Privacy by design is an engineering principle that has been around for some time now. It has even been incorporated into legal frameworks since the 1990s (most prominently in the EU GDPR), and is a simplified term for "data protection through technology design". It means that privacy is part of the entire systems design concept, implemented even before hardware or software is built. In other words, it ensures that privacy is part of the DNA of the product. However, to truly understand the full scope of privacy by design, we have listed the seven principles established by Ann Cavoukian below.
In 2009, Ann Cavoukian published the privacy by design framework, which has since been adapted and also at times criticised for being too vague. However, in order to truly understand the nature of the privacy by design engineering principle, we lay it out for our readers anyway:
1. Proactive not reactive; preventative not remedial: Privacy by Design does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred — it aims to prevent them from occurring.
2. Privacy as the default setting: No action is required on the part of the individual to protect their privacy — it is built into the system, by default.
3. Privacy embedded into design: It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered.
4. Full functionality (positive-sum, not zero-sum): Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum "win-win" manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made.
5. End-to-end security (full lifecycle protection): Strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion.
6. Visibility and transparency: Its component parts and operations remain visible and transparent to users and providers alike. Remember, trust but verify.
7. Respect for user privacy: Keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
Privacy by design is an important engineering principle that ensures better privacy protection for the users of digital services. We believe that only those programs, apps and other digital services that follow the 'privacy by design' principle can truly be called privacy apps. Two opposite examples are Facebook and Signal: Signal is privacy by design, while Facebook is not. There are many other examples of privacy by design systems. Decentralised storage, for instance, can be a system that follows privacy by design, as can an app that does not undertake any data tracking. Xayn follows both approaches.
The notion of privacy by design is anchored in Art. 25 GDPR, 'Data protection by design and by default'. There are two main points to the article, which we will summarise here:
As you can see, the article is relatively vague when it comes to what privacy by design means. While an absolute milestone in privacy law, the GDPR has widely been criticised for its broad scope and legal 'wiggle room'. Therefore, we recommend that users not fall into a false sense of security when it comes to the EU regulation.