The public debate on the online manipulation and misuse of personal data for tracking and profiling has received unprecedented attention in recent weeks. This debate highlights the need for the kind of comprehensive and effective legislation outlined in the General Data Protection Regulation (GDPR) in order to enforce respect for fundamental rights, the European Data Protection Supervisor (EDPS) said today, as he published his preliminary Opinion on the principle of Privacy by Design.
One element of the debate concerns the role of technology in society, in particular whether companies should be able to take advantage of it exclusively as a means to increase their profits, or whether they should be obliged to use it to further the interests of users and the common good. From this ethical perspective, the principle of privacy by design is an efficient way to reconcile economic interests and social objectives. It involves planning for the integration of personal data protection into new technological systems and processes from the initial design stage of a project, as well as throughout its whole lifecycle.
Giovanni Buttarelli, EDPS, said: “With the GDPR now fully applicable, our preliminary Opinion looks to build upon and encourage the discussion between policy makers, regulators, industry, academia and civil society on how new technologies can be designed to benefit the individual and society. Technology should serve the interests of those who use it. We should therefore develop and encourage a common approach to technological development aimed at ensuring that technology cannot be exploited to serve the interests of only a select few companies, nor used to create a surveillance state.”
Privacy by design and the complementary principle of privacy by default, which involves ensuring that privacy protection is integrated into all technological services and products as a default setting, are both cited in the GDPR. What has previously been considered only as good practice, will now, therefore, become a legal obligation for all organisations responsible for processing personal data. This fits into the wider accountability principle defined in the GDPR, which requires organisations to implement appropriate technical and organisational methods to ensure and demonstrate data protection compliance.
The preliminary Opinion on Privacy by Design follows the publication on 19 March 2018 of the EDPS Opinion on online manipulation and personal data, in which the EDPS advocated an extension of the scope of protection afforded to individuals’ fundamental rights in the digital society. The successful implementation of the principles of privacy and data protection by design and by default is essential in order to guarantee effective protection for individuals. It is also an important step in the development of digital ethics. The conclusions of the recent report of the EDPS Ethics Advisory Board reinforce this idea, citing privacy by design within the broader context of integrating ethical considerations into technological design.
With this preliminary Opinion, the EDPS offers a first contribution to the dialogue on the role and development of technology in society, which should provide the basis for further debate. He recalls the history of the principle of privacy by design within and outside the EU, from the initial research on privacy enhancing technologies (PETs) to the GDPR, provides examples of engineering methodologies and standardisation efforts and explores the meaning of privacy by design within the GDPR. As we approach the beginning of a new era in data protection, the EDPS calls on all stakeholders to join the dialogue on this important issue.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.
The EDPS has played an active part in the discussion between policy makers, regulators, industry, academia and civil society on how new technologies can be designed to benefit the individual and society. The 2018 IPEN workshop, which will take place in Barcelona on 15 June 2018, will focus on initiatives and case studies relating to privacy engineering and the use of privacy enhancing technologies, while the 40th International Conference of Data Protection and Privacy Commissioners, which will take place in Brussels during the week of 22 October 2018, will address digital ethics in general, helping to identify the way forward for privacy by design.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.
EU Data Protection Reform package:
On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:
• a general Regulation on data protection which was adopted on 24 May 2016, applicable as of 25 May 2018; and
• a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.
The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU) and became fully implementable in all EU countries on 25 May 2018.