‘Privacy by design’: leveraging technology to ensure data privacy

Sunday 9 June 2024

Gaurav G Arora
JSA, Gurugram
gaurav.arora@jsalaw.com

Aditi Richa Tiwary
JSA, Gurugram
aditi.tiwary@jsalaw.com

Introduction

With the world incrementally embracing technology in all its identifiable facets, the surge in data privacy breaches and cybersecurity concerns is not surprising.

According to available statistics, the average cost of a data breach is US$4.45m.

With jurisdictions tightening their regulatory grip over data privacy and cybersecurity breaches, corporations across jurisdictions are recalibrating their data processing infrastructures to ensure compliance with data privacy and cybersecurity requirements.

Privacy by design is one of the most efficient methods of ensuring data privacy compliance, as it integrates privacy principles into data processing systems themselves, reducing the external engagement otherwise required to achieve such compliance.

Understanding privacy by design

The globally accepted data privacy principles, including notice, consent, data minimisation, purpose limitation and accountability, are found in data privacy legislation and regulations across the globe. Privacy by design requires such principles to be accommodated within the technological infrastructure of corporations’ data processing systems, either at their inception or at any stage of their upgrade or development.

Simply put, privacy by design stands for the integration of the larger privacy principles within the data processing systems of corporations, so that users’ data is protected automatically through mechanisms built into such systems. Privacy by design can be materialised in a multitude of ways, including end-to-end encryption of data input by users, consent taken by default for each action involving data processing, automated deletion of users’ data after a specific duration or event, storage of data in anonymised or pseudonymised form, etc.
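The following is an added illustration, not code from the article or its authors, of how three of the mechanisms listed above (pseudonymised storage, consent tied to a declared purpose, and automated deletion after a retention period) can be built into a data store rather than bolted on afterwards. The policy table, the demo key and the sample user are constructed for the example; in a real deployment the pseudonymisation key would be held in a key store separate from the database.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed demo key. In a real deployment the key lives in a key store or HSM,
# separate from the database, so tokens cannot be linked back without it.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical policy table: per purpose, the fields that may be kept (data
# minimisation) and how long they may be kept (retention / purpose limitation).
POLICY = {
    "billing": {"fields": {"plan", "country"}, "retention": timedelta(days=365)},
    "analytics": {"fields": {"page"}, "retention": timedelta(days=30)},
}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: a stable token per user so records can still be
    joined, but not reversible and not linkable by anyone without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(payload: dict, purpose: str) -> dict:
    """Drop every field the declared purpose does not need."""
    return {k: v for k, v in payload.items() if k in POLICY[purpose]["fields"]}


@dataclass
class Record:
    subject: str            # pseudonym only; the raw identifier is never stored
    purpose: str
    payload: dict
    created_at: datetime
    retention: timedelta

    def expired(self, now: datetime) -> bool:
        return now >= self.created_at + self.retention


class PrivacyStore:
    """A store whose write path enforces consent, minimisation and pseudonymisation,
    and whose purge routine enforces retention limits automatically."""

    def __init__(self, policy: dict = POLICY) -> None:
        self._policy = policy
        self._consents: dict[str, set[str]] = {}   # pseudonym -> consented purposes
        self._records: list[Record] = []

    def record_consent(self, identifier: str, purpose: str) -> None:
        self._consents.setdefault(pseudonymise(identifier), set()).add(purpose)

    def store(self, identifier: str, purpose: str, payload: dict, now: datetime) -> str:
        if purpose not in self._policy:
            raise ValueError(f"unknown purpose {purpose!r}")
        token = pseudonymise(identifier)
        if purpose not in self._consents.get(token, set()):
            raise PermissionError(f"no consent recorded for purpose {purpose!r}")
        self._records.append(Record(token, purpose, minimise(payload, purpose), now,
                                    self._policy[purpose]["retention"]))
        return token

    def read(self, identifier: str, purpose: str) -> list[dict]:
        # Purpose limitation: only records collected for this purpose are returned.
        token = pseudonymise(identifier)
        return [r.payload for r in self._records
                if r.subject == token and r.purpose == purpose]

    def purge_expired(self, now: datetime) -> int:
        """Automated deletion: remove records past their retention period."""
        before = len(self._records)
        self._records = [r for r in self._records if not r.expired(now)]
        return before - len(self._records)

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Constructed walk-through; returns the observable results."""
    store = PrivacyStore()
    t0 = datetime(2024, 6, 9, tzinfo=timezone.utc)
    user = "alice@example.com"                      # constructed sample identifier
    store.record_consent(user, "billing")
    token = store.store(user, "billing",
                        {"plan": "pro", "country": "IN", "phone": "555-0100"}, t0)
    try:
        store.store(user, "analytics", {"page": "/pricing"}, t0)
        refused = False
    except PermissionError:
        refused = True
    return {
        "token_is_not_raw_identifier": user not in token,
        "stored_fields": sorted(store.read(user, "billing")[0]),
        "analytics_refused_without_consent": refused,
        "purged_after_30_days": store.purge_expired(t0 + timedelta(days=30)),
        "purged_after_366_days": store.purge_expired(t0 + timedelta(days=366)),
        "remaining": store.count(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the structure is that the controls are not optional steps an operator can forget: the only write path pseudonymises and minimises, the only read path is purpose-scoped, and retention is enforced by a routine that can be scheduled rather than by policy documents alone. That is what makes the resulting compliance posture objectively verifiable in the sense the article describes.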

While the idea of privacy by design is a technological construct, it is rooted in data privacy legislation, including the European Union’s General Data Protection Regulation and the UK Data Protection Act 2018, as ‘privacy by design and default’, which requires the implementation of technical and organisational measures aimed at ensuring privacy through the technological design of user interfaces (UIs).

India’s journey with privacy by design

While India awaits the implementation of the Digital Personal Data Protection Act 2023 (the ‘Act’), which aims to exclusively regulate the digital personal data of its citizens, the Act’s departure from some of its predecessor drafts on certain points is noteworthy. The absence of provisions concerning privacy by design is one such departure. While the Personal Data Protection Bill 2019 and the Data Protection Bill 2021 included provisions requiring corporations to frame a privacy by design policy, such provisions do not find place in the Act.

The commercial and practical benefits of adopting privacy by design are considerable, as the concept materialises as a privacy-oriented layer of the technological foundation of UIs, regardless of whether it is a regulatory compliance or a statutory mandate.

Functionality of privacy by design for corporations vis-à-vis legal compliances

As privacy by design ensures data privacy through technological design, its functionality rests in the technological response to data privacy concerns of users.

It is imperative to realise that privacy by design should not be construed as an instrument that by itself ensures data privacy compliance. It should rather be seen as an assistive tool that makes such compliance more defensible, through objectively verifiable algorithms demonstrating the privacy-oriented structure of the technology. As privacy by design is not directly associated with ensuring data privacy compliance, corporations are generally reluctant to incorporate it in their technological design, assuming the concept to be more ethical than practical. The absence of a robust regulatory force mandating the adoption of privacy by design as an independent compliance in the data protection regulations of most jurisdictions further adds to this reluctance.

However, numerous corporations are increasingly building their UIs on the edifice of privacy by design. Given the enormous cost associated with every data privacy breach, corporations must realise the necessity of incorporating privacy by design as an element of the fundamental structure of their technology, making their compliances more defensible. Additionally, privacy by design reduces the risk of non-compliance associated with the technologically driven UIs of corporations through strategically placed algorithms, including automated anonymisation, pseudonymisation and end-to-end encryption, thereby leading to a privacy-driven ecosystem within the technological design of UIs.

The way forward

As corporations across the globe advance, data accumulation and privacy increasingly become larger concerns. While privacy by design may not necessarily find a legislative pedestal in all jurisdictions, incorporating the concept assists corporations in increasing the probative value of their compliances, as it provides objectively verifiable algorithms demonstrating compliance with data privacy regulations through technology. As jurisdictions rely on increasingly stricter statutory regulations to ensure data privacy compliance, corporations can adopt innovative mechanisms such as privacy by design to make such compliance more defensible, thereby leading to an overall reduction in data privacy breaches and in the legal, regulatory, commercial and practical costs associated with such breaches across jurisdictions.