
Personal data and Anglicism in Brazil: after all, what is privacy by design and privacy by default?

April 7, 2022

This text intends to demystify some of the anglicisms frequently used when the issue of data protection is on the agenda. Despite Brazil being a continental country, with about 214 million inhabitants, in other words, a huge number of native Portuguese speakers, it is very common to find English language terms incorporated into the technical vocabulary of the area.

To start, do you know the classic phrase “tell me who you hang out with and I’ll tell you who you are”? I believe you do. Not that I really believe in it, but I’m going to use it as an analogy to approach the theme of this text.

When we refer to the collection of personal data on the internet, we could transform this sentence into “tell me what you access and I will tell you who you are”. This is because several organizations, both public and private, process personal data and, sometimes, the information is collected when the user accesses a certain website. Privacy by design and privacy by default have been identified as positive elements for respecting the user’s informational self-determination, preserving the protection of their information and their privacy. Read on and find out what they mean!

Personal data as raw material

According to the report released by the UN in 2019, entitled “The Age of Digital Interdependence”, today’s society is more connected than ever as a result of information and communication technologies (ICTs). At the same time, the document recognizes that the global community is facing difficulties in managing the economic, social, cultural and political impacts of digital transformations.

In view of this connected reality, it is worth highlighting the importance of personal data, since information relating to natural persons has been considered, in recent decades, a crucial raw material of the global economy. This is one of the reasons why data protection has become a major concern for individuals, governments and the private sector.

The importance of processing personal data for economic development and the provision of services, private and public, leads to the increasing use of personal information for various types of activities. It is important to emphasize that its use is not the problem in itself; however, it is essential that there is a limit to this collection, processing and storage. The processing of personal data must be guided by human rights, providing protection and security to the data subject.

It is worth noting that giving users control over all the data they make available is a practically impossible task. This is because there are many entities collecting, sharing and using personal data, which makes it very difficult for people to manage their own available information. In addition, many of the harms arising from the improper processing of personal data are the result of processes that unfold over a long period of time and in which different entities may be involved.

In Brazil, the protection of personal data is structured in specific legislation. Since Law No. 13,709, of August 14, 2018, known as the General Data Protection Law (LGPD), the country has had specific rules on the processing of personal data. An external factor that accelerated the LGPD was the approval, on May 25, 2018, of the General Data Protection Regulation (GDPR). Regulation 2016/679 sets rules on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealed Directive 95/46/EC.

The rules applied to data protection in the regulatory context: European Union and Brazil

In the Brazilian scenario, the LGPD refers to some measures that processing agents must take during the design and execution phases of a product or service with a view to data protection. According to chapter VII, entitled “On Data Security and Confidentiality”, in art. 46:

Art. 46. Processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or illicit treatment.

  § 1 The national authority may provide for minimum technical standards to make the provisions of the caput of this article applicable, considering the nature of the information processed, the specific characteristics of the treatment and the current state of technology, especially in the case of sensitive personal data, as well as the principles provided for in the caput of art. 6 of this Law.

  § 2 The measures mentioned in the caput of this article must be observed from the product or service conception phase until its execution.

In the context of the European Union, the GDPR expressly introduced the concepts. In chapter IV, “Data controller and processor”, the topic is addressed in article 25, entitled “Data protection by design and by default”:

 

Article 25.

Data protection by design and by default

  1. Taking into account the most advanced techniques, the costs of their application, and the nature, scope, context and purposes of data processing, as well as the risks arising from the processing to the rights and freedoms of individuals, whose probability and severity may vary, the controller applies, both at the time of defining the means of processing and at the time of the processing itself, the appropriate technical and organizational measures, such as pseudonymisation, aimed at effectively applying the principles of data protection, such as data minimization, and to include the necessary guarantees in the treatment, in a way that it complies with the requirements of this regulation and protects the rights of data subjects.

  2. The controller applies technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the treatment are processed. This obligation applies to the amount of personal data collected, the extent of its processing, its retention period and its accessibility. In particular, these measures ensure that, by default, personal data are not made available without human intervention to an indefinite number of natural persons.

 

It is also worth mentioning that in Directive 95/46/EC, the legal instrument that dealt with data protection in the European Union before the GDPR, the topic was addressed in recital 46. According to the wording of the provision:

(46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken both when designing the processing system and when carrying out the processing itself, in order, in particular, to maintain security and thus prevent any unauthorized processing; whereas it is for the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an adequate level of security, taking into account the technical knowledge available and the cost of their application, depending on the risks involved in the processing and the nature of the data to be protected.

User privacy as a priority: Privacy by Design and Privacy by Default

In the online environment, only a small percentage of users of websites and online applications have changed pre-established privacy standards. By itself, this is enough to understand that this is not the proper way for people to have their information protected.

The concept of Privacy by Design was developed in the mid-1990s by the Information and Privacy Commissioner of Ontario, Canada, Dr. Ann Cavoukian. The author argues that the future of privacy could not be secured only by compliance with legislation and regulatory frameworks and that, instead, ensuring privacy should become the standard mode of operation of organizations. Therefore, the concern with privacy should come before any possible problem that may arise due to its lack.

For companies, applying Privacy by Design involves the development of internal projects, products and services, and also requires that strategic planning be aligned with the idea of privacy. In particular, it is reflected in the requirement that processing agents design their offerings so that they minimize the use of personal information.

Privacy by Default means that a product or service, when launched on the market, must come with the privacy settings in the strictest possible way by default, and that, if deemed necessary, the user must allow access to collect more information. However, most companies do just the opposite, that is, they collect as much information as possible by default, allowing the user to opt out of data collection.

Privacy by Default is one of the principles presented by Privacy by Design, which means that all stages of a company’s product or service development process must have privacy first. In other words, the concept of privacy must be fully embedded in the project, not just applying to initiatives where privacy is discussed only in the final phase.
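
As an added illustration (not code from the original article), the Python example below applies Privacy by Default along the four dimensions named in GDPR Article 25(2) as quoted above: amount collected, extent of processing, retention period and accessibility. The purposes, field names and the 30-day retention value are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed mapping: the fields each processing purpose strictly needs.
PURPOSE_FIELDS = {
    "account": {"email"},
    "shipping": {"email", "name", "address"},
    "analytics": {"page", "referrer", "device_id"},
}


@dataclass
class PrivacySettings:
    """Defaults are the strictest values; only a user action relaxes them."""
    purposes: set = field(default_factory=lambda: {"account"})  # amount / extent
    retention: timedelta = timedelta(days=30)                   # retention period
    profile_public: bool = False                                # accessibility

    def opt_in(self, purpose: str) -> None:
        # Opt-in model: extra collection starts only after an explicit choice.
        if purpose not in PURPOSE_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        self.purposes.add(purpose)

    def opt_out(self, purpose: str) -> None:
        self.purposes.discard(purpose)


def collect(submitted: dict, settings: PrivacySettings, now: datetime) -> dict:
    """Store only fields required by enabled purposes, stamped with an expiry."""
    allowed = set().union(*(PURPOSE_FIELDS[p] for p in settings.purposes))
    record = {k: v for k, v in submitted.items() if k in allowed}
    record["_expires"] = now + settings.retention
    return record


def purge(records: list, now: datetime) -> list:
    """Drop records whose retention period has elapsed."""
    return [r for r in records if r["_expires"] > now]


def can_view(viewer: str, owner: str, settings: PrivacySettings) -> bool:
    """Other people see profile data only if the owner made it public."""
    return viewer == owner or settings.profile_public
```

With untouched settings, a form that submits name, address and device identifier alongside the email is stored as the email only; the other fields are kept only after the user opts in to the purpose that needs them.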

The 7 Principles of Privacy by Design:

In 2010, at the annual meeting of the International Data Protection and Privacy Commissioners, a resolution was unanimously approved recognizing Privacy by Design as an essential component of the right to the protection of personal data. In 2012, the Federal Trade Commission of the United States of America recognized the technique as one of its three best practices for protecting online privacy, in a report entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, an important validation of its relevance. In 2014, it was incorporated into the European Commission’s plans to unify data protection in the European Union with a single law – the GDPR.

Since 2010, the 7 Fundamental Principles of Privacy by Design, which have been translated into 31 official languages, have been disseminated internationally. They are:

  1. Proactive not reactive; preventive not remedial

It is characterized by proactive rather than reactive measures. This principle anticipates and prevents privacy-invasive events before they happen. Privacy by Design does not wait for privacy risks to materialize, nor does it offer remedies to resolve privacy breaches once they have occurred, as it aims to prevent them from occurring. In short, privacy by design comes before the fact, not after.

  2. Privacy as the default setting

Privacy by Design seeks to deliver the maximum degree of privacy, ensuring that personal data is automatically protected, that is, by default, in any service or product offered. No action is required on the part of the individual to protect their privacy; it is built into the system by default.

  3. Privacy embedded into design

Privacy by Design is embedded in the design and architecture of products, services and business practices. The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is an integral part of the system, without diminishing functionality.

  4. Full functionality—positive-sum, not zero-sum

Privacy by Design seeks to accommodate all legitimate interests and goals in a positive sum, where both parties benefit (the user and the processing agent). It provides that exchanges take place only when necessary (positive sum) and that unnecessary exchanges are not carried out (zero sum). It avoids the pretense of false dichotomies, such as privacy or security, demonstrating that it is possible, and much more desirable, to have both.

  5. End-to-end security—full lifecycle protection

Privacy is built into the system before the first piece of information is collected and securely spans the entire lifecycle of the data involved; strong security measures are essential for privacy from start to finish. This ensures that all information is securely retained and safely destroyed at the end of the process, in a timely manner. Privacy by Design ensures serious and secure management of the information lifecycle, from end to end.

  6. Visibility and transparency – keep it open

All interested parties are assured that whatever business practice or technology is involved, it must operate in accordance with stated purposes and objectives. Issues relating to the processing of personal data remain visible and transparent, both for users and for processing agents. Transparency with the user is essential to establish a relationship of responsibility and trust.

  7. Respect for user privacy—keep it user-centric

Above all, it requires that the user’s interests be given the highest priority, offering, among other security measures, strong privacy standards, appropriate notices and options that enhance their informational self-determination. In short, it’s about keeping the system user-centric.

Data protection: respect for the data subject from beginning to end

Undoubtedly, concern for data protection must become an integral part of planning services and products, as well as organizational priorities, project objectives, processes and operations. It must be incorporated into all standards and protocols that affect the life of the user. Likewise, business operations and physical architectures must demonstrate the same degree of consideration for the individual.

Respect for data protection goes beyond applying the 7 principles or the laws that regulate the matter, although these certainly serve as good references for aligning with good practices in the processing of personal information. Most importantly, we must not forget: any practice must be human-centered from beginning to end.
