonymizing or pseudonymising data that could identify a natural person
  • Identifying where personal data is stored, processing and preserving only what is required, and eliminating the rest

Two caveats matter when choosing among these techniques. Pseudonymised data remains personal data under the GDPR: Article 4(5) requires the “additional information” that re-links it (a key or lookup table) to be kept separately and protected, and Recital 26 confirms that such data is still in scope. Only data that has been genuinely anonymised, such that re-identification is no longer reasonably likely, falls outside the Regulation.

In deciding which measures are appropriate, the controller must take into account

  • the state of the art;
  • the cost of implementation;
  • the nature, scope, context, and purposes of processing; and
  • the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.[15]

GDPR’s Recital 78 further elaborates on this concept, stating that “…the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”[16] Such measures may consist of the following:

  • Minimizing the processing of personal data
  • Pseudonymising personal data as soon as possible
  • Transparency with regard to the functions and processing of personal data
  • Enabling the data subject to monitor the data processing
  • Enabling the controller to create and improve security features[17]

European institutions and national data protection authorities have issued interpretations of what compliance with this principle requires. The European Commission, for instance, has published guidance stating that “data protection by design” under the GDPR means that organizations should “implement technical and organizational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’).” [18] The guidance suggests two ways in which a data controller might implement “data protection by design”:

  • The use of pseudonymisation (replacing personally identifiable material with artificial identifiers)
  • Encryption (encoding messages so only those authorized can read them)[19]
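The minimization techniques listed above and the Commission’s pseudonymisation suggestion are easier to reason about in code than in prose. The following Python is an added example, not code from the Commission, the EDPS or any other source cited on this page. It works on constructed customer records and makes three points: a purpose-specific allowlist is how “process only what is required” is enforced; a keyed token (HMAC-SHA256) is a defensible pseudonym whereas a bare hash of an e-mail address is not, because an attacker who knows the scheme can simply hash a list of likely addresses; and a retention cut-off is a mechanical filter over a timestamp. The field names, the one-year retention period, the reference date and the analytics purpose are all assumptions; the HMAC key stands for the Article 4(5) “additional information” and would in practice live in a separate secrets store. Encryption of the stored data, the Commission’s other suggestion, is a distinct control and is not shown here.

```python
"""Added example: data minimisation, keyed pseudonymisation and retention
enforcement over constructed customer records. Not code from the page's
sources; field names, purpose, retention period and key handling are assumed."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+44 7700 900123",
     "date_of_birth": "1984-02-11", "order_total": 42.50,
     "created_at": "2018-01-15T10:00:00+00:00"},
    {"name": "Bob Example", "email": "bob@example.org", "phone": "+44 7700 900456",
     "date_of_birth": "1990-07-30", "order_total": 17.00,
     "created_at": "2019-02-20T09:30:00+00:00"},
]

# Assumed purpose: order analytics. Only these fields are needed for it, and
# none of them directly identifies the person. This allowlist is the
# "process only what is required" step.
ANALYTICS_FIELDS = {"order_total", "created_at"}

RETENTION = timedelta(days=365)                          # assumed retention period
AS_OF = datetime(2019, 3, 11, tzinfo=timezone.utc)       # assumed reference date


def minimise(record, allowed):
    """Keep only the fields required for the stated purpose; drop everything else."""
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymise(identifier, key):
    """Replace an identifier with a keyed token (HMAC-SHA256).

    The key is the Art. 4(5) 'additional information': it must be stored
    separately from the pseudonymised data set (e.g. in a KMS). Without it an
    attacker cannot rebuild the token from a guessed identifier."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def naive_hash(identifier):
    """Unkeyed hash, shown only for contrast: NOT adequate pseudonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def dictionary_attack(token, candidates, key=None):
    """An attacker who knows the scheme tries likely e-mail addresses against a token.

    With key=None the attacker assumes a bare hash; with the key they can
    reproduce HMAC tokens, which is exactly why the key must be kept apart."""
    for c in candidates:
        t = pseudonymise(c, key) if key is not None else naive_hash(c)
        if hmac.compare_digest(t, token):
            return c
    return None


def is_expired(record, now=AS_OF, retention=RETENTION):
    """Storage limitation: a record older than the retention period must go."""
    return now - datetime.fromisoformat(record["created_at"]) > retention


def apply_retention(records, now=AS_OF, retention=RETENTION):
    return [r for r in records if not is_expired(r, now, retention)]


def build_analytics_dataset(records, key, now=AS_OF):
    """Pipeline: purge expired rows, keep only needed fields, pseudonymise the join key."""
    out = []
    for r in apply_retention(records, now):
        row = minimise(r, ANALYTICS_FIELDS)
        row["subject_token"] = pseudonymise(r["email"], key)   # links rows, not people
        out.append(row)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # in practice fetched from a separate secret store
    print(build_analytics_dataset(RECORDS, key))   # Alice's 2018 row purged; Bob's has no name/phone/DOB
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    print(dictionary_attack(naive_hash("bob@example.org"), guesses))         # recovered
    print(dictionary_attack(pseudonymise("bob@example.org", key), guesses))  # None without the key
```

Run it as a script to see the analytics set shrink to Bob’s single minimised row while the unkeyed hash of his address is recovered by guessing and the keyed token is not. The same pipeline shape (purge, project, tokenise) applies whatever the purpose; only the allowlist and the retention period change.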

Similarly, the Irish Data Protection Commission (IDPC) issued its own guidance on the “protection by design” requirement, stating that the GDPR requires controllers to embed “data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.”[20]

The UK’s Information Commissioner’s Office (ICO) also released guidance stating that GDPR’s “data protection by design” is “ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle…In essence this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices.”[21] The requirement has broad application, including the following:

  • Developing new IT systems, services, products, and processes that involve processing personal data
  • Developing organizational policies, processes, business practices, and/or strategies that have privacy implications
  • Physical design
  • Embarking on data sharing initiatives
  • Using personal data for new purposes[22]

Data Protection by Default

Article 25(2) directs controllers to implement

“…appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.”[23]

The IDPC’s guidance interprets this requirement to mean that user service settings must be automatically data protection friendly (e.g., no automatic opt-ins on customer account pages), and that only data that is necessary for each specific purpose of the processing should be gathered.[24]

Similarly, the European Commission’s guidance states that a social media platform should be “encouraged to set users’ profile settings in the most privacy-friendly setting, for example, by limiting from the start the accessibility of the users’ profile so that it isn’t accessible by default to an indefinite number of persons.”[25] The guidance continues by suggesting that companies should “ensure that personal data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (‘data protection by default’).”[26]

The ICO’s guidance also links the principle to data minimization and purpose limitation, stating that a controller should “only process the data that is necessary to achieve your specific purpose.”[27] To accomplish this, a company needs to specify which data it will need to achieve that purpose before the processing starts, appropriately inform individuals of the processing, and process only the data it needs for the purpose for which it is being processed.[28]

Helpfully, the ICO indicates that compliance does not require a company to adopt a “default to off” solution in every case. Rather, what is required of an individual organization will depend on the circumstances of its processing and the risks posed to individuals.[29] Organizations should consider

  • adopting a “privacy-first” approach to the default settings of systems and applications;
  • ensuring that the company does not offer individuals an illusory choice about the data it will process;
  • not processing additional data unless the individual grants permission;
  • ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
  • providing individuals with sufficient controls and options to exercise their rights.[30]
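The ICO’s list, the Commission’s profile-settings illustration and the text of Article 25(2) all describe the same engineering pattern: the most restrictive state is the one a record starts in, and only the individual’s own action widens it. The Python below is an added example of that pattern, not code from the ICO, the Commission or any other source on this page. Every profile field begins private, each processing operation must name a declared purpose and receives only the fields that purpose needs, optional processing (here, a newsletter) is refused until the individual opts in, and every widening is recorded so the controller can show who changed what. The profile fields, the purpose register, the visibility levels and the opt-in purposes are assumptions chosen for illustration.

```python
"""Added example: 'data protection by default' enforced in code. Every field
starts private, processing is bound to a declared purpose, and optional
processing stays off until the individual opts in. Constructed data; the
purposes, fields and class design are assumptions, not taken from any DPA."""
from dataclasses import dataclass, field

DATA_FIELDS = ("name", "email", "postal_address", "bio")

# Assumed purpose register: the only fields each purpose may touch (Art. 25(2):
# "only personal data which are necessary for each specific purpose").
PURPOSES = {
    "order_fulfilment": {"name", "postal_address"},
    "account_login": {"email"},
    "newsletter": {"email"},
}
# Purposes that are optional for the service and therefore need an explicit opt-in.
OPT_IN_PURPOSES = {"newsletter"}
LEVELS = ("private", "contacts", "public")


@dataclass
class Profile:
    name: str
    email: str
    postal_address: str
    bio: str = ""
    # Privacy-first defaults: an absent setting means "private", and no
    # optional purpose is switched on.
    visibility: dict = field(default_factory=dict)
    consents: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def visibility_of(self, fld):
        return self.visibility.get(fld, "private")   # absent == most restrictive

    def set_visibility(self, fld, level):
        """The individual's own intervention is the only path to wider exposure."""
        if level not in LEVELS or fld not in DATA_FIELDS:
            raise ValueError(f"bad visibility change: {fld}={level}")
        self.visibility[fld] = level
        self.audit.append(("visibility", fld, level))

    def grant_consent(self, purpose):
        """Opt-in for an optional purpose; refused for purposes that are not opt-in."""
        if purpose not in OPT_IN_PURPOSES:
            raise ValueError(f"{purpose} is not an opt-in purpose")
        self.consents.add(purpose)
        self.audit.append(("consent", purpose, True))

    def withdraw_consent(self, purpose):
        self.consents.discard(purpose)
        self.audit.append(("consent", purpose, False))


def public_view(p):
    """What an anonymous visitor (an 'indefinite number of persons') may see."""
    return {f: getattr(p, f) for f in DATA_FIELDS if p.visibility_of(f) == "public"}


def process(p, purpose):
    """Return only the fields necessary for the named purpose; refuse anything else."""
    if purpose not in PURPOSES:
        raise PermissionError(f"undeclared purpose: {purpose}")
    if purpose in OPT_IN_PURPOSES and purpose not in p.consents:
        raise PermissionError(f"{purpose} requires the individual's opt-in")
    return {f: getattr(p, f) for f in PURPOSES[purpose]}


if __name__ == "__main__":
    p = Profile("Alice Example", "alice@example.com", "1 Example St", bio="hello")
    print(public_view(p))                  # {}  a fresh profile exposes nothing
    p.set_visibility("bio", "public")      # explicit user action
    print(public_view(p))                  # {'bio': 'hello'}
    print(process(p, "order_fulfilment"))  # name and address only, no e-mail
    try:
        process(p, "newsletter")           # optional purpose is off by default
    except PermissionError as e:
        print("refused:", e)
    p.grant_consent("newsletter")
    print(process(p, "newsletter"))        # {'email': 'alice@example.com'}
    print(p.audit)
```

The point of routing every read through `process()` is that a new purpose cannot quietly reuse data collected for an old one: it has to be added to the register, which is the moment to ask whether the data is necessary for it and whether the individual was told. The audit list is what turns “privacy by default” from a setting into something the controller can demonstrate.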

Complying with Article 25 - Data Protection by Design and by Default

Data controllers are responsible for complying with “Data Protection by Design and by Default.” The regulation, however, does not lay down rules or specific requirements for achieving compliance; what is required depends on each organization’s own circumstances. That does not make the obligation toothless. The ICO has indicated that, when considering whether to impose a penalty, it will take into account the technical and organizational measures a company has put in place with respect to Article 25.[31] The ICO has also warned that it has the power, under the Data Protection Act 2018 (DPA 2018), to issue an Enforcement Notice against any company for failings in respect of Article 25.[32]

Given that Article 25 imposes a significant burden to ensure built-in data protection, all data controllers should analyze how their organization as a whole processes personal information, and ensure that the fundamental right of privacy is taken into account every step of the way. This should include the following:

  • Designing an organizational-wide privacy program that identifies where and when your organization processes personal data, and ensures that each department involved in processing personal data has a data protection plan in place
  • Ensuring that a data protection plan is part of any new business development that may involve processing personal data
  • Minimizing the processing of personal data so that your organization is only processing the personal data that is needed to achieve the purposes for which it is being processed
  • Pseudonymising or encrypting personal data whenever possible
  • Ensuring that any personal data processing is transparent to data subjects and that data subjects are informed of how their data is being used
  • Ensuring that data subjects have the ability to exercise their rights[33]
  • Staying abreast of advances in data protection technology and ensuring that your organization has the ability to update its data protection policy in order to take advantage of such advances, where feasible

[1] EDPS, Opinion 5/2018, Preliminary Opinion on Privacy by Design.

[2] Ann Cavoukian, “Privacy by Design: The 7 Foundational Principles,” published 2009, revised 2011.

[3] Id.

[4] Id.

[5] EDPS, Opinion 5/2018, Preliminary Opinion on Privacy by Design.

[6] Ann Cavoukian, “Privacy by Design: The 7 Foundational Principles,” published 2009, revised 2011.

[7] EDPS, Opinion 5/2018, Preliminary Opinion on Privacy by Design.

[8] Id., quoting Ann Cavoukian, “Privacy by Design: The 7 Foundational Principles.”

[9] EDPS, Opinion 5/2018, Preliminary Opinion on Privacy by Design.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Article 25, GDPR.

[15] Article 25, GDPR.

[16] Recital 78, GDPR.

[17] Recital 78, GDPR.

[18] European Commission, “What does data protection by design and by default mean?”

[19] Id.

[20] Irish Data Protection Commission, “Data Protection by Design and by Default.”

[21] United Kingdom Information Commissioner’s Office, “Data Protection by Design and Default.”

[22] Id.

[23] Article 25, GDPR.

[24] Irish Data Protection Commission, “Data Protection by Design and by Default.”

[25] European Commission, “What does data protection by design and by default mean?”

[26] Id.

[27] United Kingdom Information Commissioner’s Office, “Data Protection by Design and Default.”

[28] Id.

[29] Id.

[30] Id.

[31] United Kingdom Information Commissioner’s Office, “Data Protection by Design and Default.”

[32] Id.

[33] Id.