The European Data Protection Board (EDPB) came out with initial clarification on how the GDPR rules for data protection by design should be interpreted and implemented
On November 20th, the European Data Protection Board (EDPB) released for public consultation the first version of its Guidelines on the Implementation of Article 25 GDPR – Data Protection by Design / by Default (DPbDD), in other words data protection at the design stage and by default.
DPbDD is a relatively new rule of law for the European legal world, introduced as a mandatory requirement by the GDPR in 2018. Although it has been known as a theoretical concept and policy under the name Privacy by Design since the 1990s, as a rule of law in Article 25 of the GDPR it still holds unknowns for the professional community. The EDPB's interpretation is therefore welcome, as it clarifies some controversial points.
In 2018, another European authority, the European Data Protection Supervisor (EDPS), also issued an opinion on DPbDD. The Guidelines further develop this view in the scope of Art. 25, as well as the concept of “efficiency” as a key legal fact, but the EDPS’s view is more focused on the technological engineering of DPbDD, which is a distinctive characteristic of this European body.
Even in preliminary form, these Guidelines contain very useful information. Some of the topics in the Guidelines are addressed and developed in the book Privacy by Design, Principles, Practices and Technologies, in the writing of which I also took part.
- From the very beginning, Art. 25 identifies and defines the entities that are exclusively bound by the obligation: the Controllers of personal data. For IT processors and developers there is only an indirect obligation, which stems from the purely factual ground that they must offer the Controller solutions so that the latter can be compliant with the GDPR.
- The Guidelines draw a distinction between the terms “measures” and “safeguards”. According to the EDPB, measures are “first-level” protection that must be “appropriate” enough to reduce the risks posed by the processing activity. Even when limited, the risks remain, and this is where safeguards come in. According to the EDPB, they are necessary for data breach prevention throughout the whole life cycle of the data.
- Particular attention is paid to the effective implementation of the GDPR principles and the rights of the data subjects as the primary purpose of DPbDD. It is clearly stated that Art. 25 does not prescribe specific measures or safeguards which Controllers can apply formally and thereby consider their obligations met. What matters is whether the necessary actions are taken so that the chance of infringing the principles and the rights of the subjects is reduced.
- In terms of data protection by default, the EDPB gives an interpretation of what “default” means, which matches the usual understanding of a predefined configuration of a program or device. The EDPB's view is that the rules of Article 25, paragraph 2 of the GDPR and the relevant measures and safeguards are primarily aimed at data minimisation from several perspectives.
- The Guidelines point out key elements and give examples of the specific application of DPbDD to each of the principles in Article 5 of the GDPR.
In summary, the Guidelines are extremely useful as they validate and even build on existing concepts for DPbDD implementation. However, one essential question cannot be answered from their content: which provisions apply when an action violates both the DPbDD rules and other, more specific GDPR rules? This question is going to be asked quite often because of the nature of Article 25, which reads like a general guideline covering almost the entire text of the GDPR. This follows from the fact that infringing Art. 25 results in a violation of either the principles of Article 5 or the rights of the data subject under Articles 15-22.
For example, if the privacy notice to data subjects is not in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (one of the examples in the Guidelines), then which provision is violated: Art. 12 or Art. 25, para. 1? This is not a merely academic legal point, but an issue of real practical importance:
- Depending on the qualification, the sanction falls into one of two different groups, each with a different maximum amount, under Art. 83, paragraphs 4 and 5.
- In some EU legal systems, such as the Bulgarian one, the sanction may be overturned if the violation has been qualified incorrectly.
In my opinion, DPbDD should be understood in a twofold sense:
- As a meta-rule or sub-principle that serves to specify the violation and individualize the sanction (Article 83, paragraph 2 GDPR).
- As a subsidiary rule that applies when the GDPR principles are infringed but no specific rule of conduct in the Regulation has been violated.
We will continue to follow this topic and update you on its progress on our blog.