İlayda Anaç

Legal Intern

Data Protection By Design And By Default

In paralel with the fast-growing development in technology, the need for adapting technological developments to legal requirements is also increasing day by day. In this context, some of the existing concepts and notions are likely to become more important. Similarly, the concepts of "data protection by design" and "data protection by default" (or commonly used as "privacy by design" and "privacy by default") which have been used in the field of data protection law for a long time, have become more of an issue in recent years with excessive integration of data protection and technology.

I.Privacy by Design

The concept of privacy by design, which has initially been developed in late nineties by Ann Cavoukian, information and privacy commissioner of Ontario, basicly means the act of taking into account data protection rules at the very beginning of an application, service or products's design and architectural studies and developing the application, service or product with this vision.

Privacy of design is regulated under the Article 251 of General Data Protection Regulation ("GDPR") and set forth as an obligation for the data controller by emphasizing the principles of data protection. Accordingly,

"the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."

Privacy by design is based on seven (7) foundational principles which have been set forth by Ann Cavoukian and used globally eversince.2 The principles are as listed and summarized below:

i.Proactive not reactive; preventive not remedial

It should be aimed to predict the architectural or technical data protection problems that may arise during the use of a service/product and prevent them from occurring.

ii.Privacy as the default

It should be ensured that the default settings of a service/product are compatible with the data protection rules. Thereby, the users' privacy should be protected even when he/she does not take any action hereof.

iii.Privacy embedded into design

Confidentiality should be integrated into every stage of information systems and workflows.

iv.Full functionality

The user should not be obliged to give up some issues in terms of efficiency, data security or aesthetic taste in order to ensure the privacy factor and the user should be ensured to benefit from other issues at the highest level.

v.End-to-end security

Data must be secured throughout the entire life cycle, from the moment of collection to the moment of destruction.

vi.Visibility and transparency

The data processing action should be transparent at every stage, the users should be informed and accounted for these processing actions where necessary.

vii.Respect for user privacy

A user-oriented approach should be adopted when designing applications/products.

II.Privacy by Default

As briefly mentioned above, the concept of privacy by default means ensuring that the strictest privacy settings will apply by default to a product or service, without any manual input from the user. In addition, according to the consept of privacy by default, any personal data provided by the user to enable a product's optimal use should only be kept for the amount of time necessary to provide the product or service. The obligation of privacy by default of the data controller is also set forth under Article 25 of GDPR by emphasizing the principle of data minimisation.

Accordingly, "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

h2>III.The Breach of Privacy by Default and Privacy by Design Obligations

Since the concepts of privacy by design and privacy by default are regulated as obligations of the data controller, in case of a breach of such obligations, the controllers would be subject to sanctions within the scope of GDPR provisions. At this point, the question of whether the manufacturer or designer of a product will also be subject to sanction for such data breach could arise. According to the statement of European Data Protection Board ("EDPB" or "Board") disclosed in the 32nd Plenary Session dated June 10, 2020,3 the product/application manufacturers would only be liable for data breaches when they are also data controllers or data processors.

In the aforesaid Plenary, the Board has disclosed the letter drafted in reply to MEP Moritz Körner's letter regarding the laptop cameras. Accordingly, Körner suggested that new laptops should be equipped with camera covers and the Board has clarified that while laptop manufacturers should be encouraged to take into account the right to data protection when developing and designing such products, they are not responsible for the processing carried out with those products and the GDPR does not establish legal obligations for manufacturers, unless they also act as controllers or processors.

Finally, along with the obligation regulated under GDPR, complying with the concepts of privacy of design and default are highly important for companies that are willing to have a data-based competitive advantage. Complying with data protection rules at the earliest steps of the creation of a product or services would eliminate the risk of data protection incompatibility that may occur after the product or service is presented to the user. Thus, it would be possible for the companies to gain advantage among competitor companies by preventing customer trust and loss of money and time by means of privacy by design and default.

Footnotes

1. https://www.privacy-regulation.eu/en/article-25-data-protection-by-design-and-by-default-GDPR.htm

2. https://iapp.org/media/pdf/resource_center/Privacy by Design - 7 Foundational Principles.pdf

3. https://edpb.europa.eu/news/news/2020/thirty-second-plenary-session-statement-interoperability-contact-tracing-applications_en

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.