
Privacy by design and default

November 2016

The concepts of privacy by design and privacy by default promote compliance with data protection law from the earliest stages of any initiative involving personal data. Originally developed in the 1990s by the Information and Privacy Commissioner of Ontario, Canada, they have in recent years been adopted by regulators around the world as essential components of privacy protection.

Although privacy by design adds effort during the conception and development of new initiatives, following its principles is a means of ensuring compliance with the data protection principles required by law (see our article on data protection principles). It allows potential privacy issues to be identified at an earlier and less costly stage, and raises awareness of privacy and data protection matters throughout an organisation.

The current EU Data Protection Directive (DPD) contains no specific requirement to implement privacy by design or privacy by default. Data controllers are required under the DPD to implement technical and organisational measures to protect data against unlawful processing, but that obligation is framed as a security measure applying to processing that is already taking place, not as a requirement to build privacy into the design of the processing itself.

Privacy by design under the GDPR

In choosing to include privacy by design and privacy by default as key principles in the GDPR, the legislator has acknowledged that privacy cannot be ensured only by means of legislation, but that it should be a fundamental component in the design and maintenance of information systems and mode of operation for each organisation.

Article 25 of the GDPR, headed "Data protection by design and by default", codifies both concepts. Under this Article a data controller is required to implement appropriate technical and organisational measures both at the time of determining the means for processing and at the time of the processing itself, in order to ensure that data protection principles such as data minimisation are met. Such measures may include, for example, pseudonymisation or other privacy-enhancing technologies.

In addition, the data controller must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. In particular, such measures must ensure that personal data is not, by default, made accessible to an indefinite number of people without the individual's intervention. As a practical example: when a user creates a social media profile, the privacy settings should by default be set to the most privacy-friendly option. Setting up profiles to be public by default is no longer allowed under the GDPR.

Privacy by design in practice

The GDPR takes a flexible approach to privacy by design. This means that in implementing privacy by design a data controller needs to take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the likelihood and severity of risks to the rights and freedoms of natural persons posed by the processing of their personal data.

Though this flexible approach gives data controllers the ability to calibrate their measures to the privacy risks involved, it also gives rise to uncertainty as to the required level of compliance. This uncertainty takes on a degree of urgency given the statutory fines for breaching Article 25 of up to EUR 10,000,000 or up to 2% of total worldwide annual turnover, whichever is higher. It is therefore important to assess privacy compliance regularly, for example by conducting Privacy Impact Assessments (PIAs), which the GDPR formalises as Data Protection Impact Assessments under Article 35.

The UK Information Commissioner’s Office (ICO) has issued a PIA code of practice, outlining the principles which form the basis for a PIA and giving practical guidelines for identifying and minimising privacy risks created by new projects or policies. This code of practice has been endorsed by the Dutch Data Protection Authority (Dutch DPA) among others. Integrating the PIA principles into a privacy by design approach may significantly reduce the organisational strain associated with privacy by design and also create more internal awareness around GDPR compliance.

Current developments in the Netherlands

Although the concept of privacy by design is not present in the DPD, national regulators are already actively pursuing its adoption and enforcement. The Dutch DPA, for example, recently imposed an order subject to a penalty on Bluetrace, a company supplying Wi-Fi-tracking technology in order to track mobile devices in and around stores.

The Bluetrace technology collected and stored personal data, including the MAC address of every mobile device within its Wi-Fi range, but could not distinguish between the devices of customers inside a particular store and those of passers-by outside it. As a result, the MAC address of every device in reach, whether or not it belonged to a store customer, was in principle stored for an indefinite period and without the data subject being informed. According to the Dutch DPA, Bluetrace was in breach of a number of data protection principles, including data minimisation and storage limitation, as well as its information obligations towards data subjects.

Adhering to the concept of privacy by design from the outset would likely have resulted in Bluetrace identifying the risks at a much earlier and less costly stage in the development of the technology, and would probably have avoided DPA enforcement.
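The following is an added example, not code from the original article and not Bluetrace's own system, sketching what the three failures identified above (no distinction between customers and passers-by, raw MAC addresses, indefinite retention) look like when they are designed out rather than patched later. It assumes a signal-strength threshold of -65 dBm as a crude proxy for "inside the store", a 24-hour retention period, and a keyed, daily-rotating HMAC as the pseudonymisation step; all three values and the sample observations are constructed for illustration.

```python
"""Privacy-by-design sketch for a retail Wi-Fi tracker (constructed example, not Bluetrace's code)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

# Assumed policy values for this example; a real deployment would calibrate them per site.
IN_STORE_RSSI_DBM = -65          # weaker signals are treated as passers-by and never stored
RETENTION = timedelta(hours=24)  # observations older than this are purged
PSEUDONYM_BYTES = 8              # truncated HMAC output is enough to count repeat visits

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-..' and 'aa:bb:..' pseudonymise identically."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def daily_key(master_key: bytes, day: date) -> bytes:
    """Derive a per-day key so the same device gets unlinkable pseudonyms on different days."""
    return hmac.new(master_key, day.isoformat().encode(), hashlib.sha256).digest()


def pseudonymise_mac(mac: str, master_key: bytes, observed_at: datetime) -> str:
    """Keyed HMAC of the MAC; a plain unkeyed hash would be brute-forceable over the MAC space."""
    key = daily_key(master_key, observed_at.date())
    digest = hmac.new(key, normalise_mac(mac).encode(), hashlib.sha256).digest()
    return digest[:PSEUDONYM_BYTES].hex()


@dataclass
class Observation:
    pseudonym: str
    seen_at: datetime


@dataclass
class TrackingStore:
    master_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    observations: list = field(default_factory=list)
    dropped: int = 0

    def record(self, mac: str, rssi_dbm: int, seen_at: datetime) -> bool:
        """Data minimisation: decide before storing anything; passers-by are dropped outright."""
        if rssi_dbm < IN_STORE_RSSI_DBM:
            self.dropped += 1
            return False
        pseudonym = pseudonymise_mac(mac, self.master_key, seen_at)
        self.observations.append(Observation(pseudonym, seen_at))
        return True

    def purge(self, now: datetime) -> int:
        """Storage limitation: remove everything older than RETENTION; returns count removed."""
        cutoff = now - RETENTION
        before = len(self.observations)
        self.observations = [o for o in self.observations if o.seen_at >= cutoff]
        return before - len(self.observations)

    def distinct_visitors(self) -> int:
        return len({o.pseudonym for o in self.observations})


# Constructed sample data: a fixed key and five sightings over two days.
DEMO_KEY = bytes.fromhex("00" * 32)  # deterministic for the demo only; use secrets.token_bytes in practice
T0 = datetime(2016, 11, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("AA:BB:CC:DD:EE:01", -50, T0),                                 # customer inside, day 1
    ("AA:BB:CC:DD:EE:01", -48, T0 + timedelta(minutes=5)),          # same customer, minutes later
    ("AA:BB:CC:DD:EE:02", -80, T0 + timedelta(minutes=1)),          # passer-by on the pavement: dropped
    ("aa-bb-cc-dd-ee-03", -60, T0 + timedelta(hours=2)),            # customer, different MAC notation
    ("AA:BB:CC:DD:EE:01", -52, T0 + timedelta(days=1, hours=1)),    # first customer returns on day 2
]


def run_demo() -> dict:
    """Run the sample through the store and report what was kept, dropped, and purged."""
    store = TrackingStore(master_key=DEMO_KEY)
    for mac, rssi, seen_at in SAMPLE:
        store.record(mac, rssi, seen_at)
    recorded = len(store.observations)
    distinct = store.distinct_visitors()          # day-2 return is a new pseudonym: 3, not 2
    purged = store.purge(T0 + timedelta(days=1, hours=3))  # cutoff lands after all day-1 sightings
    return {
        "recorded": recorded,
        "dropped": store.dropped,
        "distinct_visitors": distinct,
        "purged": purged,
        "remaining": len(store.observations),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points are worth spelling out. First, hashing a MAC address without a secret key is not meaningful pseudonymisation: the address space is at most 2^48 values and in practice far smaller once manufacturer prefixes are taken into account, so an unkeyed hash can be inverted by brute force; the keyed HMAC with a rotating key is what prevents re-identification and cross-day linking while still allowing same-day repeat visits to be counted. Second, the signal-strength cut-off is a deliberately rough proxy for "inside the store" and would need per-site calibration; the point the example makes is architectural rather than radio engineering: the decision to discard a passer-by is taken before any data is written, so there is nothing to retain, inform about, or delete later.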

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Frederick Leentfaar


Frederick looks at the formalisation of the concepts of privacy by design and default under the GDPR.
