Privacy by Design

Content:

What is Privacy by Design?

• The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.
• Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.
• Privacy by Design is an idea that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must become an organization’s default mode of operation.
• The approach suggests that privacy must be incorporated into networked data systems and technologies, by default.  It challenges the practice of enhancing privacy as an afterthought.
• The Privacy by Design framework employs an approach that is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. 
• Privacy concerns must be embedded into a design in its initial stage and throughout the life cycle of the product
• While Privacy by Design is a conceptual framework, it’s application can change the way digital platforms are created and the way in which people interact with them.
• From devising a business model, to making technological decisions, Privacy by Design principles can make privacy integral to the processes and standards of a digital platform.
• Privacy by Design does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred.
• It aims to prevent privacy risks from occurring. In short, Privacy by Design comes before-the-fact, not after.

Privacy by design is based on seven “foundational principles”:

• Proactive not Reactive; Preventative not Remedial:  Privacy by design is conceptualised to occur before-the-fact, not after. It is intended to prevent privacy invasions before they occur and not after.

• Privacy as the Default Setting: Privacy by design is aimed to ensure maximum privacy by ensuring that personal data is automatically protected in any given IT system or business practice and no further action is required on the part of the individual to protect their privacy as it is built into the system, by default.

• • Privacy Embedded into Design: This principle involves building protection mechanisms for privacy protection while designing the hardware or software itself.

• Full Functionality — Positive-Sum, not Zero-Sum: Privacy by design intends to incorporate all legitimate situations or objectives and avoid questions such as privacy vs. security, by trying to cater to both interests.

• End-to-End Security — Full Lifecycle Protection: Privacy by design ensures that all data is securely collected, retained, and then securely destroyed at the end of the life cycle, in a timely fashion.

• Visibility and Transparency— Keep it Open: Privacy by design intends to make its operations and processes involved visible and transparent, to users and providers alike.
• Respect for User Privacy — Keep it User-Centric Above All: Privacy by design requires data processors and fiduciaries to incorporate protection measures for ensuring user privacy and accessibility, such as strong privacy defaults, appropriate notice, and empowering user-friendly options.

Advantages of Privacy by Design:

Creating systems, products, processes and projects with privacy at the outset can lead to numerous benefits, such as:

• Privacy by design is an essential tool to reduce privacy risk and build trust. 
• Identifying potential problems at early stage and address these problems easily promptly
• Increasing the awareness of data protection and privacy across organization
• Meeting legal obligations instead of breaching data protection act.
• Avoiding privacy intrusive actions that may have negative impacts on people.

Sri Krishna Committee Recommendations on Privacy by Design:

• The Justice Sri Krishna Committee Report on Data Protection commented upon incorporating organisational measures, broadly designed as ‘privacy by design’.
• It aimed to establish data handling practices in an organisation in a manner ensuring compliance with law by minimising or eliminating adverse impacts on privacy. 
• Further, the Committee suggested establishing an accountability framework for certain data fiduciaries, which may be making evaluative decisions through automated means, to set up processes to eliminate unlawful processing of data.
• The report urged the Data Protection Authority (DPA) to consider Privacy by Design and other best practices to lay down precise obligations for data fiduciaries so as to ensure strict compliance with the law. 
• It recommended that the DPA conduct capacity building exercises to create skilled professionals in order to implement a ‘design-thinking‘ approach. 

Provisions on Privacy By Design under the PDP Bill:

• The Personal Data Protection Bill, 2019 (“PDP Bill”) introduces the concept of privacy by design policy for the first time in the Indian legislation governing data protection and privacy laws.
• The PDP Bill was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology. 
• The Bill aims to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same
• The PDP Bill, 2019 contains several clauses that have implications on the visual design of digital products. 
• These include the specific requirements for communication of notice and consent at various stages of the product. 
• The Bill also introduces the Privacy by Design policy.
• The PDP Bill provides for privacy by design policy under Chapter IV. Section 22(1) of the PDP Bill provides that every data fiduciary must prepare a privacy by design policy. 
• This policy must contain the following components:
  • the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;
  • the obligations of data fiduciaries;
  • the technology used in the processing of personal data in accordance with commercially accepted or certified standards;
  • the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
  • measures for protection of privacy throughout processing from the point of collection to deletion of personal data;
  • ensuring processing of personal data in a transparent manner; and
  • ensuring the interest of the ‘data principal’ (i.e. individual whose data is being used) is accounted for at every stage of processing of personal data.
• Section 22(2) of the PDP Bill provides that the data fiduciary must submit the privacy by design policy to the relevant authority for certification in the period and manner to be prescribed,  subsequent to which the said policy must be published on the website of the data fiduciary and the relevant authority.
• The PDP Bill states that data fiduciaries are required to prepare a Privacy by Design policy and have it certified by the Data Protection Authority. 
• According to the Bill, the policy would contain the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal.
• Privacy by Design Policy would mention if the technology used in the processing of personal data is in accordance with the certified standards.
• It would also comprise of the ways in which privacy is being protected throughout the stages of processing of personal data, and that the interest of the individual is accounted for in each of these stages.
• Once certified by the Data Protection Authority, the data fiduciaries are also required to publish this policy on their website
• This forces the data fiduciaries to envision privacy as a fundamental requirement and not an afterthought. 
• Such a policy would have a huge impact in the way digital platforms are conceptualised, both from the technological and the design point of view. 
• The privacy by design policy provided in the PDP Bill in its present state, resembles the seven principles enunciated by the Privacy Commissioner of Ontario, Canada.