Does your jurisdiction impose requirements of data protection by design or default?
Data Protection & Cyber Security
Formally speaking, Russian laws do not explicitly introduce the concepts of data protection by design and data protection by default in the way they are set out, for example, by EU laws. However, the general data protection principles and requirements (data minimisation, purpose limitation, security etc.) imply that a company must always consider the data protection aspects when designing and implementing any solution or system, and must ensure the privacy of the individuals concerned from the outset. So, practically speaking, the privacy by design and by default principles are implied in Russian data protection laws, even though they are not mentioned directly.
The Data Protection Law does not specifically address this issue. However, in 2015 the Data Protection Authority adopted Rule No. 18/2005, which sets out certain guidelines for software developers, who in most cases are not familiar with the data protection principles of the Data Protection Law.
If approved, the Data Protection Bill (see question 1) would require data controllers to implement measures to ensure privacy by design and by default.
The LGPD establishes that processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorised access and from accidental or unlawful situations, from the design phase of the product or service through to its implementation.
The concept of privacy by default is implicit in the LGPD as companies are subject to the following principles:
- Purpose: processing for legitimate, specific and explicit purposes, previously informed to the data subject, with no possibility of subsequent processing incompatible with these purposes;
- Necessity: limitation of the processing to the minimum necessary to achieve its purposes, covering data that are relevant, proportional and non-excessive in relation to the purposes of the data processing.
GDPR applies directly. There are no local specific requirements within the Bulgarian data protection legislation in relation to the data protection ‘by design’ and ‘by default’ concepts. Data controllers are thus required to undertake data protection measures at the design stage, as well as to ensure these measures by default. With respect to the data protection ‘by design’ data controllers are obliged to introduce and implement both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures, designed to implement data protection principles (Article 25, para. 1 GDPR). Regarding data protection ‘by default’, data controllers have to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed (Article 25, para. 2 GDPR).
Data privacy by design and by default are not explicitly mentioned. However, implicitly FADP requires such policies to a certain degree. Data privacy by default is a consequence of the principle of proportionality and data minimization. Data privacy by design may help to comply with the general data processing principles.
In order to comply with the principle of privacy by design and by default, controllers shall implement technical and organisational measures appropriate to the identified risk of loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Moreover, the concept of "privacy by design" refers to the need to consider the guarantees of the RGPD (the GDPR) from the start of any operation or process, planning ahead for the adoption of measures to ensure that only the necessary data are processed, and only for the time required. In this regard, Recital 78 of the GDPR states that controllers which process personal data and creators of products, services and applications based on the processing of personal data «should be encouraged to take into account the right to data protection […] and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.». On the other hand, "privacy by default" measures are intended to ensure that organisations, by default, only process the personal data necessary for the fulfilment of the purposes for which they were gathered. This refers to the amount and the type of data collected, the processing the organisation carries out, the retention period of the data and the access allowed to it.
In Spain these principles imply a change of approach in the compliance with data protection regulations, since, with the previous regulations, the entities processing personal data had to follow a series of rigid guidelines regarding security measures which were established by the Administration. For the time being, no rules establishing minimum security measures or standards applicable to data processing have been established by Spanish regulations, although any organization processing personal data must justify the adequacy of the measures effectively applied.
In our jurisdiction there are no requirements imposed regarding “privacy by design” or “privacy by default”; only the general requirements apply to data processing.
The GDPR imposes requirements of privacy by design and by default explicitly in Art. 25 GDPR.
Under privacy by design, controllers must implement appropriate technical and organisational measures to safeguard the processing of personal data. In doing so, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons, must in particular be taken into account.
One such measure could be the pseudonymisation of, in particular, the IP address or the name and address of a natural person where this data is used for statistical purposes only. It could also mean splitting databases by purpose, e.g. one for order handling, which processes directly identifiable data, and one for marketing and statistical purposes, where only pseudonymised data is processed.
Privacy by default is along the same lines: the controller has to implement appropriate technical and organisational measures to ensure that only the personal data actually necessary for the specific purpose is processed. This covers, in particular, the amount of personal data and its retention period.
For example, it could mean that a tracking technology automatically deletes the personal logs of each visit after a particular period of time and does not store the full IP address, because it is not actually necessary for this purpose. It could also mean honouring a Do Not Track option in the browser and not tracking the user if it is activated. In Germany, websites such as those of the public broadcasting services ARD and ZDF do not display Twitter and Facebook content by default, but only once the user consents.
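As an added illustration of the measures just described (this code is not part of the original text), the following Python sketch applies them to a website visit log: it honours the browser's Do Not Track signal, stores only a truncated and keyed-pseudonymised network address instead of the full IP, and deletes records once an assumed retention period has passed. The key, the retention period, the prefix widths and the sample requests are all assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)           # assumed retention period for visit logs
PSEUDONYM_KEY = b"placeholder-secret"   # assumed key; keep it in a vault and rotate it

def truncate_ip(addr: str) -> str:
    """Drop the host part so individual devices are not identifiable (/24 or /48 assumed)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def pseudonymise(value: str) -> str:
    """Keyed hash (HMAC): a stable token for statistics that cannot be reversed without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def record_visit(log: list, ts: datetime, ip: str, path: str, dnt: str) -> bool:
    """Store a visit unless the browser sent Do Not Track; returns True if stored."""
    if dnt == "1":
        return False
    log.append({"ts": ts, "net": pseudonymise(truncate_ip(ip)), "path": path})
    return True

def purge_expired(log: list, now: datetime) -> int:
    """Delete entries older than RETENTION; returns the number removed."""
    keep = [e for e in log if now - e["ts"] <= RETENTION]
    removed = len(log) - len(keep)
    log[:] = keep
    return removed

def demo() -> dict:
    # constructed sample requests: (timestamp, client IP, path, DNT header value)
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    requests = [
        (now - timedelta(days=10), "203.0.113.57", "/news", "0"),       # past retention
        (now - timedelta(hours=1), "203.0.113.98", "/news", "0"),       # same /24 as above
        (now - timedelta(hours=2), "2001:db8:1234:abcd::1", "/tv", "0"),
        (now - timedelta(hours=3), "198.51.100.7", "/radio", "1"),      # DNT set: not stored
    ]
    log: list = []
    stored = sum(record_visit(log, *r) for r in requests)
    removed = purge_expired(log, now)
    return {"stored": stored, "removed": removed, "remaining": len(log),
            "same_token": log[0]["net"] == pseudonymise("203.0.113.0")}
```

Because two hosts in the same /24 collapse to one token, per-network statistics still work while no single visitor is re-identifiable from the stored log.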
The Privacy Rules embody certain principles of data protection by default. These include purpose and storage limitations. Please refer to our response to Query 4 above for more details.
The Privacy Bill, while retaining these principles, also introduces the concept of privacy by design. For example, it proposes that:
(a) the interest of the Data Subjects be accounted for at every stage of processing of PD;
(b) privacy is protected throughout processing - from the point of collection to deletion of PD; and
(c) legitimate interest of business is achieved without compromising privacy interests.
No provision in the currently binding data and privacy laws imposes any requirement of privacy by design or by default, although such measures are helpful for fulfilling the obligations imposed by the CSL.
Indonesian laws impose requirements of data protection both by design and by default. Data protection by design can be seen in the requirement imposed on an ESO to operate its electronic system in accordance with the personal data protection principles. Data protection by default can be seen in the mandatory requirement to obtain and gather only information that is relevant to, and consistent with, the purposes specifically disclosed to the Data Subject when the Personal Data is collected.
Yes, article 25 of the GDPR imposes both requirements:
a) data protection by design by prescribing that the controller shall (taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing), both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures to be compliant with the data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing; and
b) data protection by default by establishing that the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing are processed (which is applicable to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility) and that by default personal data is not made accessible without the individual's intervention to an indefinite number of natural persons.
Yes, a business must put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is known as privacy by design. It means a controller should consider data protection in everything it does and in any new projects, systems and processes (or changes to existing ones).
In essence, this means a business has to integrate data protection into its processing activities and business practices, from the design stage right through the lifecycle. This pro-privacy methodology includes appropriate measures in order to safeguard data subjects, both when determining the means for processing and when processing personal data. These measures can include the encryption and pseudonymisation of personal data.
It also means that controllers must implement measures to ensure that only personal data which is necessary for each specific purpose is processed. This applies to the amount of personal data, extent of processing and period of storage.
Yes, the GDPR imposes requirements of data protection by design and by default. The requirements imply, amongst others, that the controller shall, throughout the whole life cycle of a product or solution, implement appropriate technical and organisational measures which are designed to implement the data protection principles and integrate the necessary safeguards into the processing.
Regarding the protection of personal data by design and by default, the HDPA refers to article 25 of the GDPR in conjunction with Recital 78 of the GDPR’s Preamble.
According to the data protection by design principle, both when determining the means of processing and at the time of the processing itself, the data controller shall introduce and implement appropriate measures and use technology designed to implement the data protection principles. Such measures include pseudonymization of personal data, which should take place as soon as possible (namely the replacement of personal data with artificial identifiers), encryption (so that only authorized persons can read the personal data), minimization of data processing and the introduction of the necessary safeguards, in a manner that meets the requirements set by the GDPR and ensures the protection of the rights of data subjects.
Moreover, according to the data protection by default principle, the data controller shall implement appropriate technical and organizational measures for ensuring that, by default, privacy is ensured and only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
In addition, the HDPA mentions two examples of measures designed to implement the data protection by design and by default principles. In particular:
a) A social networking platform should be encouraged to define user profile settings in order to protect privacy as much as possible. Such protection is ensured when the user profile is by default not accessible to an indefinite number of people; and
b) The need for transparency with regards to the functions and processing of personal data in order for the data subject to monitor data processing and for the controller to create and improve security features.
Data protection legislation in Turkey does not impose any requirements related to data protection by design or default specifically.
As a basic principle, the provisions of the GDPR also apply to these matters.
In practice, however, contracts once again generally state explicitly which requirements the processor is required to comply with.
Yes, a business must put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights (GDPR, Article 25). This is known as privacy by design. Data protection by design is about considering data protection and privacy issues upfront, that is to say at the design phase of any system, service, product or process, and then throughout the lifecycle. Consideration must be given to all the rules and restrictions related to data protection upstream of each contemplated processing of personal data.
In essence, this means that controllers have to integrate or ‘bake in’ data protection into the processing activities and business practices. There are many ways to implement the principle of 'data protection by design' in practice including the implementation of data protection concepts such as data minimisation, storage limitation and transparency. From an organisational point of view, a good business practice is to ensure the effectiveness of the rights of data subjects. Data protection by design may also be reflected at the technical level. The choice of architecture (decentralized vs. centralized), the implementation of security measures to prevent misuse of data and pseudonymisation techniques are good examples of technical implementations of 'data protection by design'.
The pro-privacy methodology of 'data protection by design' helps to ensure that compliance with the GDPR’s fundamental principles and requirements is effective, and forms part of the GDPR's focus on accountability. According to the principle of 'accountability', data controllers must implement internal processes and procedures to enable them to demonstrate compliance with data protection laws.
The concept of 'data protection by design' is closely linked to, but distinct from, the concept of 'data protection by default'. Under the latter, data controllers must only process data that is necessary to achieve the specific purpose they have determined. Data protection by default is tied to the fundamental data protection principles of data minimisation and purpose limitation.
The U.S. does not impose requirements of data protection by design or default. However, the FTC has recommended that companies consider both privacy and data security when designing and developing their products and services. In cases where a company is launching a novel product that raises unique privacy and data security issues, it is a best practice to take into consideration both privacy and data security impacts at the design stage.