PRIVACY AND SURVEILLANCE - page 24

PRIVACY AND SURVEILLANCE 2013
3.2. Privacy by Design – Privacy by Default
As the Digital Agenda 2010 also emphasized, the future of privacy cannot be assured solely by ex-post compliance with regulatory frameworks and “ticking off” compliance boxes. In discussions about the new regulatory framework in Europe, several tools, concepts and principles that have been less formally embedded in privacy legislation are now central objectives and tools. One such critical principle is the so-called “privacy by design”.
When initially introduced, in 1995, the term privacy enhancing technology referred mainly to applications that would be ‘bolted on’ to privacy invasive systems. Recently, however, data protection has been approached more holistically, and emphasis is placed on the effort to address privacy concerns in all stages of systems development. The need to offer comprehensive solutions to privacy issues, not just technological add-ons, is emphasized by scholars as well as by regulatory bodies and organisations promoting data privacy. Privacy by Design is a principle for systems engineering which requires that respect for individuals’ privacy and protection of their personal data are taken into consideration at all stages of the systems lifecycle, namely from early inception and initiation, to development and implementation, and finally to operations, maintenance and disposition.
Applying the Privacy by Design principle at all stages of systems development entails including privacy enhancing technologies, devices and tools that can protect data privacy. According to the European Commission, “the use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitates compliance with data protection rules. The use of PETs should result in making breaches of certain data protection rules more difficult and / or helping to detect them” [13].
In order to embed privacy enhancing mechanisms into information processing systems, it is essential to elicit and assess privacy requirements at all stages of the information systems’ lifecycle. For instance, one should take into consideration the applicable privacy laws and regulations, such as the EU Data Protection Directive or the US Safe Harbour agreement, as early as the project initiation stage, when a general idea is formed of what the ICT project will entail and what information assets will be involved. Available technological solutions should also be evaluated to ensure that appropriate privacy controls can be implemented and which will be
13. European Union. Press release: Privacy enhancing technologies (PETs). /rapid/pressReleasesAction.do?reference=MEMO/07/159&format=HTML&aged=0&language=EN&guiLanguage=en. Reference: MEMO/07/159 (last accessed on June 2013).