Privacy by design has been part of data protection law for a while. However, the practical need to apply it is growing. Let’s discuss what it is and how the relevant authorities have used it in the context of data protection. This will help us understand why it is increasingly necessary to implement privacy by design when it comes to data protection law.

What is privacy by design in terms of data protection law?

Privacy by design is a kind of value-sensitive design. It calls for the designer to consider privacy throughout the entire design process. It also sets out a structure for developing products, services or systems. This structure emphasises the importance of privacy and data protection from the beginning. Ann Cavoukian, the former head of the relevant data protection supervisory authority in the Canadian province of Ontario, came up with the idea in the 90s. It has since become a core part of specific data protection laws. The concept demands combining privacy concerns into the design, development, and deployment of products and services, including:

  • Using technologies and taking actions that help keep personal data free from unauthorised access and other kinds of harm.
  • Giving users information about the personal data your organisation collects from them and using them to provide your goods or services.

How have the relevant authorities applied it?

Over the years, there have been a handful of legal cases and regulatory actions related to privacy by design — including:

  • EU’s GPDR (General Data Protection Regulation) — requires organisations to implement privacy by design.
  • US FTC (Federal Trade Commission) — took action against specific organisations that failed to implement appropriate information security measures, which is part of privacy by design.
  • OPC (Office of the Privacy Commissioner) in Canada — issued guidance on implementing privacy by design and investigated organisations that had failed to implement appropriate security measures to protect personal data.

Why is it increasingly necessary to implement privacy by design when it comes to data protection law?

The Irish Data Protection Commission (DPC) fined Meta (previously Facebook) 265 million euros in November 2022. This was for failure to comply with the provision of the GDPR related to data protection by design and by default. Article 25.1 says that to meet the GDPR’s requirements and protect the rights of data subjects, the controller must implement appropriate technical and organisational measures designed to:

  • Effectively implement data-protection principles.
  • Integrate the necessary safeguards into the processing.

The DPC found that Meta had breached this article of the GDPR related to privacy by design. They said this because Facebook and Instagram tools did not have sufficient technical and organisational measures to protect personal data.

This shows how the concept is evolving. It used to be a theoretical nice-to-have regarding relevant data protection laws. Now it is something that relevant supervisory authorities insist upon. They are increasingly likely to take an organisation to task for failing to implement it correctly.

Actions you can take

  • Conduct a privacy or data protection impact assessment at the beginning of each project to infuse privacy into your design.
  • Understand how privacy by design applies in your industry by asking us to draft a legal opinion.
  • Explore how your organisation could comply by consulting with us.