The public debate on the online manipulation and misuse of personal data for tracking and profiling has received unprecedented attention in recent weeks. This debate highlights the need for the kind of comprehensive and effective legislation outlined in the General Data Protection Regulation (GDPR) in order to enforce respect for fundamental rights, the European Data Protection Supervisor (EDPS) said today, as he published his preliminary Opinion on the principle of Privacy by Design.

One element of the debate concerns the role of technology in society, in particular whether companies should be able to take advantage of it exclusively as a means to increase their profits, or whether they should be obliged to use it to further the interests of users and the common good. From this ethical perspective, the principle of privacy by design is an efficient way to reconcile economic interests and social objectives. It involves planning for the integration of personal data protection into new technological systems and processes from the initial design stage of a project, as well as throughout its whole lifecycle.

Giovanni Buttarelli, EDPS, said: With the GDPR now fully applicable, our preliminary Opinion looks to build upon and encourage the discussion between policy makers, regulators, industry, academia and civil society on how new technologies can be designed to benefit the individual and society. Technology should serve the interests of those who use it. We should therefore develop and encourage a common approach to technological development aimed at ensuring that technology cannot be exploited to serve the interests of only a select few companies, nor used to create a surveillance state.”

Privacy by design and the complementary principle of privacy by default, which involves ensuring that privacy protection is integrated into all technological services and products as a default setting, are both cited in the GDPR. What has previously been considered only as good practice, will now, therefore, become a legal obligationfor all organisations responsible for processing personal data. This fits into the wider accountability principle defined in the GDPR, which requires organisations to implement appropriate technical and organisational methods to ensure and demonstrate data protection compliance.

The preliminary Opinion on Privacy by Design follows the publication on 19 March 2018 of the EDPS Opinion on online manipulation and personal data, in which the EDPS advocated an extension of the scope of protection afforded to individuals’ fundamental rights in the digital society. The successful implementation of the principles of privacy and data protection by design and by default is essential in order to guarantee effective protection for individuals. It is also an important step in the development of digital ethics. The conclusions of the recent report of the EDPS Ethics Advisory Board reinforce this idea, citing privacy by design within the broader context of integrating ethical considerations into technological design.

With this preliminary Opinion, the EDPS offers a first contribution to the dialogue on the role and development of technology in society, which should provide the basis for further debate. He recalls the history of the principle of privacy by design within and outside the EU, from the initial research on privacy enhancing technologies (PETs) to the GDPR, provides examples of engineering methodologies and standardisation efforts and explores the meaning of privacy by design within the GDPR. As we approach the beginning of a new era in data protection, the EDPS calls on all stakeholders to join the dialogue on this important issue.