Privacy by design and by default. What is it and what does it consist of?

Organic Law on Personal Data Protection: privacy by design and by default. What is it and what does it consist of?
By Juliana García Scandizzi

On May 26, 2021, Ecuador’s Organic Law for the Protection of Personal Data was published. Its purpose is to give greater protection to the personal data of all citizens, and to that end it imposes certain obligations on the public and private sectors. The Ecuadorian rules have been fully adopted from the European Union’s Regulation 679/2016 on personal data protection.

The main objective of this regulation is to bring about a complete paradigm shift in how personal data is handled, committing both the public and private sectors to build genuine awareness of protection and safeguarding in every agent involved in those sectors.

In short, these sectors will have to take more and more actions to achieve real compliance with the protection of personal data, until they reach the maximum protection expected, together with a high degree of internal culture and commitment.

In this sense, one of the obligations imposed by the regulations is to implement the principle of privacy by design and by default.

We will now answer the most frequently asked questions about this concept.

What is privacy by design and by default?

The concept of privacy by design and by default was created in the 1990s by Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, Canada, under the English term “Privacy by Design”.

It consists of the methodology of: “including privacy in the requirements specification of a technology”.

The purpose of this methodology is for organizations to incorporate it into each of their products or services, treating it as a central axis from the moment of creation, until it finally becomes part of their own values and ethical conduct.

What are the principles that govern privacy by design and by default?

Within the privacy by design and by default principle itself, there are other guiding subprinciples, including:

  • Preventive not corrective: This implies that all necessary measures must be taken to prevent any conflict in privacy matters, with anticipation as the central axis.

The Spanish Data Protection Agency, a forerunner in the study of privacy by design and by default, considers that this entails:

  • A clear commitment on the part of the organization, driven from the highest levels of management.
  • The development of a culture of commitment and continuous improvement on the part of all employees, since a policy is useless if it does not translate into concrete actions that feed back into its results.
  • Definition and assignment of specific responsibilities, so that each member of the organization is clear about his or her role in privacy matters.
  • Development of systematic, indicator-based methods for the early detection of processes and practices that are delivering poor privacy assurance results.

  • Privacy embedded in the design: This implies that privacy must become the guiding principle of the product or service being developed.

It is not an additional layer or module to be added to something pre-existing, but must be integrated into the set of non-functional requirements from the very moment it is conceived and designed.[1]

From the early stages of design, then, the following aspects should be considered:

  • The existence of the principle as a necessary requirement in the life cycle of products and services, as well as in the design of the organization’s processes.
  • A risk analysis covering all the rights of the data subjects, and the corresponding impact assessments on the protection of such data, as an integral part of the design.

  • Privacy within the user’s reach: This implies that the user of the product or service does not have to take any action to protect his or her privacy, because it is already built in beforehand.

“The default configuration should be set from the design at the level that is as privacy friendly as possible. In the event that the subject does not take any configuration action, their privacy should be guaranteed and kept intact, as it is integrated into the system and configured by default.

This principle, put into practical terms, is based on the minimization of data at all stages of processing: collection, use, storage and dissemination.”[1]
</gra_replace>
<gr_replace lines="57-59" cat="reformat" orig="• Full functionality">
  • Full functionality: This implies that both privacy and the goods and services can be guaranteed in full, without the delivery of the goods or services jeopardizing the privacy of the users.

  • Full functionality: implies that both privacy and goods and services can be guaranteed in full, without the achievement of the goods or services jeopardizing the privacy of the users.

 

“To this end, from the earliest stages of product and service conception, the organization must:

  • Assume that different and legitimate interests may coexist: those of the entity and those of the users it serves; and that it is necessary to identify, evaluate and balance them appropriately.
  • Establish communication channels to collaborate and consult with stakeholders in order to understand and reconcile multiple interests, which at first glance may appear to be divergent.
  • If the proposed solution poses threats to privacy, look for new solutions and alternatives to achieve the different functionalities and interests pursued, but always without losing sight of the fact that the risks to user privacy must be adequately managed.”[1]

  • End-to-end security: This involves the total protection of data throughout the entire information lifecycle, covering its collection, processing and disposal in a consistent and efficient manner.
  • Visibility and transparency: This implies complying with the duty to inform the user, clearly and completely explaining the processing and the agents that will have access to the information the user provides.

This principle serves as a pillar for demonstrating diligence and proactive responsibility before the corresponding supervisory authorities, as well as for building trust among the members of the public who provide their personal data.

  • Respect for users’ privacy: This implies that exclusive priority must be given to the total protection of users’ data, covering both the products or services provided and the entire business practice surrounding them.

In short, this means that processes, products and services must be designed “with the user in mind”, thus anticipating the needs of all those who provide their personal data.

  • Data minimization: This implies that only the data strictly necessary for the products or services offered should be collected and processed, keeping it only for as long as it is necessary, and never making it available to the general public.
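As an added illustration (not code from the article or from the Spanish agency’s guide), the following Python sketch shows how the privacy-by-default and data-minimization subprinciples translate into code: every option starts at its most protective value, a declared purpose collects only the fields it needs, use is bound to that purpose, dissemination exposes nothing without an opt-in, and retention is bounded. All names, purposes and retention periods are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical purpose-to-fields map: each purpose declares the only fields
# it may collect (minimization at the collection stage).
PURPOSE_FIELDS = {
    "account": {"email", "display_name"},
    "shipping": {"email", "display_name", "postal_address"},
}
# Hypothetical retention periods, in days, per purpose (storage stage).
RETENTION_DAYS = {"account": 365, "shipping": 90}


@dataclass
class PrivacySettings:
    # Privacy by default: each option starts at its most protective value and
    # only changes through an explicit action by the data subject.
    profile_public: bool = False
    marketing_consent: bool = False
    share_with_partners: bool = False


@dataclass
class Record:
    purpose: str
    data: dict
    collected_on: date
    settings: PrivacySettings = field(default_factory=PrivacySettings)


def collect(purpose, submitted, today):
    """Keep only the fields the declared purpose needs; silently drop the rest."""
    allowed = PURPOSE_FIELDS[purpose]
    kept = {k: v for k, v in submitted.items() if k in allowed and v is not None}
    return Record(purpose, kept, today)


def use_for(record, purpose):
    """Use stage: data collected for one purpose is not reused for another."""
    if purpose != record.purpose:
        raise PermissionError(f"data collected for {record.purpose!r}, not {purpose!r}")
    return record.data


def public_view(record):
    """Dissemination stage: nothing is exposed unless the subject opted in,
    and even then only the display name, never contact or address data."""
    if not record.settings.profile_public:
        return {}
    return {"display_name": record.data.get("display_name")}


def retention_expired(record, today):
    """Storage stage: the record must be deleted once its period has lapsed."""
    return today - record.collected_on > timedelta(days=RETENTION_DAYS[record.purpose])
```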

In light of the above, what is privacy by design and by default?

Privacy by design and by default, then, consists of the adoption of security measures in both technical and legal aspects, from the very beginning of the design of the product or service, to ensure the protection of the users’ data in an integral manner and during the entire life cycle of the processing of the information provided.

The Spanish Data Protection Agency, in its “Guide to Privacy by Design”, states that: “Privacy by Design (hereinafter, PbD) involves using a risk management and proactive responsibility oriented approach [9] to establish strategies that incorporate privacy protection throughout the life cycle of the object (whether it is a system, a hardware or software product, a service or a process). (…) The ultimate goal is for data protection to be present from the earliest stages of development and not to be an added layer to a product or system. Privacy must be an integral part of the nature of such a product or service.”[1]

It is therefore essential for all actors who intend to carry out projects involving the processing of personal data to have a solid team specialized in both the technical and the legal aspects. That team can collaborate and provide support from the design of the procedure, through the initial analysis of the products and services to be offered, and throughout the entire life cycle of the information collected.

So, what are the measures that should be adopted by the actors involved?

First of all, stakeholders should clearly identify which personal data they will process for the goods and services offered, and seek ways to keep that data to a minimum.

Secondly, they must comply with the duty to inform their users about the processing that will be carried out on such data, to whom it may be transferred, and how long it will be retained.

Thirdly, and no less important, it must be clearly understood that privacy has to be protected from the very beginning, and that as many technical and legal security measures as possible must be implemented to this end.

Lastly, they must carry out internal monitoring and audits to ensure that privacy is truly safeguarded at every stage of the process: from the inception of the idea, through the start-up of the project and its development, to its conclusion.

Consequently, data protection by design and by default is an obligation of the actors who will use the personal data provided by citizens. They must therefore actively take part in privacy engineering: helping to define every aspect that has to be considered, and carrying out adequate and permanent follow-up of its correct implementation and operation, so that ultimately the data being processed is protected and the subjects’ privacy is safeguarded.

In short, what is the purpose of implementing the concept of “privacy by design”?

The application of this concept will help public and private sector actors to generate a paradigm shift within their systems, both at a technical and social level, understanding the protection of personal data as a concept that must be safeguarded, in order to not only avoid the sanctions that the corresponding bodies may impose on them, but also to understand the importance and responsibility involved in the treatment and traffic of personal data provided by society.

[1] Spanish Data Protection Agency, “Guide to Privacy by Design”, October 2019 edition.
