The new GDPR and its new regulations: Privacy by design

Starting with May 2018, a new regulation on data protection will come into force and replace the current Data Protection Directive (95/46/EC). One change that comes with the new regulation is the requirement for data protection by design and by default. This can help reduce the risks identified in each stage of the development of the products and services. Now, the principles of privacy by design and privacy by default are not explicitly required by the DPD. However, the Directive did call in article 17 for the need of appropriate technical and organisational measures taken by the controller, which are the core of the principles.

What is privacy by design and how is it regulated by the GDPR?

Privacy by design is a concept founded by Ann Cavoukian which states that privacy should be incorporated in the design of ICT from the outset and not as an afterthought. According to its founder, the principles on which Privacy by Design is founded are the following: proactive, not reactive, preventative, not remedial; privacy by default; privacy embedded into design; full functionality; end-to-end security; visibility and transparency; respect for user privacy. Besides being one of these principles, privacy by default can also be understood as a separate concept which refers to the default settings that protect the individual from the start, as opposed to privacy as the default setting, how Cavoukian sees it.

Although the concept refers to privacy, the new General Data Protection Regulation (GDPR) introduces data protection by design, since the target of the regulation is data protection, not privacy. The difference is that privacy points out the relation between the individual and the collective, regardless if it is the state or other people. On the other hand, data protection is considered a tool which can be used to protect the individual against abuses on his privacy.

The GDPR provides the obligation to comply with the principles of privacy by design and privacy by default in recital (78). The recital requires that the producers of the products, services and applications to be encouraged to take into account the two principles to make sure that the controllers and processors are able to fulfill their obligations. According to article 25, the controller is the one that has to take the measures in order to comply with the regulation when he determines the means for processing and while the processing is taking place.

Therefore, in order to protect the rights and freedoms of the natural persons, the controller of the data has to take appropriate technical and organisational measures, such as:

– minimising the processing of personal data
– pseudonymising personal data
– Transparency with regard to the functions and processing of personal data
– Enabling the data subject to monitor the data processing
– Enabling the controller to create and improve security features

The problems that are bound to appear relate to the identification of the liable controller in the case of an advanced device which implies multiple controllers and processors. Additionally, considering the fact that there is no obligation mentioned for the producer of the product, service or application in article 25, what will happen when the producer of a certain service is encouraged to implement privacy by design, but he fails to do so, resulting in the inability of the controller to comply with the regulation? Since it is not clear yet, the jurisprudence will decide on a case by case basis how the principles will evolve.