Privacy by design and by default – positive for customers and burdensome for businesses?
4 min to read

Privacy by design and by default – positive for customers and burdensome for businesses?

Date
15 January 2016

This is the second of a number of blog posts leading up to my keynote at the upcoming Computerworld conference on Data Security in Copenhagen 27 January 2016. 

The new General Data Protection Regulation aimed at giving EU citizens greater control of their personal data introduces the principles of Privacy by Design and Privacy by Default to keep in pace with technological developments .

Privacy by Design means that organisations must protect privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures. That means building privacy into the architecture of new systems and processes.

Privacy by Default means that organisations must implement mechanisms for ensuring that, by default, the only personal data that is processed is that which is necessary for each specific purpose of the processing and especially that it is not collected or retained beyond the minimum necessary for those purposes and only be kept for the amount of time necessary to provide the product or service.

Privacy by Design and Privacy by Default apply at all levels, including the manufacturers of the devices, application developers and social platforms. Privacy and security have to be embedded, by default and design, from the very foundation of eg. an application.

For example, to successfully publish your profile on a new social media service, it may be a requirement to give your name and e-mail address. However, this service might also automatically and without your legal consent process other personal information such as your location, gender and make it visible publicly and not just to your connections.

This would be a classic example of a breach of the data protection principles, and thereby Privacy by Default principle, as more information is published than is necessary for the service. This situation could have been avoided by using the Privacy by Design concept where the manufacturer would have implemented technical and organisational measures to foresee and avoid this breach, before the new social media was even introduced.

How the Privacy by Design and Privacy by Default principles will be enforced is not at all clear. However, it is clear that the data protection agencies in the member states will demand from the businesses that they provide documentation that they are in compliance with the principles. And organisations that break the rules face tough penalties; organisations responsible for more serious violations could be fined up to four percent of their turnover.

Some customers are very concerned about what happens with the information they disclose to companies – especially online. The requirement of Privacy by Design and Default is supposed to give customers, the data subjects, increased control of their personal data and to assist in building trust in organisations, including online services.

From another point of view, much criticism has been expressed by organisations, not regarding the increased control Privacy by Design and Default will give to their customers, but regarding the high cost of implementation. Businesses may have to make substantial investments to ensure they are compliant, both inside and outside Europe.

Much focus has been on large web based businesses such as Google, Facebook and Microsoft, due to the number of third parties they use who also process the data, and which requires significant administrative cooperation in order to achieve conformity and cost to run and monitor.

The burdens, however, are especially onerous on small and medium sized businesses. When creating a new product or service, for example, the entire development process needs to be compliant. This together with ongoing monitoring can drive up the cost of a new product or service significantly. This could mean a huge financial burden for companies on a smaller budget, in particular startups.

From the organisations point of view, it might be worth it to look at the requirements of Privacy by Design and Default from a different perspective. The fact that customers are increasingly concerned about disclosing their personal data can be seen as a new business opportunity. It is important to make your customers feel safe and trust the service/product, so complying with the new regulations allows a business to create a product or service that a customer will feel safe using and thereby adding to the attraction and differentiation of the service/product.

According to the General Data Protection Regulation, an organisation will be able to acquire certification from the EU data protection authorities which will allow the organisation to communicate to customers that they meet the requirements and thereby can be trusted with the customers personal data, all potentially adding to the competitive edge of the organisations.

(Thanks to my colleagues Amalie Langebæk and Kamilia Mondrup at Bird & Bird Copenhagen Office for help with writing this blog post.)

Share
Written by
Martin von Haller
Martin von Haller
Martin is recognised for his solid legal skills and as an innovative thought leader and strategist within the IT industry. He is a partner in Bird & Bird's International Tech and Comms Group and is based in Denmark. Martin is one of Denmark’s leading IT lawyers with almost 20 years’ experience of advising Danish and international organisations, including large blue chip companies on legal and commercial matters in connection with IT in a wide sense. He is considered a pioneer with respect to legal aspects of Online Technology Solutions (Ecommerce, internet and web services), Cyber and IT security, open source and open data and use of other open licence forms such as Creative Commons.
Related articles
Smart Contracts – Recognising and Addressing the Risks
4 min to read
29 December 2021
Smart Contracts – Recognising and Addressing the Risks
Smart contracts, where some or all of the contractual obligations are defined in and/or performed automatically by a computer program, are expected to have a significant impact on the way business is...
Technology Projects: Managing the Risks of Innovation and Change Part 3: Contract Reset and Dispute Resolution
Technology Projects: Managing the Risks of Innovation and Change Part 3: Contract Reset and Dispute Resolution
Customers in long-term technology projects can find that while they have been working towards their chosen solution a more advanced, cheaper, or simply more desirable technology has become available....
Digital dispute resolution rules to facilitate rapid and cost-effective resolution of disputes involving novel digital technologies
Digital dispute resolution rules to facilitate rapid and cost-effective resolution of disputes involving novel digital technologies
While some saw the development of products using blockchain technology leading to the demise of disputes, the reality is that disputes in the arena of digital technology are increasing in number. Lawtech’s...
Technology Projects: Managing the Risks of Innovation and Change Part 2: During the Life of the Project
Technology Projects: Managing the Risks of Innovation and Change Part 2: During the Life of the Project
Customers in long-term technology projects can find that while they have been working towards their chosen solution a more advanced, cheaper, or simply more desirable technology has become available....
Cookies
We use analytics cookies to help us understand if our website is working well and to learn what content is most useful to visitors. We also use some cookies which are essential to make our website work. You can accept or reject our analytic cookies (including the collection of associated data) and change your mind at any time. Find out more in our Cookie Notice.