European Data Protection Board Adopts Data Protection by Design and by Default Guidelines

On 13 November 2019, the European Data Protection Board (“EDPB”) adopted guidelines on the GDPR’s data protection by design and by default principle (“Guidelines”).  The Guidelines provide further guidance on the technical and organizational measures and safeguards that data controllers must take into account when designing their processing activities.  The EDPB encourages early consideration of data protection by design and by default principles (“DPbDD”) and considers DPbDD to be at the forefront of GDPR compliance.  Data controllers, processors and technology providers should consider re-assessing their processing operations and products against the standards put forward in the Guidelines.

DPbDD Principles

DPbDD means that the GDPR’s data protection principles must be designed into and set as a default in processing activities through means of “appropriate measures and safeguards.”  Data protection by design measures range from the implementation of advanced technical solutions, to the basic training of personnel and data access restrictions.  The measures must be suitable to safeguard the individual’s rights under the GDPR and other fundamental freedoms.  Data protection by default refers to the setting of pre-selected values in software, applications or devices that lead to GDPR compliance.  Adequate default settings will limit data collection, retention and overall processing to that which is strictly necessary.

Critically, once implemented, data controllers must be able to demonstrate the efficacy of the measures and the specific safeguards that they provide for.  For instance, controllers might be able to point to a reduction in response time when handling individual rights requests, a lower number of complaints, or expert assessments that demonstrate efficacy.  Controllers may also seek certification of their DPbDD practices pursuant to an approved certification mechanism issued under Art. 42 GDPR.  No such certification has been approved so far.

Different Actors Involved

The responsibility for compliance with the DPbDD principles lies with the data controller, but the EDPB recognizes that processors and technology providers play an essential role in facilitating compliance.  Controllers will often outsource a given processing activity to a processor (e.g., a cloud service provider) or purchase a product for data processing (e.g., a mobile device that allows the processing of biometric data).  These actors are best placed to identify the data protection risks that a particular service or product may involve, and should use their expertise to design products that embed the DPbDD principles.  They may, for instance, configure the product to delete data automatically after a set period of time, or to pseudonymize data immediately after collection.

Next Steps

The EDPB recommends that controllers do not engage providers that are unable to offer products allowing the controller to comply with DPbDD, and calls for controllers to contractually bind providers to demonstrate compliance with these principles (e.g., by strictly laying down key performance indicators).  This is a strong incentive for product developers and service providers to reconsider their practices and ensure their products meet the Guidelines’ thresholds.  If not, they are likely to lose market share to competitors who are able to offer data controllers more comfort around DPbDD.  Data controllers may want to revisit their data processing agreements to verify whether these include sufficient safeguards on DPbDD, and consider adding specific contractual safeguards to their purchase orders with technology providers.

The EDPB welcomes public consultation submissions on the Guidelines until 16 January 2020.