“Privacy by design” (“PbD”) is not a new concept but one that has been receiving increasing attention and legal clout in Canada, Europe, and around the world. Broadly speaking, it requires designing a system or process in a manner that protects the privacy rights of individuals, rather than considering the associated privacy implications of a system or process only after deployment. It is a principle that many consider to be a, if not the, crucial element in protecting privacy rights meaningfully. Importantly, it is now an explicit legal obligation under the European General Data Protection Regulation (“GDPR”).
The European Data Protection Board recently released new guidelines on Data Protection by Design and By Default. These guidelines will be up for consultation until January 16, 2020 and will form an important part of how privacy by design will be interpreted and implemented in Europe, with a downstream effect on any technology company who’ll be supplying Data Controllers.
Canadian organizations should understand PbD as a legal obligation under the GDPR and as a Canadian privacy principle, as well as PbD’s implications for operations and impact on relationships with suppliers, customers and the public at large.
PbD is a marriage of two ideals: (i) protection of personal information; and (ii) its coinciding sustainable commercial use, centred around seven foundational principles. The European Data Protection Supervisor (“EDPS”) in the recent Opinion 5/2018 on privacy by design draws an interesting distinction between data protection “by design” and privacy “by design.” The latter is seen as a wider concept including an “ethical dimension,” whereas the former is more explicitly tied to the legal obligations created by the GDPR (more on this below).
PbD as a Legal Obligation
While not currently an explicit legal obligation under Canadian privacy law, PbD has traditionally been regarded as the gold standard of privacy protection but it was never a directly enforceable aspect of the regulatory regime in Canada, the US or Europe. It had been given some degree of legislative validation by receiving mention in the recitals of the predecessor to the GDPR, the European Data Protection Directive (95/46/EC); but under EU law, this inclusion is not equal to legal enforceability, serving instead as an interpretive aid to direct obligations in the Directive rather than a stand-alone (enforceable) principle.
This changed in May 2018 with the coming into force of the GDPR, which now explicitly incorporates PbD principles into the European data protection regime (Article 25). Importantly, it provides a legal basis for the connection of PbD with “privacy by default,” which is, in and of itself, a principle of data protection law. It also mandates organizations be able to demonstrate compliance with these provisions. This includes having appropriate documentation of efforts expended to consider privacy rights from “Day 1” of a project.
Under the GDPR, PbD and its related principles are key elements in ensuring meaningful protection of privacy. It is important to note that in the European context, privacy rights are fundamental rights, which fact underscores the potential significance of PbD as a legal concept in Europe and, by further extension, in Canada. Article 25 is not, however, an absolute requirement applicable to all organizations in the same manner. It is qualified by a risk-based approach and reasonableness standard. That is, the more sensitive the information or the higher the risk to rights of individuals, the greater the obligation on the data controller to take measures to protect that data and to show this was considered and effected at the time of design. According to the EDPS, it is also “seriously” limited by its application to controllers (and to a certain extent processors) of personal information and not directly to manufacturers of the technology. Nonetheless, in practice, controllers will likely be much more comfortable choosing suppliers who will allow them to comply with the law. This preference places an indirect or commercial obligation on manufacturers of technology, including Canadian organizations who supply technology to others subject to the GDPR.
In Canada, the recent Report of the Standing Committee on Access to Information, Privacy and Ethics recommended that PbD become an explicit part of Canadian privacy law, stating that it “believes that [PbD] is an effective way to protect the privacy and reputation of Canadians”; and that PbD should become a “central principle” of the Personal Information Protection and Electronic Documents Act (PIPEDA). It is also apparent from the report that the underlying rationale for including PbD in the GDPR was highly influential. It would not be a stretch to say that PbD will also play an important role in the determination of whether the Canadian privacy regime will continue to be considered “adequate” under European data transfer rules.
- PbD is no longer just a best practice or principle unlikely to be legally enforceable under previous European data protection regime, It is now an established part of EU law (Article 25 of GDPR).
- The GDPR has been and will continue to be highly influential on Canadian privacy law, which means it is very probable that PbD will form an integral part of future PIPEDA review (as recommended by the Standing Committee).
- The practical consequences for data controllers and manufacturers of technology are evolving, as is the enforcement of PbD as a legal obligation in Europe. Canadian companies with operations or customers in Europe need to be cognizant of European PbD-related legal obligations and related requirements from a commercial and reputational perspective.
 Principle 1 – Proactive not reactive: preventative not remedial. Principle 2 – Privacy as the default setting. Principle 3 – Privacy embedded into design. Principle 4 – Full functionality: positive-sum, not zero-sum. Principle 5 – End-to-end security: full lifecycle protection. Principle 6 – Visibility and transparency: keep it open. Principle 7 – Respect for user privacy: keep it user-centric.
 “[…] appropriate technical and organizational measures [must be implemented] both at the time of the design of the processing system and at the time of the processing itself, […] in order to maintain security and […] prevent any unauthorized processing.”
 “Art 25 (1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. 2That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. 3In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”
 Under the GDPR, the “controller” is the person who determines the means and processing of personally identifiable information.
(This article was originally published in November 2018)