Specialist services for Implementing Privacy by Design and Privacy by Default

The concepts of privacy by design and privacy by default promote compliance with data protection laws and regulations from the earliest stages of initiatives involving personal data. Originally introduced by the Information and Privacy Commissioner of Ontario, Canada, in the 1990s, privacy by design and privacy by default have in recent years been adopted by regulators around the world as essential components of privacy protection. Though they potentially put more strain on the conception and development of new initiatives, following privacy by design principles helps ensure full compliance with the data protection principles required by law (see our article on data protection principles). It leads to potential privacy issues being identified at an earlier and less costly stage and raises awareness of privacy and data protection matters throughout an organization. Under the EU Data Protection Directive (DPD), which the GDPR replaced on 25 May 2018, there was no specific requirement to implement privacy by design or privacy by default. Data controllers were required under the DPD to implement technical and organizational measures to protect data against unlawful processing, but this was effectively an afterthought, since it concerned data already being processed rather than the design of the processing itself.

Privacy by Default

Privacy by default means that the most privacy-protective settings apply without any action by the individual. In the original framework it rests on the following principles:

  • purpose specification - explaining to users how personal data is collected, processed, retained, and disclosed.
  • collection limitation - fair, lawful, and limited to that which is necessary (the same limitation applies to data processing, retention, and disclosure).
  • data minimization - non-identifiable interactions and transactions as the default. Wherever possible, the identifiability of personal information should be minimized.

Privacy by design under the GDPR

In choosing to include privacy by design and privacy by default as key principles in the GDPR, the legislator has acknowledged that privacy cannot be ensured by legislation alone, but must be a fundamental component of the design and maintenance of information systems and of the mode of operation of each organization. Article 25 of the GDPR codifies both concepts. Under this Article, a data controller is required to implement appropriate technical and organizational measures, both at the time the means of processing are determined and at the time of the processing itself, to ensure that data protection principles such as data minimization are met. Such privacy by design measures may include, for example, pseudonymization or other privacy-enhancing technologies. In addition, the data controller must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. In particular, Article 25(2) requires that personal data is not, by default, made accessible to an indefinite number of people without the individual's intervention. By way of practical example: when a user creates a social media profile, the privacy settings should, by default, be set to the most privacy-friendly values, and the user must actively choose to open the profile up. Setting up profiles to be public by default runs directly counter to this requirement.

Privacy by design in practice

The GDPR takes a flexible approach to privacy by design. This means that in implementing privacy by design a data controller must take into account the state of the art, the cost of implementation and the nature, scope, context, and purposes of processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing. Though this flexible approach gives data controllers the ability to calibrate their level of compliance to the privacy risks involved, it also creates uncertainty about the required level of compliance, and this takes on a degree of urgency given the statutory fines for breaching Article 25 of up to EUR 10,000,000, or up to 2% of annual worldwide turnover, whichever is higher. It is, therefore, important to assess privacy compliance regularly, for example by conducting Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs) and requires under Article 35 for high-risk processing. The UK Information Commissioner's Office (ICO) has issued a PIA code of practice, outlining the principles which form the basis for a PIA and giving practical guidelines for identifying and minimizing the privacy risks created by new projects or policies. This code of practice has been endorsed by the Dutch Data Protection Authority (Dutch DPA) among others. Integrating the PIA principles into a privacy by design approach can significantly reduce the organizational strain associated with privacy by design and also create more internal awareness of GDPR compliance.

What are the practical implications?

The explicit mention in the GDPR of the requirements of 'privacy by design' and 'privacy by default' means that businesses must implement internal processes and procedures to address these requirements. Some practical steps that may be advisable include:
  • implementing a privacy impact assessment template that the business can populate each time it designs, procures, or implements a new system;
  • revising standard contracts with data processors to set out how risk and liability for implementing the 'privacy by design' and 'privacy by default' requirements will be apportioned between the parties;
  • revisiting data collection forms/web-pages to ensure that excessive data is not collected;
  • having automated deletion processes for particular categories of personal data, for example technical measures that flag personal data for deletion once its retention period has expired.
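The following is an added example, written for this page and not taken from it or from any product, showing how three of the measures above (pseudonymization, default-private settings, and retention-driven automatic deletion) look as code. It uses a keyed hash (HMAC-SHA256) rather than a plain hash because direct identifiers such as MAC addresses come from a small enough space that an unkeyed hash can be reversed by brute force; the key is the "additional information" that Article 4(5) GDPR requires to be kept separately. The purposes, retention periods, setting names and the sample MAC addresses are all hypothetical, chosen only to make the example run offline.

```python
"""Privacy-by-default building blocks (added example, not from the page):
pseudonymised identifiers, purpose-bound collection, default-private
settings and retention-driven deletion."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier such as a MAC address.

    An unkeyed hash would not be a useful pseudonym: the MAC address space is
    small enough to brute-force, so anyone holding the hash could recover the
    address. Only a holder of the key can link a pseudonym back to a device.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Record:
    pseudonym: str
    purpose: str
    collected_at: datetime


class MinimalStore:
    """Stores only pseudonyms, only for a declared purpose, and only for as
    long as that purpose's retention period. Purposes and periods are
    hypothetical values chosen for the example."""

    RETENTION = {
        "footfall-analytics": timedelta(days=30),
        "customer-support": timedelta(days=90),
    }

    def __init__(self, key: bytes | None = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._records: list[Record] = []

    def collect(self, identifier: str, purpose: str, now: datetime) -> str:
        """Purpose specification and collection limitation: an identifier
        with no declared, known purpose is not stored at all."""
        if purpose not in self.RETENTION:
            raise ValueError(f"no retention policy for purpose {purpose!r}; not collecting")
        pseudonym = pseudonymise(identifier, self._key)
        self._records.append(Record(pseudonym, purpose, now))
        return pseudonym

    def rotate_key(self) -> None:
        """Rotating the key makes new pseudonyms unlinkable to old ones, so a
        device seen in one period cannot be matched to itself in the next."""
        self._key = secrets.token_bytes(32)

    def purge_expired(self, now: datetime) -> int:
        """Automated deletion: drop every record past its purpose's retention
        period. Returns the number deleted, e.g. for an audit log."""
        keep = [r for r in self._records
                if now - r.collected_at < self.RETENTION[r.purpose]]
        deleted = len(self._records) - len(keep)
        self._records = keep
        return deleted

    def count(self) -> int:
        return len(self._records)

    def stored_values(self) -> list[str]:
        """Everything the store holds; a raw identifier must never appear here."""
        return [r.pseudonym for r in self._records]


# Privacy by default for user-facing settings (Article 25(2)): every setting
# starts at its most restrictive value and only an explicit user choice opens
# it up. The setting names are hypothetical.
DEFAULT_PRIVATE_SETTINGS = {
    "profile_visibility": "private",
    "searchable_by_email": False,
    "share_with_partners": False,
}


def new_profile_settings(user_choices: dict | None = None) -> dict:
    """Start from the most private defaults and apply only explicit choices.
    Unknown keys are rejected rather than silently enabled."""
    settings = dict(DEFAULT_PRIVATE_SETTINGS)
    for key, value in (user_choices or {}).items():
        if key not in settings:
            raise KeyError(f"unknown privacy setting {key!r}")
        settings[key] = value
    return settings


if __name__ == "__main__":
    # Constructed sample input: two devices seen by a shop-front sensor.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = MinimalStore()
    store.collect("aa:bb:cc:dd:ee:ff", "footfall-analytics", t0)
    store.collect("11:22:33:44:55:66", "customer-support", t0)
    print("deleted after 31 days:", store.purge_expired(t0 + timedelta(days=31)))
    print("default settings:", new_profile_settings())
```

The design choices map onto the principles discussed above: `collect` refuses data with no declared purpose (purpose specification), nothing but a keyed pseudonym is ever written (data minimization), `rotate_key` caps how long any device stays linkable even before its records expire, and `purge_expired` is the automated deletion step that a scheduler would run periodically. In production the key would live in a secrets manager or HSM, separate from the record store.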

Who we help

  • Tech companies and Startups
  • SaaS Vendors
  • Marketing companies
  • AI and Blockchain
  • Financial services companies

Current developments

Although the concept of privacy by design was not present in the DPD, national regulators were already actively pursuing its adoption and enforcement before the GDPR applied. The Dutch DPA, for example, imposed an order subject to a penalty on Bluetrace, a company supplying Wi-Fi tracking technology to track mobile devices in and around stores. The Bluetrace technology collected and stored personal data, including the MAC address of each mobile device within its Wi-Fi range, but in doing so could not distinguish between customers' mobile devices inside a particular store and the devices of passers-by outside it. As a result, the MAC address of every mobile device in reach, whether or not it belonged to a store customer, was in principle stored for an indefinite period and without the data subject being informed. According to the Dutch DPA, Bluetrace was in breach of several data protection principles, including data minimization, data retention, and its information obligations to data subjects. Adhering to privacy by design from the outset would likely have led Bluetrace to identify these risks at a much earlier and less costly stage in the development of the technology, and would probably have avoided DPA enforcement.