EDSA: 2^nd ver­si­on of the gui­de­lines on Pri­va­cy by Design and Pri­va­cy by Default / comm­ents on the systematics.

The EDSA has released a new ver­si­on 2.0 of the alre­a­dy Published 2019 Gui­de­lines on Pri­va­cy by Design and Pri­va­cy by Default published. A com­pa­ra­ti­ve ver­si­on (Del­ta­view, PDF) can be found at here.

The gui­de­lines are still quite bree­zy on many points, but they do pro­vi­de gui­dance on the spe­ci­fic ways in which com­pli­ance with the pro­ce­s­sing prin­ci­ples can be ensured.

What the gui­de­lines do not expli­ci­t­ly explain is the rela­ti­on­ship bet­ween pri­va­cy by design, pri­va­cy by default, data secu­ri­ty, accoun­ta­bi­li­ty, and impact assess­ments. In my view, the simp­lest way to descri­be this rela­ti­on­ship is as follows:

• Pri­va­cy by Design is the over­ar­ching prin­ci­ple and start­ing point for con­side­ra­ti­on. Essen­ti­al­ly, this prin­ci­ple requi­res the con­trol­ler to con­sider at an ear­ly stage how to ensu­re com­pli­ance with data pro­tec­tion – espe­ci­al­ly the pro­ce­s­sing prin­ci­ples, but also the other obli­ga­ti­ons such as the ful­fill­ment of data sub­ject rights – throug­hout the enti­re data life­cy­cle (EDSA: “Con­trol­lers need to imple­ment the prin­ci­ples to achie­ve DPbDD. The­se prin­ci­ples include: trans­pa­ren­cy, lawful­ness, fair­ness, pur­po­se limi­ta­ti­on, data mini­mizati­on, accu­ra­cy, sto­rage limi­ta­ti­on, inte­gri­ty and con­fi­den­tia­li­ty, and accoun­ta­bi­li­ty”). In this sen­se, Pri­va­cy by Design is not so much a pro­ce­s­sing prin­ci­ple, but a meta-prin­ci­ple, which aims at the rea­lizati­on of the mate­ri­al prin­ci­ples and in this sen­se ensu­res system data pro­tec­tion. Which requi­re­ments – i.e., which tech­ni­cal and/or orga­nizatio­nal requi­re­ments – result from this in con­cre­te terms depends on the spe­ci­fic pro­ject, but in any case the respon­si­ble par­ty must assess the risks for the data sub­jects and con­sider how to miti­ga­te them appropriately.
• The prin­ci­ple of Data secu­ri­ty over­laps stron­gly with the prin­ci­ple of Pri­va­cy by Design, becau­se data secu­ri­ty – under­s­tood as a gene­ral prin­ci­ple – requi­res the tech­ni­cal and orga­nizatio­nal safe­guar­ding of data pro­tec­tion as a who­le. In this sen­se, it is not limi­t­ed to com­pli­ance with tech­ni­cal data pro­tec­tion in the sen­se of IT secu­ri­ty. The cor­re­spon­ding basic stan­dard is Artic­le 24 of the GDPR. This is con­cre­ti­zed by the fact that Art. 5 (1) (f) and Art. 32 GDPR address cer­tain pro­tec­tion goals and mea­su­res that pri­ma­ri­ly have tech­ni­cal data pro­tec­tion in mind, i.e., the clas­sic pro­tec­tion goals of inte­gri­ty and con­fi­den­tia­li­ty (in addi­ti­on to avai­la­bi­li­ty and, depen­ding on the view­point, other pro­tec­tion goals). This nar­rower data secu­ri­ty (IT safe­ty and IT secu­ri­ty) is a sub­area of gene­ral data pro­tec­tion and must the­r­e­fo­re be taken into account in the con­text of pri­va­cy by design.
• The prin­ci­ple of Pri­va­cy by Default for its part, is a mani­fe­sta­ti­on of the prin­ci­ple of pro­por­tio­na­li­ty, or rather a con­cre­tizati­on of this prin­ci­ple spe­ci­fi­cal­ly in con­nec­tion with “default set­tings”. It is limi­t­ed to the lat­ter and the­r­e­fo­re does not requi­re, for exam­p­le, obtai­ning cons­ents that are not requi­red under Art. 6, 9 or 44 et seq. GDPR are not requi­red. Like the other pro­ce­s­sing prin­ci­ples, its com­pli­ance must be plan­ned and ade­qua­te­ly ensu­red under the hea­ding of Pri­va­cy by Design.
• Under the tit­le of Accoun­ta­bi­li­ty  the respon­si­ble par­ty must appro­pria­te­ly docu­ment his con­side­ra­ti­ons and decis­i­ons in the sen­se of an inde­pen­dent duty (with regard to secu­ri­ty mea­su­res, e.g., by means of sui­ta­ble metrics, KPIs, as the EDSA notes in the Gui­de­lines). The hig­her the risks, the hig­her the mate­ri­al requi­re­ments for the respon­si­ble par­ty (and, if appli­ca­ble, the order pro­ces­sor) and the hig­her the accoun­ta­bi­li­ty requirements.
• A DSFA is not a new or dif­fe­rent obli­ga­ti­on, but pri­ma­ri­ly a for­ma­lizati­on of the exi­sting obli­ga­ti­on to assess risks, plan their miti­ga­ti­on and docu­ment both, which is trig­ge­red by high gross risks in the con­text of Pri­va­cy by Design. Under­s­tood in this way, the obli­ga­ti­on to con­duct the DSFA is pri­ma­ri­ly a con­cre­tizati­on of the accoun­ta­bi­li­ty prin­ci­ple. Accor­din­gly, almost the only inde­pen­dent obli­ga­ti­on is the obli­ga­ti­on to inform the data pro­tec­tion aut­ho­ri­ties if neces­sa­ry – in the event of high net risks. From this point of view, the per­for­mance of a DSFA in many cases actual­ly only ser­ves the docu­men­ta­ti­on of the more gene­ral risk manage­ment, which is requi­red any­way. The vol­un­t­a­ry per­for­mance of a DSFA can the­r­e­fo­re often be useful (alt­hough the vol­un­t­a­ry natu­re should be expli­ci­t­ly recor­ded, e.g. as part of an appro­pria­te form). As a result, the­re is less of a cate­go­ri­cal dif­fe­rence bet­ween the gene­ral approach and a DSFA, but rather a dif­fe­rence in the depth and level of detail of the imple­men­ta­ti­on and docu­men­ta­ti­on of risk manage­ment (apart from the afo­re­men­tio­ned report­ing obli­ga­ti­on vis-à-vis the aut­ho­ri­ties, which can, howe­ver, be wai­ved under the revDSG if a data pro­tec­tion advi­sor has been appointed).