Internet has revolutionized
various sectors of economy. And with its rise, it has become indispensible for
smoothly carrying out day to day functions. Prevalent times are often termed as
‘Age of Data’ which often leads to parting of personal data while using various
internet services. With the exponential rise in users incidents of identity
theft, unauthorised access and other such breaches have increased.
Privacy concerns exist
wherever personally identifiable information or other sensitive information is
collected, stored, used and finally destroyed or deleted in digital for or
otherwise. The challenge of data privacy
is to utilise data and at the same time protecting individual’s privacy
preferences and their personally identifiable information.
The Right to Privacy is a
highly developed area of law in Europe and all the member states of the European
Union are also signatories of the European Convention on Human Rights. An
important part of EU privacy and human rights law is the data protection
directive. It is a European Union directive adopted in 1995 which regulates the
processing of personal data within the European Union.
The General Data
Protection Regulation (GDPR) which was adopted in April 2016 will replace the
Data Protection Directive and will be enforceable from May 2018. GDPR is a
regulation by which the European Parliament, the Council of the European Union
and the European Commission intend to strengthen and unify data protection law for
all individuals within the European Union. It will also look into the export of
personal data outside the EU. The GDPR aims primarily to give control back to
citizens and residents over their personal data and to simplify the regulatory
environment for international business by unifying the regulation within the
EU. It does not require national governments to pass any enabling legislation
and is thus directly binding and applicable, unlike the current directive which
needs legislations to be passed. GDPR extends the scope of the EU data
protection law to all foreign companies processing data of EU residents. It
also brings a new set of digital rights for EU citizens in an age when the
economic value of personal data is increasing in the digital economy.
The GDPR is the most
significant piece of European Privacy legislation in the last twenty years
seeking to unify data protection laws across Europe.
Under this regime companies
must keep a thorough record of how and when an individual gives consent to
store and use their personal data. When somebody withdraws consent at any point
of time, then their details must be permanently erased, and not just deleted
from a mailing list. GDPR gives individuals the right to be forgotten.
Privacy by Design and Default is
the cornerstone of the GDPR. Privacy by design is a fundamental component in
the design and maintenance of information systems and mode of operations for
each organisation. This mandates that from the initial stages onwards
organisation must consider the impact that processing data can have on an individual’s
privacy. This means that every new business process or product that could
involve personal data or impact the privacy of an individual must be designed
in accordance with data protection requirements.
Article 25 of the GDPR
codifies the concept of privacy by design. According to this, a data controller
is required to implement appropriate technical and organisational measures both
at the time of determination of the means for processing itself in order to
ensure data protection principles such as data minimisation are met.
The concept of privacy by
design promotes compliance with data protection laws and regulations from the
earliest stages of initiatives involving personal data. It puts more strain on
the conception and development of new initiatives, following privacy by design
principles can be used as a mean to help ensure full compliance with data
protection principles issues being identified at an earlier and less costly
stage and to the increase of awareness of privacy and data protection related
matters throughout an organisation. Under the current regime no specific
requirement to implement privacy by design by default exits but under GDPR
which will come into force it’s inherent.
The data controller while
implementing privacy by design needs to take into account the state of the art,
cost of implementation and the nature, scope, context and purposes of
processing as well as the likelihood and severity of risks of the rights and
freedoms of natural persons posed by the processing of their personal data.
Privacy by design is a
technical approach. While the incentives and will to invade privacy may be
social problems, the actual ability to do so is a technical problem in many
instances. Thus, dealing with it at technology level is necessary.