By Akshayy S Nanda
The enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) heralds a momentous shift in India’s data privacy landscape, promising significant and dynamic changes in the near future. The enforcement of this pivotal law is pending, awaiting the notification of several accompanying rules. Adhering to the DPDP Act will be an ongoing endeavor, demanding periodic evaluations and audits to ensure steadfast compliance. The legislation entails severe penalties for non-compliance, with no ceiling on the cumulative penalty amount. It is imperative for organizations to accord paramount importance to this legislation, as failure to comply not only invites legal repercussions but also jeopardizes consumer trust. In this digital age, consumers are increasingly aware of their data privacy rights and consider a company’s privacy standards when choosing a product or service. Implementing privacy by design can assist businesses not only in achieving efficient compliance with the personal data protection law but also in fostering consumer trust and gaining a competitive advantage.
Privacy by Design (PbD) stands as a fundamental approach to safeguarding privacy in the ever-evolving digital landscape. Rooted in principles advocating proactive measures to embed privacy into systems, PbD has gained profound importance in the wake of increasing personal data breaches and privacy concerns. Understanding its history and principles, and its relevance in contemporary times, underscores its imperative nature for Indian businesses.
Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada, pioneered the concept of PbD in the 1990s. Initially conceptualized to address challenges arising from the lack of inherent privacy measures in technological systems, it has evolved into a globally recognized framework. This concept has gained significance in recent years, especially since the introduction of legislation like the GDPR, which makes it obligatory for organizations to adhere to the principles of data protection by design and default. Even the Personal Data Protection Bill, 2019 included the requirement of privacy by design. However, the DPDP Act does not make it mandatory for organizations processing personal data to comply with the principles of privacy by design. Even though data fiduciaries are not mandated under the DPDP Act to adopt ‘privacy by design’, it is highly recommended, as it will aid in efficient compliance with the provisions of the law and emerge as a competitive advantage for businesses in the market.
The concept of PbD provides that privacy or personal data protection must be embedded throughout the entire lifecycle of a product or service which involves processing of personal data, i.e., privacy must be given due consideration right from the early design stage, throughout the use of the technology and till the ultimate disposal of the personal data. The PbD framework provides that privacy must be a forethought and not an afterthought and privacy needs to be directly embedded into the technology. This means that businesses must consider privacy concerns at the very early design stages of new products/services rather than looking for ways to embed privacy measures at a much later stage of the developmental process.
The framework of PbD consists of seven foundational principles:
Principle 1: Proactive not reactive; preventative not remedial
This implies that organizations must have a privacy-first attitude and incorporate preventative measures to protect privacy rather than wait for privacy violations to emerge before putting in the requisite measures and safeguards. Rather than addressing privacy as an afterthought, PbD advocates for its integration from the outset of any system’s development.
Principle 2: Privacy as the default setting
Products or services that process personal data should be designed in such a manner that they prioritize privacy by automatically setting the highest privacy settings by default, i.e., without requiring user intervention. This implies that the highest degree of privacy should be built into the system by default without any action being required by the individuals to set their privacy settings.
Principle 3: Privacy embedded into design
This principle provides that privacy measures must be embedded in the core functionality of the products or services being designed and be implemented throughout the entire lifecycle of processing of personal data, from collection to deletion. This does not mean that privacy measures must simply be included in the design process but that such measures must be integral to the core of the technology in question. Privacy must be embedded in the system rather than being an add-on feature which can be switched on or off at the discretion of the organization.
Principle 4: Full functionality — positive-sum, not zero-sum
Privacy measures should not impede system functionality but instead operate symbiotically to enhance user experience. This principle provides that the privacy measures must address all legitimate interests/objectives rather than making unnecessary trade-offs. Designers of new products or services that process personal data must look for solutions which address both the functional objectives of the product/service and the privacy measures. Businesses must avoid developing a functional solution first and then looking for ways to address the privacy concerns.
Principle 5: End-to-end security — Full lifecycle protection
Organizations must ensure that strong security safeguards are incorporated and maintained throughout the lifecycle of processing of personal data, i.e., from collection, throughout use and till deletion of personal data. Due consideration must be given to privacy at each and every stage of the processing operation. Businesses must assess and anticipate the privacy risks at each stage and, accordingly, implement security safeguards to mitigate such risks.
Principle 6: Visibility and transparency
Users should have clear visibility into how their personal data is collected, used, and stored, fostering trust and informed decision-making. The aim of the personal data protection legislation is to ensure that individuals have genuine choice and control to determine the manner in which their personal data is being processed. Accordingly, unless and until individuals have visibility over the processing of their personal data, the aims and objectives of the new law cannot be met. As such, organizations must be completely transparent on the collection and use of personal data so that individuals can make an informed decision regarding the extent of processing of their personal data. Businesses must not attempt to mislead the users or limit the disclosure required to be made to prevent the individuals from making an informed decision.
Principle 7: Respect for user privacy
Organizations must respect the privacy of individuals and must design and deploy products/services in a manner that allows users to have genuine control and choice over the processing of their personal data. It is important for businesses to understand that they have a fiduciary duty towards the individuals in respect of processing their personal data. As such, the rights and interests of the individuals must be a priority for the designers right from the early design stage and throughout the complete lifecycle of the products/services that process personal data.
The adoption of Privacy by Design represents a paradigm shift in how companies can approach personal data processing and user privacy. It helps organizations to establish a culture of privacy compliance, thereby reducing privacy-related risks. In an era where personal data is a critical asset, integrating privacy measures into the core of products and services not only safeguards users but also fortifies the long-term viability and trustworthiness of businesses in an increasingly privacy-conscious world. Embracing these principles isn’t merely a compliance checkbox; it’s a strategic imperative fostering ethical practices and sustainable growth. It helps in reducing the probability of personal data breaches, avoiding monetary penalties, and complying with the personal data protection legislation, as well as providing a competitive advantage for businesses.
Akshayy S Nanda is a partner at Saraf & Partners, heading the data privacy and competition law practice of the law firm.