Data protection by design and by default
(78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
There is no recital in the Directive related to article 25.
Article 25 defines the obligations of the controller resulting from the principles of data protection by design and data protection by default.
The objective of European legislature is to make the protection of fundamental rights more effective and more dynamic, by strengthening the classic principles of necessity, proportionality, purpose and transparency with new principles such as data protection by design (see Article 25 (1)) and data protection by default (see Article 25 (2)).
The purpose of these principles is to take into account the rights and the interests of individuals since the very data processing design and the settings by default.
According to paragraph 1 of article 25, the principle of data protection by design requires the controller to implement appropriate technical and organizational measures, both at the time of the determination of the means for processing and at the time of the processing itself, to make it complying with the Regulation, taking into account the processing-related risks.
The measures to be adopted must take account of available technologies, the costs associated with their implementation as well as the nature, the scope, the context and the purpose of the processing as well as the probability and the severity of the risk presented by the processing with respect to the rights and freedoms of individuals.
Among these measures, paragraph 1 indicates minimisation and pseudonymisation. The notion of pseudonymisation must be understood as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person" (Art.. 4 (5)). On the other hand, the notion of minimisation is not subject to any definition in the Regulation but is explained in Article 5 (c).
Pursuant to this principle, new innovative and responsible techniques need to be developed to facilitate the exercise of individual rights to object, to access, to opt-out, to rectification and the right to data portability (see EDPS, Opinion 7/2015 of 19 November 2015, p. 14 et seq.).
The second paragraph addresses the principle of data protection by default. This principle requires the controller to adopt measures to limit by default the personal data processing to what is strictly necessary, with regard to the amount of data processed, their accessibility and the period of their storage. For example, when the processing is not intended to provide information to the public, the principle of data protection by default requires the implementation of mechanisms guaranteeing that by default, the data is rendered inaccessible to an undetermined number of individuals, without intervention by the subject data. It is actually a strict application of the principle of necessity already contained in the principle of purpose itself.
Finally, article 25 in its paragraph 3 provides in fine that controller may use a certification mechanism approved in accordance with article 42 in order to demonstrate compliance with the aforementioned obligations.
No provision of the Directive specifically covers the protection of data by design and the protection of data by default.
Two new obligations for data protection by design and default will pose difficulties in the implementation in that they involve consideration of the data protection at all levels of the process - and of all involved categories of said process of processing. They need to be properly implemented in close collaboration between the different position within the organization of the controller and awareness, or even a true knowledge of the principles involved: technical data processing staff (programmers, analysts, statisticians, etc.), staff related to the legal and compliance field and, as appropriate, other operational staff (marketing, etc.).
The task is even more difficult as we are facing delicate assessments (principles of necessity, taking into account the risk, etc.) which actually require know-how and experience.
European data protection board
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (20 octobre 2020)
In an increasingly digital world, adherence to Data Protection by Design and by Default requirements plays a crucial part in promoting privacy and data protection in society. It is therefore essential that controllers take this responsibility seriously and implement the GDPR obligations when designing processing operations.
These Guidelines give general guidance on the obligation of Data Protection by Design and by Default (henceforth “DPbDD”) set forth in Article 25 in the GDPR. DPbDD is an obligation for all controllers, irrespective of size and varying complexity of processing. To be able to implement the requirements of DPbDD, it is crucial that the controller understands the data protection principles and the data subject’s rights and freedoms.
The core obligation is the implementation of appropriate measures and necessary safeguards that provide effective implementation of the data protection principles and, consequentially, data subjects’ rights and freedoms by design and by default. Article 25 prescribes both design and default elements that should be taken into account. Those elements, will be further elaborated in these Guidelines.
Article 25(1) stipulates that controllers should consider DPbDD early on when they plan a new processing operation. Controllers shall implement DPbDD before processing, and also continually at the time of processing, by regularly reviewing the effectiveness of the chosen measures and safeguards. DPbDD also applies to existing systems that are processing personal data.
The Guidelines also contain guidance on how to effectively implement the data protection principles in Article 5, listing key design and default elements as well as practical cases for illustration. The controller should consider the appropriateness of the suggested measures in the context of the particular processing in question.
The EDPB provides recommendations on how controllers, processors and producers can cooperate to achieve DPbDD. It encourages the controllers in industry, processors, and producers to use DPbDD as a means to achieve a competitive advantage when marketing their products towards controllers and data subjects. It also encourages all controllers to make use of certifications and codes of conduct.
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
1st proposal close
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)
2nd proposal close
1. (...) Having regard to available technology and the cost of implementation and taking account of the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for rights and freedoms of individuals posed by the processing, the controllers shall implement (...) technical and organisational measures appropriate to the processing activity being carried out and its objectives, such as data minimisation and pseudonymisation, in such a way that the processing will meet the requirements of this Regulation and protect the rights of (...) data subjects.
2. The controller shall implement appropriate measures for ensuring that, by default, only (...) personal data (...) which are necessary for each specific purpose of the processing are processed; this applies to the amount of (...) data collected, the extent of their processing, the period of their storage and their accessibility. Where the purpose of the processing is not intended to provide the public with information, those mechanisms shall ensure that by default personal data are not made accessible without human intervention to an indefinite number of individuals.
2a. An approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2.
No specific provision