New legal requirements under EU data protection law.
(Written by Dr. Catherine Di Lorenzo, Counsel at Allen & Overy SCS / Photo by Matthew Henry on Unsplash)
In which context have these principles been included into law?
On 25 May 2018, the EU general data protection Regulation (GDPR) will come into force. This European legislation is aimed at harmonising the rules regarding the processing of personal data, i.e. data by which individuals (so-called “data subjects”) may be directly or indirectly identified, across the EU member states. It will impose more stringent obligations on controllers (i.e. persons or entities that determine the means and purposes of the processing of personal data) and processors (i.e. persons or entities that process personal data on behalf of a controller).
This legislation applies to controllers and processors established in the EU, or that are not established in the EU but offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU.
The law provides for stricter rules to ensure better protection of EU citizens with respect to the processing of their personal data. These rules include, besides the enhancement of data subjects’ rights (more transparent and complete information, stricter conditions for valid consent, the right to be forgotten, etc.), the accountability principle, which replaces the current obligation to systematically notify data processing operations in Luxembourg. The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. The accountability obligations include obligations to: (i) maintain certain documentation; (ii) conduct a data protection impact assessment for more risky processing; and (iii) implement data protection by design and by default.
What is “privacy by design”?
Privacy by design is an approach to projects and a way of running one’s business that promotes privacy and data protection compliance from the start. In practice, these issues are often looked into at the end of a project or ignored altogether.
A controller should, at an early stage of any project (i.e. when he decides what data will be collected and for which purpose) assess which technical and organisational measures (such as encryption, employee training, etc.) should be implemented to ensure compliance with data protection principles, such as data minimisation, purpose limitation, limited storage periods, data quality, legal basis for processing, processing of special categories of personal data (e.g. health data), measures to ensure data security, and the requirements in respect of transfers of personal data to third parties.
In practice, a data controller should think about how the requirements of the GDPR can be best implemented; this includes for instance the creation of functionalities or procedures that enable data subjects to be easily informed about the processing of their data and to withdraw consent for a specific processing. It should also be considered from the outset for how long specific data is really needed and how to delete or anonymise it once the purpose of a data processing is achieved. Today, the deletion of specific portions of data in a database for instance is in practice rather difficult or for archives almost impossible. This issue should be addressed and avoided in new projects.
The assessment on which privacy by design measures need to be taken should take into consideration the state of the art, the nature, scope, context and purposes of data processing as well as the risks for the rights and freedoms of natural persons. The cost of implementation measures is also a factor to be considered, and while in practice it will often be one of the most important factors, it would not be from a legal perspective.
Privacy by design should be a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:
- building new IT systems for storing or accessing personal data;
- building new devices (e.g. connected devices such as smart home solutions); or
- adding new functionalities in existing devices (such as smart phones).
What is “privacy by default”?
Privacy by default means that the standard for a new product or service should be that the strictest privacy settings automatically apply. Only personal data which are necessary for each specific purpose of the processing should be processed.
For instance with respect to connected devices such as smart watches, the geolocation function on the tool should by default be disabled and data on the location of the individual should only be collected if the individual actively activates this function.
In general, the privacy by default function should apply to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility (no data should notably be accessible to an indefinite number of persons).
Which measures should be taken in practice?
This depends on the nature of the product or the service. Measures can include the adoption of internal policies, determining which data is really needed to offer the product or service and only collecting such data (data minimisation), pseudonymisation of personal data as soon as possible (e.g. by encrypting it during transition and at rest), transparency towards the user regarding the purpose and extent of the processing, giving the user control over the processing by offering choices and creating and improving security features to prevent unauthorised access, alteration or other unauthorised use of personal data.
Are there benefits to taking a “privacy by design” approach?
Yes, there are. Of course the compliance with privacy by design and by default principles will be a legal obligation under the GDPR and should therefore be respected.
But beyond that, the application of these principles can minimise the risks for the controller not only in terms of legal compliance but also in costs. It will be much easier to identify and address potential problems at an early stage rather than when the product or service is close to final: adapting it later on will often be more costly and complicated.
Finally, applying the principles of privacy by design and by default, and putting the users of products or services in control of the processing of their data will help build or foster user trust in the products and services offered to them. Also, if users feel that their data is being processed in a trustworthy way, then actions against a controller are less likely to occur.