Understanding The Concept of Privacy By Design

By Danijela Obradovic, Lawyer at Roberts & Obradovic

“Privacy by Design,” a concept first introduced by former Ontario Information and Privacy Commissioner Ann Cavoukian, is a comprehensive approach to privacy that goes beyond simply meeting regulatory and legal requirements. It involves incorporating privacy into all aspects of an organization, including its objectives, priorities, project management, and operations. Privacy Lawyers and IT professionals should understand the principles behind this important privacy framework.

The Privacy by Design framework is based on seven (7) principles:

The aim of these principles is to promote privacy as an integral aspect of organizational objectives, priorities, project management, and operations. We will discuss these seven principles in more detail below:

 Proactive, Preventative Approach 

The first principle emphasizes the anticipation and prevention of potential privacy invasions, rather than waiting for them to occur and offering remedial measures afterwards. This approach adopts a preventative attitude towards privacy risks, rather than addressing them after they have taken place. In essence, Privacy by Design aims to stop privacy infractions from happening in the first place, rather than reacting after the fact.

Privacy as Default Setting 

The second principle, aims to provide the highest level of privacy protection by integrating privacy measures into all aspects of IT systems and business practices. Regardless of the individual’s actions, their privacy is protected by default through the implementation of privacy-focused design and architecture. This means that personal data is automatically shielded from potential privacy breaches, eliminating the need for individuals to take any extra steps to safeguard their privacy.

 Embedded in Design 

The third principle indicates that privacy should be integrated into the very foundation of IT systems and business practices, rather than being added on as an afterthought. This results in privacy becoming a fundamental aspect of the system’s core functionality, without compromising its performance.

Full Functionality, Positive-Sum Approach 

Positive-Sum, not Zero-Sum, takes a “positive sum” view of privacy and recognizes that organizations need not choose between privacy and security or between privacy and revenue, as both can be achieved.

End-to-End Security 

The fifth principle requires organizations to implement end-to-end privacy and security measures covering the entire lifecycle of data once privacy has been embedded into the design of IT systems and business practices.

Visibility and Transparency 

The visibility and transparency principle requires organizations to be transparent with users and ensure that all interested stakeholders have visibility into their privacy standards and practices. Organizations should also consider obtaining independent verification of the robustness of their privacy systems.

 User-Centric Approach 

The last principle calls for organizations to adopt a user-centric approach and prioritize the privacy interests of individual users and customers. This can be demonstrated, for example, by offering strong privacy defaults, appropriate notice, and empowering user-friendly options.

In Canada, the CPPA (Canadian Personal Information Protection and Electronic Documents Act) contains no explicit reference to Privacy by Design or its seven foundational principles. However, the Standing Committee on Access to Information, Privacy, and Ethics has recommended that privacy by design be made a central principle and that its seven foundational principles be incorporated into Canadian privacy legislation, where possible.

In Quebec, on the other hand, privacy legislation (Bill 64) has incorporated Privacy by Design concepts. The legislation requires organizations that collect, use, or disclose personal information of individuals located in Quebec to implement privacy-by-default settings and ensure the highest level of confidentiality without any intervention by the individual concerned. Organizations must comply with these requirements, even if they do not have a physical presence in Quebec.

Canadian organizations operating in Europe should also be aware that Privacy by Design is an explicit legal obligation under the GDPR (General Data Protection Regulation). Article 25 of the GDPR imposes a duty on controllers to put in place technical and organizational measures that effectively implement data protection principles and integrate necessary safeguards into the processing of personal data to ensure protection of data subjects’ rights. Pseudonymization and data minimization are explicitly mentioned as examples of appropriate measures.

Privacy by Design is a comprehensive and proactive approach to privacy that recognizes the importance of embedding privacy considerations into all aspects of information technology, networked data, and all organization.

About the Author

Danijela is a lawyer with significant experience in solving complex business challenges. She has a general corporate practice, with expertise in privacy law, regulatory compliance, risk management and corporate governance. Her clients range from medium size businesses to multi-national conglomerates. Danijela holds an engineering degree, having graduated with distinction from University of Waterloo, and has significant experience as an engineer at a top-tier energy corporation. She earned her Juris Doctorate degree from Osgoode Hall Law School. Danijela’s commercial insight and technical know-how allow her to deliver practical solutions to clients. She is currently based in Toronto, Canada.