Privacy by Design is a concept introduced by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario. It is a comprehensive approach to privacy that goes beyond simply meeting regulatory and legal requirements: privacy is integrated into all aspects of an organization, including its objectives, priorities, project management, and operations. Privacy lawyers and IT professionals alike should understand the principles behind this framework.
The Privacy by Design framework is based on seven foundational principles. The first, proactive not reactive and preventative not remedial, calls for anticipating and preventing privacy-invasive events before they happen, rather than waiting for an infraction to occur and offering remedies afterwards.
The second principle aims to provide the highest level of privacy protection by integrating privacy measures into all aspects of IT systems and business practices. Regardless of the individual’s actions, their privacy is protected by default through the implementation of privacy-focused design and architecture. This means that personal data is automatically shielded from potential privacy breaches, eliminating the need for individuals to take any extra steps to safeguard their privacy.
The third principle indicates that privacy should be integrated into the very foundation of IT systems and business practices, rather than being added on as an afterthought. This results in privacy becoming a fundamental aspect of the system’s core functionality, without compromising its performance.
The fourth principle, full functionality (positive-sum, not zero-sum), rejects the premise that organizations must trade privacy off against security or against revenue. A well-designed system can deliver both, and an apparent trade-off of that kind should be treated as a design problem to solve rather than an unavoidable choice.
The fifth principle, end-to-end security, requires that once privacy has been embedded into the design of IT systems and business practices, strong security measures protect personal information throughout its entire lifecycle, from collection through use and retention to secure destruction.
The visibility and transparency principle requires organizations to be transparent with users and ensure that all interested stakeholders have visibility into their privacy standards and practices. Organizations should also consider obtaining independent verification of the robustness of their privacy systems.
The last principle calls for organizations to adopt a user-centric approach and prioritize the privacy interests of individual users and customers. This can be demonstrated, for example, by offering strong privacy defaults, appropriate notice, and empowering user-friendly options.
In Canada, the federal private-sector privacy statute, PIPEDA (the Personal Information Protection and Electronic Documents Act), contains no explicit reference to Privacy by Design or its seven foundational principles. However, the House of Commons Standing Committee on Access to Information, Privacy and Ethics has recommended that privacy by design be made a central principle of Canadian privacy legislation and that its seven foundational principles be incorporated into the law where possible.
In Quebec, on the other hand, the private-sector privacy legislation as amended by Bill 64 (now commonly referred to as Law 25) has incorporated Privacy by Design concepts. An organization that collects personal information while offering a technological product or service to the public must ensure that the product's or service's privacy settings provide the highest level of confidentiality by default, without any intervention by the individual concerned; the statute carves out the privacy settings of browser cookies from this requirement. The obligations attach to the handling of personal information of individuals in Quebec, so organizations must comply even if they have no physical presence in the province.
Canadian organizations operating in Europe should also be aware that Privacy by Design, under the name "data protection by design and by default", is an explicit legal obligation under the GDPR (General Data Protection Regulation). Article 25(1) of the GDPR requires controllers to implement appropriate technical and organisational measures designed to implement the data-protection principles in an effective manner and to integrate the necessary safeguards into the processing, so as to protect the rights of data subjects. Pseudonymisation and data minimisation are expressly cited as examples of such measures. Article 25(2) adds the "by default" obligation: by default, only the personal data necessary for each specific purpose may be processed, which applies to the amount of data collected, the extent of processing, the retention period, and accessibility.
Privacy by Design is a comprehensive and proactive approach to privacy that embeds privacy considerations into information technology, networked data systems, and the organization as a whole. Organizations need to understand these principles, and the jurisdictions in which they are now binding law, in order to protect the privacy rights and interests of individuals.