‘Privacy by design’ in the EU General Data Protection Regulation: A new privacy standard or the Emperor’s new clothes?

Abstract

Privacy by design (‘PbD’) is a conceptual framework that has been widely adopted as a helpful, practical framework for organisations to ‘translate’ legal data protection principles into concrete technical design and organisational policies. It can offer a harmonising framework for multiple, overlapping legal compliance obligations. Privacy is engineered directly into the design of new technologies, as a default setting, while still achieving full functionality. The article explains the seven foundational principles of the concept with detailed cross reference to the relevant conditions of lawful processing under the Protection of Personal Information Act 4 of 2013 (‘POPIA’), offering the first in-depth analysis of PbD in a South African context. PbD is now an express legal obligation in art 25 of the European Union’s General Data Protection Regulation (2016). The article sketches the background to that important development and provides an in-depth critique of the three key shortcomings of art 25. It recommends that instead of following the EU example, South Africa’s Information Regulator could promote the adoption of PbD through a guidance note and in approved codes of conduct. It concludes that a PbD approach is already (albeit only impliedly) required for compliance with the conditions of lawful processing under POPIA.