In this text, we will explain the concepts of Privacy by Design (integrated privacy) and Privacy by Default.
Specifically, we will address whether these two principles have a place in the Serbian Law on Personal Data Protection (ZZPL) or are reserved exclusively to the scope of application of the General Data Protection Regulation (GDPR).
After reading the entire article, you will understand what privacy by design and privacy by default are, what their significance is for personal data protection, and how businesses can gain a competitive edge by embedding data privacy into the very foundation of their operations – all accompanied by practical examples that will clarify these technical terms for you.
Table of Contents
- Does the ZZPL Mention “Privacy by Design” and “Privacy by Default”?
- How the GDPR Regulates Privacy by Design and Privacy by Default
- What Is Privacy by Design?
- What Is Privacy by Default?
- Privacy by Design vs Privacy by Default: Key Differences
- How Privacy by Design and Privacy by Default Work Together in Practice
- Benefits of Implementing the Privacy by Design and Privacy by Default Approaches
- Practical Application of Privacy by Design and Privacy by Default in Different Industries
- Conclusion: Privacy by Design vs Privacy by Default – Do We Have These GDPR Concepts in the ZZPL?
Does the ZZPL Mention “Privacy by Design” and “Privacy by Default”?
The ZZPL does not explicitly mention privacy by design and privacy by default, nor does it mention the Serbian translations of these terms. However, in Article 5, the ZZPL defines data minimization as one of the principles of personal data processing:
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”).
In other words, any data processing that is not limited to what is necessary in relation to the purpose of the processing is not in compliance with the principle of data minimization.
Data Minimization – A Fundamental Principle of the ZZPL and an Obligation for Controllers
The ZZPL further elaborates on the principle of data minimization in Article 42, which regulates safeguards, and among other things, obligates the controller to:
Implement appropriate technical, organizational and staff-related measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner.
As we can see, the ZZPL does not explicitly mention privacy by design and privacy by default (while it does mention pseudonymization). However, these two concepts represent one of the key ways to implement the principle of data minimization in practice through the application of appropriate technical measures. This is clearly visible in the GDPR (and its recitals), from whose text a large part of the ZZPL was practically adopted.
How the GDPR Regulates Privacy by Design and Privacy by Default
The very title of Article 25 of the GDPR reads “Data protection by design and by default,” which tells us that these two methods are key to interpreting the article itself; Article 25 is the equivalent of Article 42 of our ZZPL.
An explicit mention of these two concepts can be found in the recitals of the GDPR, which, unfortunately, were not adopted into our ZZPL. Recital 78 of the GDPR states the following:
In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default
It is clear from the recital that privacy by design and privacy by default are not merely generic obligations of the data controller; rather, the controller is expected to adopt specific internal policies and implement measures to implement these two privacy principles, thereby demonstrating compliance with the GDPR. Consequently, these terms are not mere abstractions but prerequisites without which companies cannot demonstrate GDPR compliance, risking fines.
However, neither the GDPR itself nor its recitals specify exactly what privacy by design and privacy by default are, nor how they complement each other, which we will discuss further below.
What Is Privacy by Design?
Privacy by design (integrated personal data protection) is a protective approach in which user privacy and personal data protection are embedded in the system’s architecture and business processes from the very beginning.
In other words, maximum personal data protection and user privacy serve as the starting point, rather than something taken care of subsequently and “along the way.”
Privacy by design is a proactive approach that seeks to anticipate, prevent, or at least minimize privacy risks. This makes it the opposite of the common, reactive approach, which cares only about privacy and data protection when data subjects reach out (if even then) or in the event of incidents such as data leaks or hacker attacks (when it is already too late).
When processes, products, and services are built according to the privacy-by-design principle, privacy and personal data protection are not only taken for granted but also inherent to them and cannot be “turned off.”
Example: A software team decides to develop an application for web traffic analysis. Instead of using precise data like IP addresses and profiling, they decide to cross-reference data that cannot be sufficient to identify an individual, but is sufficient to distinguish one website visitor from another – such as data on which country the visitors come from, which time zones, which operating systems they use, and similar. In this way, the team creates an application that achieves its purpose (tracking the total number of visitors to the website) while avoiding excessive processing of personal data.
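The counter described in the example above, written out as an added illustration (not code from the article): raw request attributes such as the IP address are discarded at the boundary, only coarse fields are aggregated, and the per-profile breakdown is suppressed below a small threshold because even coarse attributes can single out a visitor on a low-traffic site. The field names and sample traffic are constructed assumptions.

```python
from __future__ import annotations
from collections import Counter

# The only request attributes the application is allowed to retain
# (field names are constructed for this example).
ALLOWED_FIELDS = ("country", "timezone", "os_family")


def coarse_profile(request: dict) -> tuple:
    """Reduce a raw request to the allowed coarse attributes.

    Everything else (IP address, user agent, cookies) is dropped here, at the
    boundary, so it never reaches storage or the analytics layer.
    """
    return tuple(str(request.get(f, "unknown")) for f in ALLOWED_FIELDS)


def count_visits(requests: list[dict], k: int = 2) -> dict:
    """Aggregate visits by coarse profile and return totals only.

    Even coarse attributes can single out a person on a low-traffic site, so
    profiles seen fewer than k times are folded into "other" in the breakdown.
    """
    buckets = Counter(coarse_profile(r) for r in requests)
    breakdown: Counter = Counter()
    for profile, n in buckets.items():
        breakdown["/".join(profile) if n >= k else "other"] += n
    return {
        "total_visits": sum(buckets.values()),
        "distinct_profiles": len(buckets),
        "breakdown": dict(breakdown),
    }


# Constructed sample traffic: the IP address and user agent are present on
# input but never appear in the output.
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "country": "RS",
     "timezone": "Europe/Belgrade", "os_family": "Windows"},
    {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "country": "RS",
     "timezone": "Europe/Belgrade", "os_family": "Windows"},
    {"ip": "203.0.113.9", "country": "DE", "timezone": "Europe/Berlin",
     "os_family": "Linux"},
]

if __name__ == "__main__":
    print(count_visits(SAMPLE_REQUESTS))
```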
What Is Privacy by Default?
The Privacy by Default approach ensures that the strictest personal data protection and privacy options are automatically applied when using a product or service, so users are not required to “turn them on” to enable them.
In other words, if a user leaves the predefined (default) settings as they are, their privacy and personal data will be protected to the greatest extent. Without changing the settings, only the personal data necessary to achieve the basic purpose of the processing will be collected and processed, and nothing more.
To put it more simply, the privacy-by-design approach focuses on how systems are built, while the privacy-by-default approach deals with how systems behave and which settings are applied automatically.
Example: An e-commerce store plans to place a newsletter subscription checkbox on its checkout page. To comply with the privacy-by-default principle, the box must not be pre-checked; instead, the buyer themselves must check it if they wish to receive notifications.
Privacy by Design vs Privacy by Default: Key Differences
These two concepts are closely related, but they also have some conceptual differences:
- Privacy by design concerns the architecture and logic of the system itself, and its primary purpose is preventive. It answers the question: “How are privacy and personal data protection built into the system?”
- Privacy by default concerns the system’s behavior and configuration, and its primary purpose is restrictive. It answers the question: “What happens if the user does not change any settings?”
There are also differences in implementation, which you can see in the following table:
| Aspect | Privacy by Design | Privacy by Default |
| --- | --- | --- |
| Implementation moment | Early planning and development phase | Deployment and configuration |
| Focus | System architecture | User-facing settings |
| Primary responsibility | Engineers, architects, management | Product managers, UX designers, compliance |
| Nature | Structural (embedded into the system itself) | Functional (system behavior) |
How Privacy by Design and Privacy by Default Work Together in Practice
In practice, these two approaches are closely linked. For privacy by default to function, the application itself must be designed with maximum privacy as the starting point.
For example, to provide the user with cascading/granular control over privacy options, the backend database architecture must support that level of separation and partial data access based on the user’s choices. If the system is not built from the ground up to allow this flexibility, subsequently introducing settings that respect user privacy will often not even be possible.
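A backend sketch of both points, the newsletter box that is not pre-checked from the earlier example and the granular, settings-driven data access described here. This is an added illustration, not code from the article; the settings model, the visibility levels, the field names and the sample users are assumptions. Missing or unrecognised settings fail closed to the most restrictive option.

```python
from __future__ import annotations
from dataclasses import dataclass

# Every preference defaults to its most restrictive value: nothing is shared
# and nothing is sent unless the user explicitly turns it on.
@dataclass(frozen=True)
class PrivacySettings:
    newsletter_opt_in: bool = False
    analytics_opt_in: bool = False
    profile_visibility: str = "private"  # "private" | "contacts" | "public"

# Profile fields each visibility level exposes (constructed for this example).
VISIBLE_FIELDS = {
    "private": set(),
    "contacts": {"display_name"},
    "public": {"display_name", "bio"},
}


def profile_view(profile: dict, settings: PrivacySettings | None,
                 viewer_is_contact: bool = False) -> dict:
    """Return only the profile fields the owner's settings allow the viewer to see.

    An account with no stored settings (for example one created before the
    feature existed) is treated exactly like one that kept the defaults, and an
    unrecognised visibility value fails closed to "private".
    """
    settings = settings or PrivacySettings()
    level = settings.profile_visibility
    if level == "contacts" and not viewer_is_contact:
        level = "private"
    allowed = VISIBLE_FIELDS.get(level, set())
    return {key: value for key, value in profile.items() if key in allowed}


def newsletter_recipients(users: dict[str, PrivacySettings | None]) -> list[str]:
    """Select only users who explicitly opted in; missing settings mean no."""
    return sorted(email for email, s in users.items()
                  if s is not None and s.newsletter_opt_in)


# Constructed sample data.
PROFILE = {"display_name": "Ana", "bio": "Runs a small shop in Novi Sad",
           "email": "ana@example.com", "phone": "+381 60 000 0000"}
USERS = {
    "ana@example.com": PrivacySettings(newsletter_opt_in=True),
    "marko@example.com": PrivacySettings(),   # never changed the defaults
    "legacy@example.com": None,                # no settings row at all
}
```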
This is precisely one of the most common problems when implementing the privacy-by-design and privacy-by-default approaches – subsequent implementation in systems that did not care about user privacy and personal data protection from the very beginning.
Together, privacy by design and privacy by default enable the creation of systems that are compliant at the very structural level, while also offering practical personal data protection on the user’s end.
In this way, the total amount of processed personal data is reduced, thereby respecting the data minimization principle prescribed by both the ZZPL and the GDPR.
Benefits of Implementing the Privacy by Design and Privacy by Default Approaches
While it is true that implementing the privacy-by-design and privacy-by-default principles will often mean that a company has less precise data about its users (due to the fact that it processes less personal data), there are specific benefits that bring long-term advantages:
- Reduced likelihood of incidents and fines – cyberattacks, data leaks, and similar incidents expose companies to immense risk. GDPR fines are exceptionally high, and the reputational damage a company can suffer from a personal data breach is sometimes irreparable. Data minimization reduces these risks – even if an incident occurs, the compromised data will not be personal data, or there will be far less of it than there would have been if the privacy by design and privacy by default principles had not been implemented.
- Reduction in processing costs – processing personal data requires ongoing investments in technical, financial, and operational infrastructure. You will constantly have to respond to inquiries from data subjects, maintain systems in compliance with GDPR/ZZPL provisions, and worry about fines. The privacy-by-design and privacy-by-default approaches will reduce the amount of personal data you process from the outset, significantly lowering total costs in the long run.
- Greater user trust – Users appreciate companies that protect their personal data, which can positively impact your business’s reputation. It is true that, in our market, this awareness is still not high, as users are primarily driven by price, but significant strides are being made in the right direction.
Practical Application of Privacy by Design and Privacy by Default in Different Industries
Privacy by design and privacy by default are widely applied across various sectors of the economy. To help you get a picture of how they function in practice, here are a few examples:
- Mobile Application Development:
  - Applying the principle of data minimization and collecting only those pieces of personal data that are necessary to achieve the purpose of processing.
  - Implementing appropriate access controls in IT systems.
  - Minimum accessibility of user data within the default settings.
- Healthcare Sector:
  - Developing detailed procedures for processing special categories of personal data.
  - Restricting employees' access to data according to their position.
  - Establishing procedures for the storage and anonymization of patient data.
- E-commerce (Electronic Commerce):
  - User profile visibility is configured for maximum privacy by default.
  - Tracking user behavior, analytics, and marketing activities are conducted only to the extent necessary and with adequate notification to the user.
  - The payment and order processing cycle collects only the buyer’s personal data necessary to execute the transaction, while ensuring that state-of-the-art data security measures are implemented.
Conclusion: Privacy by Design vs Privacy by Default – Do We Have These GDPR Concepts in the ZZPL?
Although the Law on Personal Data Protection does not explicitly mention them, privacy by design and privacy by default are among the technical safeguards that the ZZPL deems mandatory, all with the purpose of implementing the data minimization principle. By implementing these principles, companies ensure that privacy is embedded into the very design of products and services from the start, rather than being just a legal concept thought of subsequently, pro forma.
Through the adequate implementation of the privacy by design and privacy by default principles, as well as the application of other technical, organizational, and staff-related measures, controllers and processors ensure not only that they avoid fines, but they also elevate the trust that users place in their services, while simultaneously strengthening their business reputation and gaining a competitive edge in the market.