EDPS Issues Privacy by Design Preliminary Opinion
Privacy by Design was the focus of a Preliminary Opinion by the European Data Protection Supervisor (EDPS) this week. The aim of the opinion is to contribute to the success of General Data Protection Regulation (GDPR) Article 25 by raising awareness, promoting debate and suggesting action on the obligations of data protection by design and default.
The office of the European Data Protection Superviser serves as an ambassador on EU privacy and data protection. The EDPS is tasked with supporting the European Data Protection Board, the various member states and their supervisory authorities, the Court of Justice, and others. The European Data Protection Supervisor is currently Giovanni Buttarelli. He was appointed by the European Parliament and the Council at the end of 2014 to a five year term.
The Executive Summary to the Preliminary Opinion speaks to the creation of an enforceable legal obligation on May 25, 2018 with the obligations of privacy by design and privacy by default as a result of the implementation of GDPR and the “need to keep the momentum going so that this new obligation can increase the effectiveness of the protection promised by the GDPR.” The foreward to the Opinion notes that the “effective implementation of the principle of privacy by design and by default can represent an outstanding milestone towards a human values based technology design.”
The EDPS specifically recommends that EU institutions, among other things:
ensure strong privacy protection, including privacy by design, in the ePrivacy Regulation;
- support privacy in all legal frameworks which influence the design of technology;
- foster the roll-out and adoption of privacy by design approaches and privacy enhancing technologies (PETs); and
- ensure competence and resources for research and analysis on privacy engineering and privacy enhancing technologies.
Why is the EDPS talking about privacy by design?
The paper notes how the public debate about privacy has reached unprecedented levels but the public is only aware of “the tip of the iceberg” with respect to tracking and targeting. Nevertheless, there is hope that technology development will not only be a cause of privacy concerns but can also be a part of the solution through privacy by design. The full potential of technology to protect the fundamental rights of individuals has yet to unfold.
The Obligation for Data Protection by Design
The four dimensions of this obligation involve:
1. The protection of individuals and their personal data should be a project requirement from the beginning of the design project and throughout the whole project lifecycle.
2. Risk management in the project should include selecting and implementing measures for effective protection of the privacy rights and freedoms of individuals.
3. A goal to achieve should be the effective implementation of data protection principles set out in Article 5.
4. Integration of the identified safeguards into the processing.
The Obligation for Data Protection by Default
The EDPS statement notes two values of this principle:
1. It is important to only have data processed in a way that is strictly needed and to not have data processed for other purposes by default.
2. There need to be measures to prevent personal data from being made public by default.
Other Highlights from the Preliminary Opinion
Controllers have a duty to choose processors that are able to support them in their obligations of data protection by design and by default.
Article 25, in conjunction with Recital 78, requires technology providers to design their products in a way that enable the controller to protect individuals and their data in accordance with data protection by design and by default.
Looking Back at the EDPS 5 Year Plan for 2015-2019
It is the first Friday in June, which means the General Data Protection Regulation (GDPR) has completed its first week in effect. We are a long way in the privacy world from where we were at the end of 2014 when the current EDPS took office. So we thought it worthwhile to take a look at another paper put together by the EPDS some years ago: the EDPS Strategy 2015-2019. Te Supervisor set forth three strategic objectives and 10 priority actions to make the EU a leader in the digital age.
The three strategic objectives were:
1. Data Protection Goes Digital
2. Forging Global Partnerships
3. Opening a New Chapter for EU Data Protection
The ten priority action items were:
1. Promoting technologies to enhance privacy and data protection.
2. Identifying cross-disciplinary policy solutions.
3. Increasing transparency, user control and accountability in big data processing.
4. Developing an ethical dimension to data protection.
5. Mainstreaming data protection into international agreements.
6. Speaking with a single EU voice in the international arena.
7. Adopting and implementing up-to-date date protection rules.
8. Increasing the accountability of EU bodies processing personal information.
9. Facilitating responsible and informed policymaking.
10. Promoting a mature conversation on security and privacy.
Looking back on these priorities, it is amazing to reflect on how much things have changed even in the last year. In the span of a few months, privacy became a dining room table issue and a daily topic featured in newspapers and other media outlets.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.