The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and has been present in legislation since the early 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, the Information & Privacy Commissioner of Ontario, Canada.
This author defined the seven foundational principles of privacy by design: (i) to be proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality – positive-sum, not zero-sum; (v) end-to-end security – full lifecycle protection; (vi) visibility and transparency – keep it open; and (vii) respect for user privacy – keep it user-centric.
After being adopted as a privacy standard by the International Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016). However, in the GDPR (article 25) it is no longer a mere principle. Instead, it has become a mandatory legal obligation, and failure to comply can lead to severe administrative fines (article 83(4)(a)).
Regarding privacy by design, the GDPR establishes that the data controller shall implement the appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing. The appropriate technical and organisational measures are to be determined taking into account (i) the nature, scope, context and purpose of processing, (ii) the risks for rights and freedoms, (iii) the state of the art, and (iv) the cost of implementation.
Regarding privacy by default, the GDPR establishes that the controller shall implement the appropriate technical and organisational measures to ensure that, by default, (i) only the necessary personal data is processed, (ii) only to the extent necessary for the processing, (iii) the data is accessible only to the necessary individuals, and (iv) the data is stored only for the necessary period of time.
Both privacy by design and privacy by default are built around the same idea: implementing the appropriate technical and organisational measures to safeguard the personal data protection principles and rules. The GDPR gives some examples of such measures (pseudonymisation, encryption, anonymisation), but it is not a catalogue of these measures or of other privacy enhancing technologies (PETs), and the examples it gives should not be read as mandatory measures.
Clear guidance on privacy by design and by default is not to be found in the GDPR; it remains a work in progress for the whole community and the parties involved. But the GDPR has the clear intention of reaching the core of the digital age system and reshaping its values regarding privacy.
The success of this ambition is uncertain, but some important challenges are already very clear, such as the role of the producers of products, services and applications, the integration of data protection principles in the design of User Experience (UX) and User Interface (UI) and also in the software development planning (agile and scrum, for instance).
In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of the users of the gaming platform Steam, making each user's list of owned games private by default. As a direct consequence, the analytics activity provided by SteamSpy and other similar companies was severely damaged.
Privacy by design certainly is, for those closely involved in the design process of products, services and applications, one of the most interesting and challenging topics in personal data protection.