PRIVACY AS A DEFAULT SETTING UNDER THE GDPR
By Marija Boskovic Batarelo, LL.M
Privacy Counsel, Batarelo Dvojkovic Vuchetich Law Firm
The Privacy by Default principle is part of the Privacy by Design concept, a set of seven foundational principles developed back in the 1990s. Privacy by Design calls for privacy features to be taken into account beforehand and promotes privacy not only as a matter of compliance with legislation and regulatory frameworks, but as the default mode of operation. During the last ten years, Privacy by Design has been widely accepted all over the world, and most recently it was introduced into the General Data Protection Regulation (EU Regulation 2016/679, hereinafter: GDPR) as data protection by design and by default.
REGULATION OF CODE
Since Directive 95/46/EC demonstrated that the law cannot successfully keep pace with fast technological developments and the global digital market, the GDPR introduced rules on data protection by design and by default as a way of regulating behaviour through code. Code, as the system of rules used in information and communication technologies (hereinafter: ICT) to convert information, has no particular architecture that cannot be changed. By imposing an obligation to integrate privacy into ICT settings, code could equip the data subject (an identified or identifiable natural person) with more power than the law alone. Code can change, either because it evolves in a different way or because governments or businesses push it to evolve in a particular way. It is up to national legislation to strike a balance between the privacy of the individual, public security, and economic interests. Competition between different stakeholders (consumers, businesses, and governments) could develop: authors of code might develop code that displaces law, while authors of law might respond with law that displaces code.
DATA PROTECTION BY DEFAULT UNDER THE GDPR
Ensuring privacy through default settings seeks to foster data subjects’ rights and deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given ICT system. Thus, no action is required on the part of the individual to protect their privacy; it is built into the system by default. Article 25, paragraph 2 of the GDPR prescribes: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
Such a general provision can create a great deal of debate, and we can expect many discussions and interpretations until the GDPR becomes fully applicable and a certification mechanism for compliance with data protection by design and by default is in place. The obvious question that arises after reading this provision is whether any data ought to be collected without consent, or whether data controllers should decide on the level of collection of personal data that is necessary for each specific purpose of the processing. This question is particularly interesting with regard to smartphones, where many applications collect various personal data and certain personal data are necessary for the actual functioning of the application (for example, location).
Data protection by default puts a significant liability burden on developers of ICT platforms and applications. According to this principle, all ICT should be developed and implemented with mechanisms ensuring data protection by default, and the minimum necessary for the collection purposes should be precisely defined. The technology should provide an opportunity for explicit consent, and the data subject must choose to share certain data. The law shall set the limitations and grounds for the processing of data, and contracts shall define the precise scope of the default settings. However, at this point we do not have clear guidelines prescribed by law, and many ICT solutions have terms and conditions that are quite general.
What could be recommended as good practice is that ICT should be developed so that, by its initial settings, it allows only the minimum collection of personal data, along with a minimum storage time and a defined circle of persons authorised to access the data. Only upon the consent of the data subject would those settings be changed to allow a wider scope of data processing. This would mean, for example, that the data controller would initially perform only such processing as is necessary for the core functionality of an application or service. Processing that is prescribed by law, pursues a legitimate interest, or is necessary for the vital interests of the data subject or for the public interest could also be justified from the outset, whereas for all processing outside this limited scope the data controller would need additional consent, and such consent would then change the default settings.
Lawrence Lessig, “The Law of the Horse: What Cyberlaw Might Teach”, Research Publication No. 1999-05, 12/1999, p. 532.
A. Cavoukian, Ph.D., Comments on the European Commission’s Comprehensive Approach on Personal Data Protection in the EU – Public Authority, 13 January 2011, p. 2.