Internet has revolutionized
various sectors of economy. And with its rise, it has become indispensible for
smoothly carrying out day to day functions. Prevalent times are often termed as
‘Age of Data’ which often leads to parting of personal data while using various
internet services. With the exponential rise in users incidents of identity
theft, unauthorised access and other such breaches have increased.
Privacy concerns exist
wherever personally identifiable information or other sensitive information is
collected, stored, used and finally destroyed or deleted in digital for or otherwise. The challenge of data privacy is to utilise
data and at the same time protecting individual’s privacy preferences and their
personally identifiable information.
The Right to Privacy is a
highly developed area of law in Europe and all the member states of the
European Union are also signatories of the European Convention on Human Rights.
An important part of EU privacy and human rights law is the data protection
directive. It is a European Union directive adopted in 1995 which regulates the
processing of personal data within the European Union.
The General Data
Protection Regulation (GDPR) which was adopted in April 2016 will replace the
Data Protection Directive and will be enforceable from May 2018. It will
strengthen and unify data protection law for all individuals within the
European Union and will also look into the export of personal data outside the
EU. The GDPR aims to give control to citizens and residents over their personal
data. It will simplify the regulatory environment for international business by
unifying the regulation within the EU. It does not require national governments
to pass any enabling legislation, and is thus, directly binding and applicable,
unlike the current directive which needs legislations to be passed. The
regulation extends the ambit of the law to all foreign companies processing data
of EU residents or individuals. It also brings a new set of digital rights for
EU citizens in an age when the economic value of personal data is increasing in
the digital economy.
The GDPR is the most
significant piece of European Privacy legislation in the last twenty years
seeking to unify data protection laws across Europe.
Under this, companies
must keep a detailed record of how and when an individual gives consent to store,
and use their personal or private data. When somebody withdraws consent at any
point of time, then their details must be permanently erased, and not just
deleted from a mailing list. GDPR gives individuals the right to be forgotten
Privacy by Design and Default is
the cornerstone of the GDPR. Privacy by design is a fundamental component in
the design and maintenance of information systems and mode of operations for
each organisation. This mandates that from the initial stages onwards,
organisation must consider the impact that processing data can have on an
individual’s privacy. This means, that every new business process or product
that could involve personal data or impact the privacy of an individual must be
designed in accordance with data protection requirements.
Article 25 of the GDPR
codifies the concept of privacy by design. According to this, a data controller
is required to implement appropriate technical and organisational measures both
at the time of determination of the means for processing itself in order to
ensure data protection principles such as data minimisation are met.
The concept of privacy by
design promotes compliance with data protection laws and regulations from the
earliest stages of initiatives involving personal data. It puts more strain on
the conception and development of new initiatives, following privacy by design
principles can be used as a mean to help ensure full compliance with data
protection principles issues being identified at an earlier and less costly
stage and to the increase of awareness of privacy and data protection related
matters throughout an organisation. Under the current regime (data protection
directive which is in force currently) no specific requirement to implement
privacy by design by default exits, but under GDPR which will come into force it’s
The data controller while
implementing privacy by design needs to take into account the state of the art,
cost of implementation and the nature, scope, context and purposes of
processing as well as the likelihood and severity of risks of the rights and
freedoms of natural persons posed by the processing of their personal data.
Privacy by design is a
technical approach. While the incentives and will to invade privacy may be
social problems, the actual ability to do so is a technical problem in many
instances. Thus, dealing with it at technology level is necessary.