Privacy By Design - Wikipedia

From Wikipedia, the free encyclopedia

Privacy by Design is an approach to systems engineering which takes privacy into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the whole process, and may have been derived from it. The concept originates in a joint report on “Privacy-enhancing technologies” by a joint team of the Information and Privacy Commissioner of Ontario, Canada, the Dutch Data Protection Authority and the Netherlands Organisation for Applied Scientific Research in 1995.


Foundational principles

Privacy by Design is not about data protection but about designing so that data doesn't need protection. The root principle is therefore based on enabling service without a transfer of data control from the citizen to the system (i.e., the citizen becoming identifiable or recognizable).

One simple example is the Dynamic Host Configuration Protocol, where devices get an IP address from the server based on random identifiers and are thus able to communicate without having leaked personal identifiers per se.

A more advanced example is the Global Positioning System, where devices can detect their geographical location client-side without leaking identity or location.

Another example, in the Internet of Things, is RFID, where citizens' ability to communicate with their devices without leaking identifiers can be achieved using zero-knowledge proofs.

One way to link digital privacy with security is to consider privacy as "security from one stakeholder's perspective". More advanced Privacy by Design therefore acknowledges that transactions often involve mutual security requirements to maintain security for all stakeholders, or what we can call Security by Design. In Security by Design, each stakeholder's security requirements on counter-parties are established without transferring control, i.e. at least one stakeholder, the citizen, remains non-identifiable, or identifiable only as specifically restricted to conditions negotiated and established in the process.

Such outcomes can be established using, for instance, blinded cryptography, where each stakeholder can prove assertions about themselves signed by some third party without breaching the root principle of remaining non-identifiable within the group. For instance, a citizen can prove that they have a certain nationality, are over 18 or are not a fugitive without leaking data that would pinpoint the citizen in the group.
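The blinded-credential flow described above, sketched with an RSA blind signature as an added example (not part of the original article, which names no specific scheme). The issuer key stands for a single assertion, "over 18"; all function names, the toy Mersenne-prime key and the random token format are assumptions made for illustration.

```python
# Toy RSA blind signature: the issuer attests "over 18" without ever seeing
# the token the citizen later shows to a verifier. Constructed demo values;
# the key size and the lack of padding make this unfit for production use.
import hashlib
import math
import secrets

# Issuer key dedicated to one assertion ("holder is over 18").
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes (toy size)
N, E = P * Q, 65537                  # public key, known to every verifier
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the issuer


def digest(token: bytes) -> int:
    """Hash the token into the range [0, N)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """Citizen: hide the token hash behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:      # r must be invertible modulo N
            break
    return (digest(token) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer: signs after checking the citizen's age out of band.
    It only ever sees a random-looking number, never the token."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Citizen: strip r to obtain an ordinary signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Verifier: learns that the issuer vouched for this token, no more."""
    return pow(sig, E, N) == digest(token)


def demo():
    """Run the three-party exchange once and return what each side saw."""
    token = secrets.token_bytes(16)  # random value, carries no identity
    blinded, r = blind(token)        # what the issuer sees
    sig = unblind(issuer_sign(blinded), r)
    return token, blinded, sig       # (token, sig) is what the verifier sees
```

Because the issuer sees only `blinded` and the verifier sees only `(token, sig)`, the two cannot match a presentation to an issuance even if they compare records.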

How Privacy by Design or Security by Design is achieved depends on the application, technologies and choice of approach.

One approach was based on Kim Cameron's 7 "Laws of Identity", which were rephrased into 7 "foundational principles":

  1. Proactive not reactive; Preventative not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality – positive-sum, not zero-sum
  5. End-to-end security – full lifecycle protection
  6. Visibility and transparency – keep it open
  7. Respect for user privacy – keep it user-centric

Another approach, based on deconstructing Identity into building blocks and building Contextual Identity from these, was suggested by Stephan Engberg and published by the Danish Ministry of Research & It.

Whether a methodology actually achieves Privacy by Design is not to be evaluated based on intent or approach, but on outcome. I.e., if data do not need protection in order not to represent a risk to the citizens, the principle of Privacy by Design can be said to be achieved.

The wide principle of European data protection establishes a good definition. Under it, even "anonymized" data are still personal data if they are derived from personal data outside the control of the individual citizen in question, or if any means exist to re-identify or recognize citizens or citizen devices. Also, since the sources still exist, derived data will enrich personal data (create more personal data that did not exist before), and reversing the "anonymity" from the inside is mostly trivial through any of a range of means, e.g. the "anonymization" process can be rerun with an identifier added.

Privacy by default

Privacy by default means that by default (without user interaction) only personal data which are necessary for each specific purpose of the processing are processed. The default applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Global adoption

Germany had already released a statute (§ 3 IV TDDG) in July 1997. In October 2010, regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a resolution recognizing Privacy by Design as an essential component of fundamental privacy protection.

This was followed by the U.S. Federal Trade Commission’s recognition of Privacy by Design in 2012 as one of its three recommended practices for protecting online privacy in its report entitled Protecting Consumer Privacy in an Era of Rapid Change – a major validation of its significance.

Data protection by design has been incorporated into the European Commission's plans to unify data protection within the European Union with a single law – the General Data Protection Regulation. However, since the latest proposal does not define or give references for definitions of either data protection by design or privacy by design, it is not clear what is meant by the concepts. There are some initiatives that try to address this issue, like the OWASP Top 10 Privacy Risks Project for web applications, which gives hints on how to implement privacy by design in practice. The core technology-neutral principle in the GDPR is that it is up to manufacturers to document compliance, including Privacy by Design, according to the state of the art (article 25), based on the principle "If you can, you shall".


Privacy by Design in the sense of the "foundational" principles has been critiqued as "vague" and leaving "many open questions about their application when engineering systems." It has also been pointed out that Privacy by Design is similar to voluntary compliance schemes in industries impacting the environment, and thus lacks the teeth necessary to be effective, and may differ per company. In addition, the evolutionary approach currently taken to the development of the concept will come at the cost of privacy infringements, because evolution also implies letting unfit phenotypes (privacy-invading products) live until they are proven unfit. Some critics have pointed out that certain business models are built around customer surveillance and data manipulation and that voluntary compliance is therefore unlikely.

Another criticism is that current definitions of privacy by design do not address the methodological aspect of system engineering, such as using decent system engineering methods, e.g., those which cover the complete system and data life cycle. The concept also does not focus on the role of the actual data holder, but on that of the system designer. This role is not known in privacy law, so the concept of Privacy by Design is not based in law. This in turn undermines the trust of data subjects, data holders and policy makers.

Since the concept is part of active research and policy development, biases may occur in the definitions used. An example is the tendency of North American legislation to let businesses themselves work out what this concept should mean (evolutionary approach), while the EU tends to take a more regulatory approach, although this has not yet instantiated in this case.
