As India contemplates and pushes for its own data protection regime, there is a huge opportunity to design and re-design products and services in ways that will reduce, if not eliminate, data privacy risks. And when the world looks at you as the pioneers of the IT industry, some of the key challenges are competitive advantages for India.
“Privacy by Design” and “Privacy by Default” have been frequently discussed topics related to data protection. The first thoughts of “Privacy by Design” were expressed in the 1970s and were incorporated in the 1990s into the Data Protection Directive 95/46/EC. According to recital 46 of this Directive, technical and organisational measures (TOMs) must be taken already at the time of planning a processing system to protect data safety.
Privacy by Design is a concept Dr. Ann Cavoukian developed back in the 1990s to address the ever-growing and systemic effects of Information and Communication Technologies and of large-scale networked data systems.
In October 2010, regulators at the International Conference of Data Protection Authorities and Privacy Commissioners unanimously passed a Resolution recognizing Privacy by Design as an essential component of fundamental privacy protection. Since then, Privacy by Design has developed a global presence and has been translated into 37 languages.
The term “Privacy by Design” means nothing more than “data protection through technology design.” Behind this is the thought that data protection in data processing procedures is best adhered to when it is already integrated into the technology when it is created. Nevertheless, there is still uncertainty about what “Privacy by Design” means and how one can implement it. This is due, on the one hand, to incomplete implementation of the Directive in some Member States and, on the other hand, to how the principle appears in the General Data Protection Regulation (GDPR): the current approach in the data protection guidelines requires persons responsible to include TOMs already at the time that the means for processing are defined, in order to fulfil the basics and requirements of “Privacy by Design”. Legislation leaves completely open which exact protective measures are to be taken. As an example, one need only name pseudonymisation. No more detail is given in recital 78 of the regulation. At least in other parts of the law, encryption is named, as well as anonymisation of data, as possible protective measures. Furthermore, user authentication and technical implementation of the right to object must be considered. In addition, when selecting precautions, one can use other standards, such as ISO standards. When selecting measures in individual cases, one must ensure that the state of the art as well as reasonable implementation costs are taken into account.
Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.
Initially, deploying Privacy-Enhancing Technologies (PETs) was seen as the solution. Then, we realized that a more substantial approach is required — extending the use of PETs to a complete Privacy by Design framework. Replacing the existing zero-sum model of either/or with a doubly-enabling positive-sum (win/win) paradigm will be essential.
Privacy by Design extends to a trilogy of encompassing applications:
- IT systems;
- accountable business practices; and
- networked infrastructure.
Principles of Privacy by Design may be applied to all types of personal information, but should be applied with special vigour to sensitive data such as medical information and financial data. The strength of the privacy measures implemented tends to be commensurate with the sensitivity of the data.
The objectives of Privacy by Design — ensuring strong privacy and gaining personal control over one’s information, and, for organizations, gaining a sustainable competitive advantage — may be accomplished by practicing the 7 Foundational Principles, which are intended to serve as the foundation of one’s privacy practices.
- Principle 1: Proactive not reactive: preventative not remedial
- Principle 2: Privacy as the default setting
- Principle 3: Privacy embedded into design
- Principle 4: Full functionality: positive-sum, not zero-sum
- Principle 5: End-to-end security: full lifecycle protection
- Principle 6: Visibility and transparency: keep it open
- Principle 7: Respect for user privacy: keep it user-centric