Privacy-by-Design and Privacy-by-Default

Privacy-by-design and privacy-by-default are two cornerstone concepts of data protection regulatory frameworks. Thus, compliance thereof is an essential legal prerequisite for any entity which is involved in the collection, storage and processing of user's personal data. The foregoing approaches to data privacy have been codified under the General Data Protection Regulations, 2018 (the “GDPR”) and their influence is reflected in other data protection legislations around the globe as well.

What is Privacy-by-Design?

The privacy-by-design approach enables organizations to proactively manage and avoid privacy risks. To this end, the privacy-by-design framework requires an organization to contemplate data privacy issues at the design stage of any system, service, product or process, and then throughout the lifecycle.

In light of the foregoing assessment, organizations should incorporate such appropriate technical and organizational measures in accordance with the nature of processing being undertaken, which are designed to identify any privacy risks to individuals and mitigate those risks, as well as implement data protection principles, and protect the rights of data subjects.¹

The privacy-by-design framework requires that privacy safeguards are organically integrated into the operational phase of all activities and processing, rather than grafted on as an afterthought as a result of a security incident or a personal data breach, thus ensuring data privacy protections throughout the life cycle of a project or system.²

To comply with the privacy-by-design framework, organizations may adopt data-oriented or process-oriented strategies. ³  The data-oriented strategies are technical in nature and focus on privacy-friendly processing of data.⁴  These strategies focus on minimizing data processing to the extent possible, limiting the detail in which personal data is processed, and encrypting the data so it is not accessible to the public without authorization.⁵

The process-oriented strategies, on the other hand, cater to the processes involved in the processing of personal data, and constitute informing data subjects of the processing of their personal data in a timely and adequate manner. Process-oriented strategies focus on providing data subjects with adequate control over the processing of their personal data, and committing to, and enforcing the processing of personal data in a privacy-oriented manner and demonstrating the same.⁶

In order to successfully implement the privacy-by-design approach, organizations must ensure the following measures at minimum:

• conduct a privacy risk assessment;
• ensure appropriate security controls (including pseudonymisation and encryption) depending on the nature of personal data and risks posed to the rights of individuals and implement data protection principles effectively;
• provide clear and comprehensive information to data subjects regarding the processing of their personal data, facilitate data subjects' rights fulfillment, and enable individuals to monitor the processing;
• minimize the processing of personal data, and ensure that the collection / processing of personal data only happens pursuant to permitted lawful grounds; and
• implement strict internal and external access restrictions as per applicable privacy laws.

What is Privacy-by-Default?

The privacy-by-default approach requires organizations to implement the strictest available privacy-oriented settings by default.⁷  This is done to ensure data minimization, i.e., only such processing is carried out which is considered to be strictly necessary to achieve specified and lawful purposes.⁸  For this purpose, relevant, adequate and necessary data for a specific processing purpose should be specified from the off-set and the data subjects should be adequately informed.

To ensure compliance with privacy-by-default, organizations should also adhere to the data protection principle of 'purpose limitation,'⁹  which mandates that an organization should only collect and process such data which are relevant, adequate, and limited to specified, explicit and legitimate purposes, and not further perform any processing activities which are incompatible with the foregoing purposes.¹⁰

An example of the privacy-by-default approach in action would be that a social media platform may, by default, limit the accessibility of a user's profile to an indefinite number of persons.¹¹

In order to successfully implement the privacy-by-default approach, organizations must ensure the following measures at minimum:

• strictest privacy options must be enabled by default (opt-in consent mechanism by default - unchecked consent boxes);
• not process any additional data without the consent of users or having another lawful basis;
• data retention periods should be reasonable and proportionate to the purposes of the processing;
• automatically delete or anonymize personal data once the purpose of the processing has been fulfilled;
• provide users with sufficient control and transparency in relation to data processing activities and present them with clear and comprehensive information;
• avoid the use of dark patterns while obtaining consent from users such as unequally prominent 'accept or reject' choices on cookie banners with the “accept” buttons being more visually prominent, or by providing misleading or deceptive information to users;
• avoid the use of cookie walls or making access to the website service conditional on user's acceptance to data processing or cookies; and
• ensure personal data is not automatically made publicly available.

7 Foundation Principles

The fundamental principles underpinning the privacy-by-design and privacy-by-default approaches are specified in the '7 Foundational Principles' ¹² of privacy-by-design, as developed by the Information and Privacy Commissioner of Ontario in 2009.¹³

These principles should serve as the bedrock of any policy, product, or system an organization may develop in relation to data privacy.

1. 'Proactive not reactive; preventative not remedial'

An organization should take proactive measures to ensure the privacy of users' data and not merely act post-facto, that is, upon the occurrence of breaches or other privacy issues.

2. 'Privacy as the default setting'

Any system, service, product, or business practice should have privacy-friendly options as the default setting, and users should not have to make any additional interventions to protect their data.

3. 'Privacy embedded into design'

The design of all systems, services, products and business practices should be such that all applicable privacy requirements are catered and adhered to.

4. 'Full functionality – positive sum, not zero sum'

No trade-offs should be made in relation to protecting the rights of data subjects, and any false dichotomies such as privacy or security should be avoided. All systems and products should have full functionality while complying with all legitimate objectives under the data protection framework.

5. 'End-to-end security – full lifecycle protection'

Appropriate privacy measures should be incorporated in a system's design before the collection of data, and the same should extend securely throughout the lifecycle of data, thus ensuring that data is securely collected, retained, and destroyed in a timely manner.

6. 'Visibility and transparency – keep it open'

All components of any business practice or technology that may be utilized in relation to the collection, storage and processing of users' data, should remain visible and transparent to all stakeholders.

7. 'Respect for user privacy – keep it user-centric'

All systems and processes should keep the privacy of users in paramount consideration, offer privacy defaults, provide users with appropriate and timely notices, and ensure that the data subject rights are fulfilled.

Codification under the GDPR

Article 25 of the GDPR  codifies the principles of data protection by design and by default. It requires all data controllers to implement appropriate technical and organizational measures for the effective implementation of data protection principles and integration of necessary safeguards into the processing of data.¹⁴  Having adequate security measures is necessary for complying with the applicable legal requirements and protecting the rights of data subjects.¹⁵

While identifying appropriate technical and organizational measures, organizations should take into account the available technological tools and best organizational practices, cost-friendly options (where available), the backdrop of the processing activity such as the nature, scope, context and purposes of processing, and the risks posed to the rights of the data subject, so appropriate measures can be identified to mitigate the same.¹⁶  In accordance with Article 25, the data controller should identify such measures at the time of determining the means and method of processing, so as to ensure that effective solutions are incorporated at the design phase of a particular product or system.¹⁷ 

Furthermore, once the processing starts, the data controller has a continued obligation to monitor the potential changes in the nature, scope or context of the processing, or the risks posed to the data subjects, so as to ensure the continued effective implementation of data protection principles in order to protect the rights of the data subjects.¹⁸

Article 25 further mandates that as part of the privacy-by-default approach, organizations should, by default, ensure that only personal data, which are requisite for each specific purpose of the processing, are collected, stored, processed, and made accessible. The term 'by default' refers to making choices regarding configuration values or processing options that are prescribed in a processing system.¹⁹

Under Article 25, the controller is responsible for implementing such default processing settings which limit the processing to that which is necessary for specified purposes,  as pre-determined by the controller.²⁰  In determining the appropriate technical and organizational measures for the implementation of the privacy-by-default approach, organizations should take into account the same factors as applicable for the privacy-by-design approach, but focus their application towards achieving data minimization and purpose limitation.²¹

Article 25 concludes that approved certification mechanisms, as allowed under the GDPR, may be used to demonstrate compliance with the privacy-by-design and privacy-by-default requirements. It is worth noting that while Article 25 only refers to data controllers, it is essential that an organization chooses data processors that provide sufficient guarantees to comply with the requirements of the GDPR, including privacy-by-design and privacy-by-default. This requirement stems under Article 28 of the GDPR, which mandates a controller to only use those processors that provide sufficient guarantees of implementing appropriate technical and organizational measures, to ensure that any processing activities are compliant with the requirements of the GDPR. It further follows that any sub-processor engaged by the processor should also remain compliant with the foregoing requirements.²²

Furthermore, as per Recital 78 of the GDPR, organizations that are developing, designing, selecting and using applications, services and products that are based on the processing of personal data are encouraged to take into account data protection in consideration, and implement privacy-by-design and privacy-by-default. As a natural corollary, in order to fulfill their data protection obligations, controllers should also select and use those applications, services and products in relation to data processing activities, which incorporate privacy-by-design and privacy-by-default requirements.

It is important to note that whilst deciding whether to impose an administrative fine and deciding on the amount of the administrative fine under the GDPR, due regard is required to be given to the degree of responsibility of the controller or processor, taking into account technical and organizational measures implemented by them pursuant to Article 25. Moreover, if a controller or processor fails to comply with the obligations imposed by Article 25, they are liable to administrative fines up to 10,000,000 EUR, or in the case of an organization, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Privacy Impact Assessment (“PIA”) and Data Protection Impact Assessment (“DPIA”)

In order to comply with the privacy by design and privacy by default requirements, organizations may conduct PIAs and DPIAs to identify, analyze and mitigate any privacy and data protection risks associated with their processing activities during the design stage and preempt any foreseeable harms to the privacy of the users or the public at large.²³

Such assessments also help organizations in determining the appropriate technical and organizational measures required to ensure legal and regulatory compliance and allow them to embed these controls.²⁴  In certain instances, conducting a DPIA may also be a legal requirement. For example, as per Article 35 of the GDPR, a DPIA is considered to be mandatory where the proposed processing activities are likely to result in a “high risk” to the rights of individuals, processing of special categories of data on a large scale, processing of data relating to criminal offenses or convictions on a large scale, systematic monitoring of publicly accessible area on a large scale, or in the case of use of new technologies.

Conclusion

Privacy-by-design and privacy-by-default approaches are two integral aspects of data privacy frameworks. Therefore, it is imperative for organizations to implement effective measures which enable them to comply with their legal obligations. These measures should first be incorporated at the time of design of any system, and thereafter woven throughout its lifecycle to ensure that the users' data is protected, and their rights are not violated. Further, organizations should conform their data processing activities to a 'privacy first' approach, while minimizing and mitigating the risks posed to data subjects and granting them sufficient autonomy and controls.

1. European Data Protection Board, ‘Guidelines 4/2019 on Article 25 - Data Protection by Design and by Default’ v 2.0 (20 October 2020) 6 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf accessed 19 October 2022.

2. European Data Protection Supervisor, ‘Preliminary Opinion on privacy by design – Opinion 5/2018’ https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf accessed 15 October 2022.

3. Jaap-Henk Hoepman, ‘Privacy Design Strategies (The Little Blue Book)’ (19 April 2022) 3 https://www.cs.ru.nl/~jhh/publications/pds-booklet.pdf accessed 20 October 2022.

4. Ibid.

5. Ibid.

6. Ibid.

7. (n 1) 11.

8. Ibid.

9. Information Commissioner’s Office, ‘Data protection by design and default’ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/ accessed 13 October 2022.

10. General Data Protection Regulations, 2018, Article 5(b) and (c).

11. European Commission, ‘What does data protection ‘by design’ and ‘by default’ mean?’ https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en accessed 13 October 2022.

12. Ann Cavoukian, ‘Privacy by Design – The 7 foundational Principles’ (Information and Privacy Commissioner of Ontario, 2009) https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf accessed 13 October 2022.

13. (n 9)

14. (n 1) 6-7.

15. Ibid.

16. Ibid, 7-10.

17. Ibid, 10.

18. Ibid, 10-1.

19. Ibid, 11.

20. Ibid.

21. Ibid, 12.

22. (n 9); General Data Protection Regulations, 2018, Recital 78.

23. (n 9).

24. Ibid.