Privacy by Design has evolved into the nucleus of the data protection frameworks being adopted across the world. It is a fundamental prerequisite for developing next-generation systems that provide robust protection for the data they handle. It has also become a key element of privacy compliance for organizations that process large volumes of personal data.
We believe that the sanctity of data should be the paramount consideration for the growth of a digital economy, one that is free and fair and respects the privacy of individuals.
The key elements that constitute Privacy by Design, its framework and its implementation in the Indian context are discussed below:
The Data Element
In today’s digital world, our reliance on technology and systems has increased manifold, and technology now touches many aspects of daily life that previously depended solely on traditional approaches. As the adoption of technology increased, it translated directly into a surge in the volume of data being collected and processed continuously. The penetration of smartphones and social networks deep into a larger share of the world’s population has been the key catalyst for this exponential consumption of data. IDC estimated that by 2025, 175 zettabytes of new data will be created across the world.
Data is the lifeline of the new digital world. Every passing second witnesses millions of transactions across the globe, generating mountains of data that have become a key driver of the new-age economy. For instance, every user action on the internet generates a data record that is captured and processed using Artificial Intelligence to track the user’s preferences and recommend products or services. With the Internet of Things becoming the next normal, every touch point a user has with IoT devices will generate volumes of data, which these devices will use through machine learning algorithms to respond intelligently to the end user.
While some of this data may not relate directly to any individual, a subset of it can be directly classified as “Personal” data. This is the data that needs to be protected, as any breach of it can directly impact the individual and their privacy.
Privacy Element
The concept of Privacy, which may have been unheard of earlier, has evolved significantly over the last few decades in the North American and European regions, where it is protected through various enactments. The adoption of the European Union’s General Data Protection Regulation 2016 by member countries is considered a significant landmark in this area.
The EU’s adoption of the General Data Protection Regulation, and its coming into effect from May 2018, has set the benchmark for other nations to follow. This enactment is considered the most comprehensive legislation to date on individual data protection and comes with the most stringent set of penalties for violations, which may run into millions of dollars. Organizations like Facebook, Google and SAP have been involved in class action lawsuits under this act.
Since then, more and more nations across the globe have acknowledged Privacy as a Fundamental Right akin to the Right to Life and Liberty and have been creating laws to protect this right.
In India, the apex court declared Privacy a fundamental right under Article 21 in its judgement in the case of Justice K.S. Puttaswamy and another vs Union of India [1].
The proposed “The Personal Data Protection Bill 2019” is a step forward towards safeguarding this fundamental right. The provisions of this bill are aligned with the EU’s General Data Protection Regulation and provide comprehensive legislation for data protection, an area that was earlier covered under Section 43A of the Information Technology Act of 2000 and related rules.
Article 25 of the GDPR requires the implementation of Data Protection by Design and by Default, and Section 22 of the proposed bill in India is analogous to this article. Both clauses, in their separate legislations, mandate the data processors to implement Privacy by Design in their systems.
Privacy by Design – Meaning and Framework
Privacy by Design (PbD) is a concept that brings the element of privacy into the design phase of any system that is being envisaged. This ensures that data protection is not left as a post-implementation activity but becomes part of the product development lifecycle. It requires that PbD be given the necessary focus from the conception phase to end-of-life (a cradle-to-grave approach) and that it be embedded in business processes and technologies.
As this concept evolved, a framework for PbD was designed in the early 90s by renowned privacy expert Dr. Ann Cavoukian. It seeks to proactively embed privacy into the design specifications of information technology systems, network infrastructure and business practices, thereby achieving the most robust protection possible.
Regulators at the International Conference of Data Protection Authorities and Privacy Commissioners unanimously passed a Resolution in Oct 2010 recognizing Privacy by Design as an essential component of fundamental privacy protection. The U.S. Federal Trade Commission followed this by including Privacy by Design as one of three recommended practices for protecting online privacy.
The framework provides for the following principles:
- Proactive not Reactive: Preventative not Remedial: PbD anticipates and prevents privacy invasive events before they happen.
- Privacy as the Default Setting: No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
- Privacy Embedded into Design: Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact.
- Full Functionality: Positive-Sum, not Zero-Sum: Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made.
- End-to-End Security: Full Lifecycle Protection: Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved. Strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion.
- Visibility and Transparency: Keep it Open: Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification.
- Respect for User Privacy: Keep it User-Centric: Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
Privacy by Design – The Indian Context
In India, The Personal Data Protection Bill 2019 is a step towards the enactment of a law, similar to GDPR, which aims to protect the personal data of its subjects and provides for penalties and punishments in case of breaches and non-compliance.
Section 22 of the proposed legislation requires organizations that come under the purview of this act to implement a Privacy by Design policy. The proposed Bill mandates the following activities:
- Preparation of Privacy by Design policy
- Implementing PbD in business practices and technical systems
- Submission of the PbD policy to the Authority for Certification
- Publishing of the Certified PbD policy by the data fiduciary as well as the Authority on their portals.
The PbD concept will be new to some of the Indian organizations that come under the purview of this new legislation. It would require them to make changes to their systems and align them with the proposed regulation as well as the associated rules.
But the major change would be visible in the way new systems are designed henceforth by every organization that comes under this enactment, irrespective of its size, whether it is a start-up or a large conglomerate. The proactive steps they take at this juncture would help them avoid additional costs in future arising from non-compliance or rework. Additionally, it will help make their systems more robust and conformant to global privacy standards.
It will be advisable for these organizations to engage experts who have the right blend of knowledge of information technology systems and of cyber and data privacy laws, who can guide them in policy implementation as well as certification approval, and who can be their trusted partners around the clock in resolving any unforeseen issues in this area that may impact their businesses.
[1] (2017) 10 SCC 1