PDP Bill & The Concept of Privacy by Design

This Essay is submitted by –

  • Ifrazunnisa Khan, LLM, University of Cambridge Professiona

The Personal Data Protection Bill, 2019 (“PDP Bill”) introduces the concept of privacy by design policy for the first time in the Indian legislation governing data protection and privacy laws. This article examines the concept of privacy by design and the manner in which the PDP Bill attempts to incorporate the said concept in strengthening privacy and data protection by data fiduciaries in India.

The Concept

Privacy by Design as a concept was first codified in Recital 46 of the RL 95/46/EC data protection directive of the European Union. Recital 46 provided that protecting the rights and freedoms of data subjects with regard to the processing of personal data requires appropriate technical and organisational measures to be taken not only at the stage of processing personal data but also at the stage of designing the processing system.[1]

The RL 95/46/EC was repealed by Regulation (EU) 2016/679 on April 27, 2016. Article 25 of Regulation (EU) 2016/679 continues to emphasise privacy by design by stating that the controller, at the time of designing the means of data processing, should implement measures and safeguards that enable data protection and protect the rights of the individuals whose data is being collected. The key factors to be kept in mind while selecting such measures and safeguards include the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks that the processing poses to individuals’ rights.[2]

Essentially, privacy by design rests on the principle that privacy protection should be embedded into the technological design of a product or service itself, and that privacy and data protection considerations should be taken into account from the outset and throughout the lifecycle of the product or service, rather than as a remedial afterthought.[3]

Principles of Privacy by Design

The Privacy Commissioner of Ontario, Canada, advanced the concept of privacy by design with the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks.[4] Rather, privacy assurance must become an organisation’s default mode of operation. By employing privacy by design, privacy infractions can be prevented before they occur. The Commissioner laid down seven principles forming the cornerstone of privacy by design, namely:

Proactive not Reactive; Preventative not Remedial

Privacy by design is conceptualised to operate before the fact, not after: it is intended to prevent privacy invasions before they occur rather than to remedy them afterwards.

Privacy as the Default Setting

Privacy by design aims to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice. No action is required on the part of the individual to protect their privacy, because protection is built into the system by default.

Privacy Embedded into Design

This principle involves building privacy protection mechanisms into the hardware or software while it is being designed, rather than bolting them on afterwards.

Full Functionality — Positive-Sum, not Zero-Sum

Privacy by design seeks to accommodate all legitimate interests and objectives, avoiding false dichotomies such as privacy vs. security by catering to both interests at once.

End-to-End Security — Full Lifecycle Protection

Privacy by design ensures that all data is securely collected, securely retained, and then securely destroyed at the end of its life cycle, in a timely fashion.

Visibility and Transparency — Keep it Open

Privacy by design seeks to keep its operations and the processes involved visible and transparent, to users and providers alike.

Respect for User Privacy — Keep it User-Centric Above All

Privacy by design requires data processors and fiduciaries to incorporate measures that protect user privacy and accessibility, such as strong privacy defaults, appropriate notice, and empowering, user-friendly options.

The PDP Bill

The Justice Sri Krishna Committee Report on Data Protection commented upon incorporating organisational measures, broadly described as ‘privacy by design’, to establish data handling practices in an organisation in a manner that ensures compliance with law by minimising or eliminating adverse impacts on privacy. Further, the Committee suggested establishing an accountability framework for certain data fiduciaries, in particular those making evaluative decisions through automated means, requiring them to set up processes to eliminate unlawful processing of data.

The PDP Bill provides for privacy by design policy under Chapter IV. Section 22(1) of the PDP Bill provides that every data fiduciary must prepare a privacy by design policy. This policy must contain the following components:

1. the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;

2. the obligations of data fiduciaries;

3. the technology used in the processing of personal data in accordance with commercially accepted or certified standards;

4. ensuring that the legitimate interests of businesses, including any innovation, are achieved without compromising privacy interests;

5. measures for protection of privacy throughout processing from the point of collection to deletion of personal data;

6. ensuring processing of personal data in a transparent manner; and

7. ensuring the interest of the data principal is accounted for at every stage of processing of personal data.

Section 22(2) of the PDP Bill provides that the data fiduciary must submit the privacy by design policy to the relevant authority for certification, in the period and manner to be prescribed, after which the said policy must be published on the websites of the data fiduciary and the relevant authority.

The privacy by design policy provided in the PDP Bill, in its present state, resembles the seven principles enunciated by the Privacy Commissioner of Ontario, Canada, as set out above. Compared to the existing regime of privacy policy under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, the privacy by design policy aims to bring a more comprehensive framework by way of a policy, so that privacy is protected from collection until the end of the data’s life cycle, while making the process more user-centric and transparent. It further brings to the fore the notion inherent in its very concept: that privacy protections should be adopted by organisations at conception and in the ordinary course of business, rather than as an afterthought or only in compliance with legal regulations.

Edited by Pragash Boopal

Approved & Published – Sakshi Raje

References

[1] OJ L 281 (November 1995)

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council

[3] European Union Agency for Network and Information Security (ENISA) (December 2014)

[4] Privacy Commissioner of Ontario, Canada, Privacy by Design (2009)