The possibilities and limits of technology play an increasingly important role in our personal lives and in our societies. The extent to which humans can enjoy their fundamental rights depends not only on legal frameworks and social norms, but also on the features of the technology at their disposal. Recent discoveries of inappropriate use of personal data have driven the public debate on data protection to an unprecedented level. It is necessary that the shaping and the use of technology take account of the need to respect the rights of individuals, rather than being driven exclusively by the economic interests of a few businesses.

With the full applicability of the General Data Protection Regulation in the EU as of 25 May 2018, data protection by design and by default becomes an enforceable legal obligation. We need to keep the momentum going so that this new obligation can increase the effectiveness of the protection promised by the GDPR. This Opinion shall contribute to this target by raising awareness, promoting the creation of public value and societal wellbeing, and calling on all stakeholders to engage in a responsible discussion with a view to taking the appropriate actions.

This Opinion distinguishes between the general principle of “Privacy by Design”, which encompasses an ethical dimension consistent with the principles and values of the EU Charter of Fundamental Rights, and the specific legal obligations provided by Article 25 of the GDPR, to which we refer as “Data Protection by Design” and “Data Protection by Default”. The Opinion briefly recalls the history of the principle of privacy by design, from the initial research on technologies for privacy up to the GDPR. It also analyses the content of Article 25 and its relationship with other articles, and considers other elements of EU legislation which refer to privacy by design. Furthermore, some implementations outside the EU are presented.
In an overview of the state of the art, the Opinion provides examples of methodologies to identify privacy and data protection requirements and integrate them into privacy engineering processes, with a view to implementing appropriate technological and organisational safeguards. Some of these methodologies define data protection goals directly from privacy and data protection principles, such as those of the GDPR, or derive them from operational intermediate goals. Other methodologies are driven by risk management. The design and operation process needs to consider the whole life cycle of a service or a product, from initial planning to service/product disposal. The technological overview also includes standardisation efforts to integrate privacy requirements into system design, and the state of the art of privacy enhancing technologies.

There is a need to advance the state of the art and the use of privacy enhancing solutions. While research has been increasing, as have initiatives dedicated to the development of the privacy engineering discipline, this is not yet enough to drive a change in the effectiveness of the protection of individuals and their personal data. Organisations can only benefit from adopting a privacy by design approach. Policies promoting privacy enhancing technologies and strategies should be among the priorities of the EU agenda, and public administrations must lead by example. The IPEN initiative will be a vehicle to promote privacy enhancing technologies among stakeholders at the international level. Initiatives for privacy by design should be seen in the broader context of integrating ethical considerations into technological design, following the conclusions of the recent report of the EDPS Ethics Advisory Group.
With this Opinion, the EDPS makes a number of recommendations to EU institutions:

- to ensure strong privacy protection, including privacy by design, in the ePrivacy Regulation;
- to support privacy in all legal frameworks which influence the design of technology, increasing incentives and substantiating obligations, including appropriate liability rules;
- to foster the roll-out and adoption of privacy by design approaches and PETs in the EU and at Member State level through appropriate implementing measures and policy initiatives;
- to ensure competence and resources for research and analysis on privacy engineering and privacy enhancing technologies at EU level, by ENISA or other entities;
- to support the development of new practices and business models through the research and technology development instruments of the EU;
- to support EU and national public administrations in integrating appropriate privacy by design requirements into public procurement;
- to support an inventory and observatory of the “state of the art” of privacy engineering and PETs and their advancement.

The EDPS will:

- continue to promote privacy by design, where appropriate in cooperation with other data protection authorities in the European Data Protection Board (EDPB);
- support coordinated and effective enforcement of Article 25 of the GDPR and related provisions;
- provide guidance to controllers on the appropriate implementation of the principle laid down in the legal basis;
- together with the DPAs of Austria, Ireland and Schleswig-Holstein, award privacy-friendly apps in the mobile health domain.

Coordination and the pooling of technological capabilities among the Data Protection Authorities are essential to promote data protection by design and by default. Cooperation in the EDPB, as well as in the International Working Group on Data Protection and Telecommunications (IWGDPT, “Berlin Group”), is necessary. We welcome feedback to this preliminary Opinion.
The 2018 International Conference of Privacy and Data Protection will be a milestone in the discussions about digital ethics in general and an opportunity to better define the way forward for privacy by design.
See also the EDPS Opinion on online manipulation and personal data (March 2018)