Data protection by design and default – the EU perspective

The most influential guidance on data protection by design and default (DPDD) comes from the European Data Protection Board, the EDPB. As we discussed here, the UK's ICO has published separate guidance but the approach to additional guidance varies across the EU as you can see from the examples below.

EDPB draft guidance

The EDPB published draft guidance for consultation on DPDD in November 2019. In most cases, there are few changes between draft and confirmed guidance and we don't anticipate significant differences in the final version.

The EDPB guidance is more detailed than the UK ICO's which cross refers to it, although it is not necessarily easier to digest. It focuses initially on how to interpret the wording of the DPDD requirements – in particular, on the factors which need to be taken into account when assessing what constitute appropriate technical and organisational measures, necessary safeguards and their effectiveness. This is useful background information; for example, it helps to know that when assessing the 'cost of implementation', you should consider resources in general rather than simply financial cost or economic advantage.

More practical suggestions come in the second half of the guidance, which provides suggestions of key design and default elements in relation to each of the data protection principles. As the point of the design and default requirement is to help implement the data protection principles effectively, the suggestions are useful, not least in terms of accountability. They can help demonstrate that particular design and default measures have been instituted in order to implement particular principles rather than having been applied in a generic way – a requirement which is emphasised in the guidance.

An interesting focus of the EDPB guidance is the emphasis it places on the role of processors and technology providers. The DPDD obligations under the GDPR are placed on controllers and the EDPB guidance is written primarily but not exclusively for them. The ICO reminds controllers in its guidance that controllers are required to select processors which provide sufficient guarantees to meet GDPR requirements including DPDD, and Recital 78 touches on the issue of processors, but the EDPB guidance places a greater emphasis on the role of processors and technology providers in the recommendations it makes at the end of the guidance.

It recognises them as distinct from controllers and says they are "key enablers" for DPDD, particularly with regard to 'state of the art' of technology. This really underlines the symbiotic role between controllers and processors and technology providers when developing design and default measures. The EDPB stresses the competitive advantage technology providers and processors can gain by ensuring they not only implement DPDD themselves, but can advise controllers on how best to do so.

What are other EU regulators saying about DPDD?

For many regulators, the EDPB guidance is seen as sufficient and there are no plans to produce further guidance but others are more proactive on the issue as you can see from the examples below. Possibly the ICO has taken a more holistic approach to its guidance given Brexit.

France

The French data protection authority (CNIL) regularly looks at DPDD. Two recent publications from the CNIL and its think tank LINC are worth noting.

The first of these, an April 2019 LINC report Shaping Choices in the Digital World, provides a thorough reflection on privacy by design and by default, including from a psychological and ethical standpoint. It also contains a non-exhaustive typology of potentially deceptive design practices classified in four categories:

• Pushing the individual to accept sharing more than what is strictly necessary: includes using customisation and the promise of improved user experience to encourage the user to share more data, and default sharing (ie pre-checking information sharing options).
• Influencing consent: includes seeking consent for the collection of data at a specific moment where we know that the individual is vulnerable and may be in a hurry or impatient to complete a process, and sending a "wrong signal" (eg adding a padlock to an interface which is not secure to give a false impression of the level of security).
• Creating friction on data protection actions: includes blocking access to a service by using a cookie wall or requiring unnecessary account creation, and making it complicated to adjust privacy settings.
• Diverting the individual: includes "camouflage advertising" where advertising is disguised as another type of content or element of the interface, in the hope that the user clicks without realising they are clicking on an advert.

Read more about dark patterns here.

The second publication, recently published by CNIL, is a practical guide for developers intended to help them ensure GDPR compliance throughout their design process, from design preparation to analytics (only available in French for the moment). The guide explains GDPR core principles and obligations and covers elements of DPDD. Where appropriate, links to other useful publications are provided for a more in-depth analysis of specific topics including CNIL guidelines on security measures, DPIAs and cookies.

The LINC also launched the Data and Design website to "federate designers who want to integrate the protection of personal data and freedom in their interfaces, services and products". The website contains practical examples on how to implement DPDD around the three key concepts of information, consent and exercise of rights, as well as case studies. The website also features a community enabling anyone interested to discuss their own experiences, and propose alternative UX and UI to build user journeys that respects privacy.

Germany

The German regulators in contrast provide very limited if any guidance on compliance with DPDD. They did, however, recently introduce a so-called standard data protection model to support risk assessments and selection of measures required by the GDPR, including those under Article 25. Controllers can use the model to help with planning, implementation and operation of processing activities.

The model serves as a tool to ensure compliance by laying out the different steps (analysing the processing operations and the level of necessary protection, defining measures, assessing these measures) without providing guidance on the implementation of specific measures. Explicit recommendations on DPDD are limited to few instances, for example, ensuring "unlinkability" of data by separating domains or providing data subjects with greater control through opt-out options.

While there may not be much guidance from German regulators on how to comply with Article 25, the Berlin regulator took failure to implement it into account when it fined Deutsche Wohnen EUR 14.5m in October 2019. The decision itself has not been published but based on the available information, the authority had conducted an onsite audit, during which it found that the business used an archiving system that did not allow for data deletion. As a consequence, tenant data was retained, regardless of whether or not there was a legal basis to do so. The regulator found that the use of the archiving system violated the principle of data protection by design under Article 25 GDPR as it prevented compliance with the obligation of timely data deletion. The regulator described the system as having a "structural violation".

Austria & Netherlands

Some regulators have said even less on DPDD. The Austrian regulator (the DSB) tends not to provide detailed GDPR guidance. While it has published general Guidelines including Q&As, these don't deal with DPDD and nor is there relevant case law to date. The Netherlands regulator has produced guidance on other subjects but not so far on DPDD.

Enforcement

Enforcement action in respect of Article 25 compliance tends to be bound up with compliance with the data protection principles in general and with a failure to take sufficient organisational and technical measures, for example, with regard to security. Failure to comply with DPDD has been cited in a number of enforcement actions, including the Deutsche Wohnen case (subject to appeal). Cases in Romania and Greece have also featured enforcement around Article 25 and when the CNIL fined Google EUR 50m last year, the design of its user interface was clearly a factor in the decision.

What does this mean?

Essentially, DPDD is a vital part of GDPR compliance. Getting it right can give you a competitive advantage and help demonstrate accountability. Getting it wrong can, conversely, lead to adverse publicity and sanctions from regulators.

Contributors: Debbie Heywood, Wiebke Reuter, Marc Schuler, Andreas Schütz and Otto Sleeking.