PRIVACY BY DESIGN AND BY DEFAULT UNDER THE GDPR

by MC PÉROUX, LL. M January 14, 2019

WHY PRIVACY BY DESIGN UNDER THE GDPR IS IMPORTANT FOR COMPANIES (1)

MC PÉROUX, LL. M

January 22, 2019

A QUICK RECAP OF THE 7 FOUNDATIONAL PRINCIPLES (2)

They have been developed and conceptualised since the 90’s by Ann Cavoukian, Ph.D., and for the first time, a mandatory legal text has included its tenets, the GDPR.

➔ purpose limitation (GDPR, art 5-1 b), data minimisation (GDPR, art 5-1 c))

1. Proactive not Reactive; Preventative not Remedial -> purpose limitation (GDPR, art 5-1 b), data minimisation (GDPR, art 5-1 c))
2. Privacy as the Default Setting
3. Privacy Embedded into Design -> GDPR art 25
4. Full Functionality – Positive-Sum, not Zero-Sum -> “Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both. “  -> See the current discussions on different business models of free information services accessibility without a paywall (personal information given of exchange of free information) (4)
5. End-to-End Security – Full Lifecycle Protection -> GDPR: art 5-1 f), art 25 and art 32 (“ level of security appropriate to the risk “)
6. Visibility and Transparency – Keep it Open -> Accountability, GDPR art 5-2, art12
7. Respect for User Privacy – Keep it User-Centric -> Accuracy GDPR art 5-1 d), Rights of the Data Subjects, GDPR Chapter III

WHY SHOULD COMPANIES REALISE THE IMPORTANCE OF PRIVACY BY DESIGN ?

The GDPR introduces a change in paradigm. 

It is not centered on the processors but on the individuals’ fundamental rights.  (5)

The gauge to assess an envisaged personal treatment remains the risk it represents to the data subjects’ fundamental rights, the right to privacy being one of them. 

NO RIGHT IS ABSOLUTE AND THE GDPR IS A BALANCING ACT BETWEEN THE RIGHT TO PRIVACY AND OTHER RIGHTS

See the current issue on the right to erasure (art 17) where the CJEU Attorney General, M. Maciej Szpunar, recommends a limitation of this rights balancing it with the right to information: §57 “ En revanche, et c’est en quelque sorte le nœud de la présente affaire, le « droit à l’oubli » doit être mis en balance avec d’autres droits fondamentaux. “  (6)

When designing any process on personal data the very first question of the processor should be “do I respect and embed the fundamental rights of the persons when I use their personal data? “

I know this is still too rare an attitude especially among the internet personal data giants like the (in)famous GAFAM (7).  Their entire business model is based on the gathering of as much personal data (under the GDPR extensive definition) as possible with too often very deceptive opaque methods.

NEW TRENDS AMONG COMPANIES PROCESSING PERSONAL DATA 

Some companies, more forward looking, realise that the users, real persons with real interest in protecting their physical life from intrusive data hogging methods, demand that something has to change in the handling of their private information.

They have perhaps understood the general move towards more respect for the individuals’ privacy.

Look at the legal trend towards the respect of private information from the upcoming Californian Legislation (8), the success of Convention108 in bringing privacy considerations into many jurisdictions (9) , even the president of Apple, Tim Cook, is asking for a legislation on privacy (10).

At the recent 2019 edition of the CES, privacy made an entrance but it remains to be seen whether the companies do really apply Privacy By Design or if they are just surfing on the trends.

Too often, companies with a business model based on processing personal data or selling software allowing it, announce that they are “100% GDPR compliant “ but when one looks more into the process they use, it is clear that the GDPR principles have been overlooked or interpreted wrongly… (11)

On the other end of the spectrum, one finds even some American companies that communicate on privacy as a feature embedded from the start in their business model.

For example: 

Info: I have no affiliation, no interest in the companies, I do not endorse their products

➔ HUMU  (12)

Although I do not like behavioural analysis in general, finding it extremely invasive on privacy, this company’s communication seems ahead of others on Privacy By Design  

“That’s why we built with the GDPR in mind from day one, and we extend the rights from the GDPR to every user no matter where in the world they live. This includes transparency, control, and data portability. “ (13)

➔ SNIPS (14)

“Snips Global Communications Director Genia Shipova said the focus on privacy by design is what makes Snips a GDPR-friendly solution. »  She said Snips wants to avoid data-centric business models used by larger tech companies by focusing on contracts with its customers.“  (15)

➔ Q-Branch Labs (16)  and their Vektor (17) product

” We start with the assumption that everything we send out of this device has to be GDPR-cleared. We just don’t want to deal with the problems. All of the logs and security alerts that we send out, we still rip out all of the private information.” Says the founder Jim McCoy 

➔ OEKON SAS and its device ASK-HAROLD  (19) developed in France 

Based on an AI that searches for you information on Internet

CONCLUSION

I hope that companies realise how important it is to understand the principles to protect and respect the ever-growing mass of personal data they handle. They could start reading Art 5 of the GDPR relating to its founding principles.

Google just learned the hard way what Privacy By Design means for the French DPA, the CNIL. 

In its last decision,  the CNIL clearly states that the users are not properly informed before consenting due to the numerous steps they have to take in order to find information in the process. The decision is a lesson on what is bad and opaque design to lure the users to consent to vague descriptions of processing.

To respect Privacy By Design is just to respect the persons at the end of the process.

• Maybe by showing respect, some companies could even gain trust from their customers.
• Place yourself in the shoes of the person when you design any personal data treatment.
• Imagine that this person is someone important to you and see how it really feels to you that her personal data, her life, is processed by your envisaged treatment.
• Educate the developers to the values of privacy during their studies.
• Hire people who understand the value of their own privacy to develop your processes.

Yes business is important but ethics, respect should not be lost. 

A person who trusts a company’s handling of her data will give the information needed, it is a trust that companies should gain, not steel away by opaque processes and algorithms.

MC PÉROUX, LL. M

Blog in French to help SMB’s to understand privacy https://mementosafe.com/

LinkedIn

Twitter

(1) More details on PBD “Privacy and security by design, data security, and GDPR compliance“, MC Péroux, dec.12, 2018 on LinkedIn
(2) Privacy By Design The 7 Foundational Principles– January 2011
(3) Ibid.
(4) “Austrian DPA Issues Decision on Validity of Cookie Consent Solution“ , Hunton Andrews, Kurth LLP, Posted on January 7, 2019,
“The differing approaches taken by the Austrian DPA and the UK ICO demonstrates a lack of alignment on this issue, and it remains to be seen how other DPAs will decide on the issue “

(5) Charter of Fundamental Rights of the European Union, art 8(1)
(6) In French, Conclusions de l’avocat général M. Maciej Szpunar présentées le 10 janvier 2019, Affaire C-507/17, Google LLC, venant aux droits de Google Inc. Contre Commission Nationale de l’Informatique et des Libertés (CNIL),
(7) GOOGLE, AMAZON, FACEBOOK, APPLE, MICROSOFT
(8) AB-375 Privacy: personal information: businesses. (2017-2018), Assembly Bill No. 375 CHAPTER 55, An act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy. [Approved by Governor June 28, 2018. Filed with Secretary of State June 28, 2018.]
(9) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28.I.1981, “This Convention is the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data. “ https://www.coe.int/fr/web/conventions/full-list/-
/conventions/rms/0900001680078b37

(10) “This Is Surveillance.’ Apple CEO Tim Cook Slams Tech Rivals Over Data Collection“ “ Cook also reiterated calls for federal privacy laws in the U.S., similar to those unveiled in Europe, called the General Data Protection Regulation.“ Natalia Drozdiak and Stephanie Bodoni / Bloomberg October 24, 2018 via TIME,

(11) An example among many “How did we get here? “Twitter feed @gaeel
(12) https://humu.com/
(13) “Data Privacy at Humu: Building Systems for Trust to Make Work Better “, January 9, 2019, Bryan Zimmer

(14) https://snips.ai/
(15) “CES 2019: GDPR talk fills halls of Eureka Park “, Ryan Chiavetta, CIPP/US, Jan.9, 2019,
(16) https://www.q-branch.net/index_d/
(17) https://getvektor.com/
(18) Above note 15

(19) http://minim-e.com/ and https://play.google.com/store/apps/details?id=fr.oekon.harold
https://itunes.apple.com/us/app/ask-harold/id1332599364