Article 25 of the General Data Protection Regulation requires parties who process personal data to protect personal data through ‘privacy by design’ and ‘privacy by default’. In this sixth episode of our blog series ‘Exploring the GDPR’, we will focus on these terms.
Privacy by design
Article 25 of the General Data Protection Regulation requires every party who is responsible for the processing of personal data to comply with ‘privacy by design’ and ‘privacy by default’. The two terms are often mentioned together and sometimes mixed up. That is a mistake, because there is a fundamental difference between privacy by design and privacy by default.
Privacy by design implies that the controller must already pay attention to privacy when developing new products and services (such as information systems). The GDPR compels the controller to build safeguards into the design of a service or product, so that the privacy of data subjects is protected as well as possible, and to implement technical and other privacy-enhancing measures. Data minimisation plays an important role here: the controller should ask itself whether it is necessary for the service or product to process specific personal data at all. If it is, the controller should take the necessary privacy protection measures, such as access security, pseudonymisation, encryption, limitation of retention periods and limitation of the group of persons who have access to the system. Such privacy-enhancing measures are also known as ‘Privacy Enhancing Technologies’.
Privacy by default
It is necessary to make a distinction between ‘privacy by default’ and ‘privacy by design’. Privacy by default implies that the controller must offer a product or service with default settings under which the intrusion into the privacy of the user is limited as much as possible. In other words, the obligation of privacy by default is met if the default settings of (for example) a website or application are such that the chance of a breach of the privacy of its users is as small as possible. Users can then decide for themselves whether they wish to change these default settings by checking one or more empty boxes and thereby allowing more of their personal data to be processed (‘opt-in’). Privacy by default is not complied with if boxes in a website or application have already been pre-checked or pre-completed by the controller and the user must actively switch them off in order to prevent specific processing of personal data (‘opt-out’). In that case, action by the user is required to reach a higher level of protection, whereas privacy by default requires that the minimum level of processing of personal data is the standard. The underlying reason is that practice has shown that users of a website or application simply accept the default settings chosen by the controller, out of haste, convenience or blind trust, without having read any of them. Privacy by default is not limited to checking and unchecking boxes on websites; it also implies that general terms and conditions may not contain hidden clauses with adverse consequences for the privacy of the users of a service or product. Software must also be developed in such a way that users are informed about the processing of personal data and are made aware of their rights. A system may be envisaged whereby users must declare, by checking boxes, that they are familiar with such information before the service can be used.
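The opt-in versus opt-out distinction above is something a development team can check mechanically before a form ships. The following is an added illustration (not code from the original post, and the purpose names and form definitions are constructed for the example): a small model of a consent form in which every optional processing purpose must start unchecked, a check that reports any pre-checked optional box, and a consent record that grants processing only for purposes the user actively ticked and fails closed for anything else.

```python
"""Privacy-by-default check for a consent form and the consent state it produces.

Added illustration. The checkbox purposes and the two form definitions below are
constructed for this example; they are not taken from the GDPR or the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Checkbox:
    """One consent checkbox as it would be rendered in a sign-up form."""
    purpose: str             # processing purpose the box controls
    checked: bool            # initial state when the page loads
    necessary: bool = False  # True if the service cannot run without this processing


# Opt-out form (constructed): optional purposes are pre-checked, so the user
# has to act to prevent the processing. This fails privacy by default.
OPT_OUT_FORM: List[Checkbox] = [
    Checkbox("fulfil_order", checked=True, necessary=True),
    Checkbox("marketing_email", checked=True),
    Checkbox("analytics_tracking", checked=True),
    Checkbox("share_with_partners", checked=True),
]

# Opt-in form (constructed): the same purposes, but every optional box is empty
# until the user ticks it. This is the privacy-by-default position.
OPT_IN_FORM: List[Checkbox] = [
    Checkbox("fulfil_order", checked=True, necessary=True),
    Checkbox("marketing_email", checked=False),
    Checkbox("analytics_tracking", checked=False),
    Checkbox("share_with_partners", checked=False),
]


def default_violations(form: List[Checkbox]) -> List[str]:
    """Return the purposes whose box is pre-checked although the processing is optional.

    A non-empty result means the form puts users in an opt-out position. A box for
    processing the service cannot run without is not an optional choice and is
    therefore not reported.
    """
    return [box.purpose for box in form if box.checked and not box.necessary]


@dataclass
class ConsentRecord:
    """Consent state derived from a submitted form.

    Only purposes the user actively ticked (plus necessary processing) are stored
    as True. Everything else is False, so a purpose that was never presented, or
    that the user left empty, never grants processing.
    """
    granted: Dict[str, bool] = field(default_factory=dict)

    @classmethod
    def from_submission(cls, form: List[Checkbox], ticked: List[str]) -> "ConsentRecord":
        # `ticked` is the list of checkbox names present in the submitted form data;
        # an unticked HTML checkbox is simply absent from the submission.
        granted = {box.purpose: box.necessary or (box.purpose in ticked) for box in form}
        return cls(granted)

    def allows(self, purpose: str) -> bool:
        """Fail closed: anything not explicitly granted, including unknown purposes, is denied."""
        return self.granted.get(purpose, False)


if __name__ == "__main__":
    print("opt-out form violations:", default_violations(OPT_OUT_FORM))
    print("opt-in form violations:", default_violations(OPT_IN_FORM))
    record = ConsentRecord.from_submission(OPT_IN_FORM, ["analytics_tracking"])
    for p in ("fulfil_order", "analytics_tracking", "marketing_email"):
        print(f"{p}: {'allowed' if record.allows(p) else 'denied'}")
```

Running `default_violations` over form definitions in a test suite turns the privacy-by-default rule into a release gate: a pre-checked optional box fails the build rather than reaching users who, as the post notes, tend to accept whatever defaults they are given.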
What does this mean for you?
With an administrative fine that may amount to a hefty EUR 10,000,000 or 2% of the worldwide annual turnover, the consequences of a violation of the obligations of privacy by design and privacy by default are no joke. Organizations would therefore do well to pay special attention, during the development of new services, products and information systems, to how intrusion into the privacy of users can be limited as much as possible, and, where appropriate, to obtain legal and technical advice on privacy-enhancing technologies and other privacy-enhancing measures. By recognizing the privacy risks of a service, product or information system early, organizations that process personal data can also save costs in other ways. If those risks are only recognized when development is already well advanced, or when the service or product is already on the market, adjustments will be far more complex, time-consuming and costly. Prevention is better than cure. The obligation of privacy by default requires all organizations that process personal data, but in particular those that do so with the help of a website or other application – for example a web shop – to check whether their default settings are sufficient to ensure the best possible protection of personal data. These organizations have until 25 May 2018 to map out whether they are processing more personal data than necessary for the service, and to ‘uncheck’ any pre-checked boxes.