
Privacy by Design

In document Privacy by Design (pages 37-42)

Privacy by Design (PbD) is a concept developed by Dr. Ann Cavoukian, the then Information and Privacy Commissioner of Ontario, Canada, in the mid-nineties, when she documented the 7 Foundational Principles [FOU]. PbD began to be acknowledged by data protection professionals and regulatory bodies in North America and beyond.

In October 2010, PbD was unanimously adopted as an international privacy standard at the International Conference of Data Protection and Privacy Commissioners in Jerusalem. PbD is included in the U.S. Commercial Privacy Bill of Rights Act. It has now been included in the GDPR of the EU and accepted by data protection commissioners worldwide as a concept that will ensure adequate privacy protection in a world of constantly evolving IT systems with the capacity to collect and process massive amounts of data.

PbD aims to embed privacy into the design of systems or products right from the start of their development and throughout their lifecycle, including the use of the system. The aim is to protect personal data in every phase of its lifecycle: collection, processing, disclosure, storage and disposal. The PbD framework can be applied not only in IT, but also in business practices and networked infrastructure.

Integrating data protection safeguards into processing is part of the description given to the concept of data protection by design in the GDPR. Actualising PbD involves the use of both technical and organisational measures.

Jeroen Van Rest et al. defined PbD extensively in [vRBE+12]:

“The principle of ‘Privacy by Design’ envisions that privacy and data protective measures are operative throughout the entire life cycle of technologies: from the early design stage to their deployment, use and ultimate disposal. This is done by applying a design process that covers all life cycle stages and by applying privacy and data protection design patterns which are well understood and are the known best-practice for the particular purpose they are used for, and domain they are used in. The resulting design documents and systems should limit all the privacy invading activities to the minimum according to the foundational principles of privacy by design.”

3.3.1 Data Protection by Design and by Default

The GDPR mentions data protection by design and data protection by default.

The principle of privacy/data protection by design revolves around engineering privacy features from the beginning into the design of systems, instead of doing this at a later stage.

The principle of privacy/data protection by default means that the default state of a system, business practice or networked infrastructure protects a data subject from a privacy breach. The user or data subject should not need to carry out any actions to turn on privacy.

Article 20 of the GDPR describes data protection by design and by default. However, the concept of PbD covers both principles.

3.3.2 Foundational Principles of PbD

Often, when privacy is implemented into systems at the end of their development cycle, there is a trade-off between adding some functionality to the system and adding some privacy feature. PbD seeks to eliminate such trade-offs, yielding a win-win situation. This is one of the 7 foundational principles of PbD created by Ann Cavoukian. These principles were only meant to serve as a reference framework; they were not detailed enough to allow direct application or engineering into systems.

This meant there was still a long way to go in making these principles operational in the development lifecycles of systems. The 7 foundational principles are described by Ann Cavoukian as follows [FOU]:

1. Proactive not Reactive; Preventative not Remedial

The Privacy by Design approach is characterised by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialise, nor does it offer remedies for resolving privacy infractions once they have occurred; it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

2. Privacy as the Default

We can all be certain of one thing: the default rules! Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy; it is built into the system, by default.

3. Privacy Embedded into Design

Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.

4. Full Functionality – Positive-Sum, not Zero-Sum

Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.

5. End-to-End Security – Lifecycle Protection

Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.

6. Visibility and Transparency

Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to both users and providers alike. Remember, trust but verify!

7. Respect for User Privacy

Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!

Cavoukian also mapped each foundational principle to the related Fair Information Practices.

3.3.3 PbD in the EU GDPR

Article 20(1) of the GDPR dictates the embedding of appropriate technical and organisational measures, such as pseudonymisation and data minimisation, and other data protection principles into processing. It also encourages processing personal data based on the principle of purpose limitation.

Article 20(2) reads: “Member States shall provide for the controller to implement appropriate technical and organisational measures ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”.

A Data Protection/Privacy Impact Assessment is also made mandatory for controllers in situations “where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing is likely to result in a high risk to the rights and freedoms of natural persons” [EUR].

PIAs will be needed to detect and analyse privacy risks, propose privacy solutions and demonstrate compliance with the privacy regulations.

Consent as stated in the GDPR must be explicit, and a request for consent to a data subject must be clearly stated to allow for lawful processing. The data subject should also be able to withdraw consent to the processing of the data subject’s personal data at any given time. The GDPR clarifies that if a particular processing has different purposes, consent should be given by the data subject for each individual purpose. In the same vein, notification and awareness should be clear and in plain language. A notification cannot be hidden among other information.

Notification of data breach should also be in clear and plain language. Recital 39 of the regulation states that “In order to enable him or her to exercise his or her rights, any information to the data subject should be easily accessible, including on the website of the controller, and easy to understand, using clear and plain language” [EUR].

