Privacy By Default Principle Is Not Always The Winning Racehorse

Author:Mr Paul Van den Bulck
Profession:McGuireWoods LLP

The concept of “privacy by default” refers to the design of an information system whose technical architecture is, at its roots, intended to ensure the safety and confidentiality of personal data. For example, a computer program could require a specific purpose to start the processing, a minimal retention period could be imposed and the access could be limited to what is strictly necessary. Discussed in the draft EU Regulation proposed by the European Commission on 25 January 2012, regarded by many specialists as the best practice this notion could get the reputation of a sort of “winning racehorse”. The judgment of the Court of Justice of the European Union (CJEU) of May 2013 (Worten v Autoridade para as Condições de Trabalho (ACT), C-342/12) implicitly shows the limits of such a concept.

In March 2010, the ACT imposed a fine on Worten, a Portuguese employer, for not having made immediately available to the ACT a central record of working time, as set out in the Portuguese Employment Code. Actually, a local record could be consulted by the person who had computerized access to it, namely the regional manager; such restrictions presumably were motivated by security considerations. More specifically, they correspond to one of the main principles of “privacy by default”: access to personal data files is decentralized and limited to that which is strictly necessary.

Worten claimed that the obligation to make the records available was incompatible with the obligation to establish an adequate system of data protection. In the claimant's view, complying with the labor rules would allow any employee to gain access to the records, and would therefore violate Article 17 of EU Directive 95/46, which states that “ the controller must implement appropriate technical and organizational measures to protect personal data against … unauthorized disclosure or access ”. In order to decide on the case, the Tribunal referred several questions to the CJEU.

In the CJEU's interpretation, the intention of Article 17 is not to require all controllers to implement an ex-ante restricted access, or to punish those which do not provide such protection, since, as in this case, no incident included within the...

To continue reading