1419 Privacy by Design: Foundations and Seven Principles

1419.1 Learning Objectives

By the end of this chapter, you should be able to:

Define Privacy by Design and explain its origins
Apply the 7 foundational principles of Privacy by Design
Distinguish between proactive and reactive privacy approaches
Configure privacy-by-default settings for IoT devices
Design privacy-embedded system architectures
Implement positive-sum (privacy AND functionality) solutions
Apply end-to-end security throughout the data lifecycle

Related Chapters, Products, and Tools

Privacy Foundations - If you need a refresher, review Introduction to Privacy for concepts and regulations (GDPR, CCPA) before diving into design patterns.
Secure Implementation - Pair this chapter with Secure Data and Software and Encryption Principles and Crypto Basics to connect PbD ideas to concrete technical safeguards.
Privacy Design Patterns - Continue to Privacy Design Patterns and Data Tiers for implementation techniques.
Quizzes & Hubs - Test your understanding with the Privacy-by-Design quiz surfaced in the Quiz Navigator and use the Knowledge Gaps Tracker to note follow-up topics.

For Beginners: Understanding Privacy by Design

What is Privacy by Design? Privacy by Design means building privacy protections into systems from the very beginning - not adding them later as an afterthought. It’s like designing a house with locks already installed versus buying padlocks after you move in. Privacy becomes embedded in the architecture, default settings protect users automatically, and privacy controls are proactive (preventing problems) not reactive (apologizing after breaches).

Why does it matter? Amazon Ring doorbells uploaded video to the cloud by default and shared footage with police without warrants - privacy was retrofitted after scandal, not designed in. Apple HomePod processes “Hey Siri” on-device instead of sending all audio to the cloud - privacy was architecturally embedded from day one. Privacy by Design prevents violations before they happen, builds user trust, and avoids expensive retrofits after launch.

Key terms:

Term	Definition
Privacy by Default	Most protective settings enabled automatically without user configuration (opt-in not opt-out)
Proactive	Anticipating privacy risks during design phase through threat modeling and assessments
Privacy Embedded	Building privacy controls into system architecture (not bolt-on features added later)
Positive-Sum	Achieving both privacy AND functionality - not forcing users to choose between them
Data Minimization	Design principle of not collecting data in the first place (better than encrypting everything)

Key Takeaway

In one sentence: Privacy by Design means building privacy protections into systems from the start - not adding them after a breach or scandal.

Remember this rule: The best privacy protection is not collecting data at all; when collection is necessary, minimize scope, enable privacy by default, and embed controls into architecture rather than bolting them on later.

1419.2 Prerequisites

Before diving into this chapter, you should be familiar with:

Introduction to Privacy: Understanding of fundamental privacy concepts, personal data definitions, and regulatory frameworks like GDPR provides essential context for Privacy by Design principles
Security and Privacy Overview: Knowledge of the CIA triad (Confidentiality, Integrity, Availability) and basic security concepts helps understand how privacy-by-design integrates with broader security architecture
Threat Modelling and Mitigation: Familiarity with identifying and mitigating threats enables proactive privacy protection, a core Privacy by Design principle

1419.3 What is Privacy by Design?

Privacy by Design (PbD) is a framework that embeds privacy into the design and architecture of IT systems and business practices.

Core Concept

Build privacy in from the start, not bolt it on later.

Privacy by Design makes privacy the default setting, ensuring data protection is embedded into the system architecture and business operations.

Origin: Developed by Dr. Ann Cavoukian (Information and Privacy Commissioner of Ontario) in the 1990s.

Adoption:

Incorporated into GDPR (Article 25)
Recognized by ISO/IEC standards
Adopted by major tech companies

1419.3.1 Real-World Privacy by Design: Good vs Bad

1419.3.1.1 GOOD: Apple HomePod (Voice Processing On-Device)

What they did:

Voice command processing happens on-device (not sent to cloud)
Siri only activates after hearing “Hey Siri” (local detection)
If cloud query needed (like weather), only the transcribed text is sent (not voice recording)
Random identifier used (not linked to Apple ID)
Designed with privacy from the start

Privacy by Design principles used:

Proactive: Anticipated privacy concerns with always-listening device
Privacy Embedded: On-device processing built into chip architecture
Default: Most protective mode is default behavior
Full Functionality: Works great without sending voice to cloud

1419.3.1.2 BAD: Amazon Ring Doorbell (Privacy as Afterthought)

What they did:

Video uploaded to cloud by default (no local-only option at launch)
Shared video with police without warrants or user consent (via “Neighbors” program)
Privacy concerns emerged AFTER millions of doorbells were sold
Eventually added privacy controls (after backlash and lawsuits)

Privacy by Design failures:

Reactive: Added privacy controls AFTER scandal, not proactive
Not Default: Cloud upload enabled by default, no local storage option
Not User-Centric: Shared user data with police without explicit consent
Not Transparent: Users didn’t know about police partnerships

Lesson: Privacy retrofitted after launch = privacy theater. Privacy by Design = trust from day one.

1419.4 The 7 Foundational Principles

Seven Pillars of Privacy by Design

Principle	Simple Explanation	Good Example	Bad Example
1. Proactive (Not Reactive)	Anticipate privacy problems BEFORE they happen	Privacy Impact Assessment during design phase	Apologizing for privacy breach after it happens
2. Privacy as Default	Most protective settings ON by default	Smart doorbell doesn’t upload video to cloud unless you explicitly enable it	Cloud upload enabled by default, buried opt-out in settings
3. Privacy Embedded	Built into the system architecture (not bolt-on)	Smart speaker processes voice commands ON-DEVICE (doesn’t send to cloud)	Smart speaker sends ALL audio to cloud, privacy policy as afterthought
4. Full Functionality	Privacy AND features (not either/or)	Fitness tracker works fully offline, cloud sync is optional extra	App says “Location required” even for features that don’t need it
5. End-to-End Security	Protect data through entire lifecycle (collection to deletion)	Smart lock encrypts data at rest, in transit, and has secure deletion	Smart lock encrypts during transmission but stores plaintext keys in database
6. Visibility & Transparency	Users can see what data is collected and how	Dashboard shows exactly what your smart home hub knows about you	“We collect data to improve services” (vague)
7. User-Centric	Respect user privacy rights (control, consent, access)	One-click “delete all my data” button that actually works	“Submit request via mail, wait 90 days, prove your identity with notarized forms”

1419.4.1 Principle 1: Proactive not Reactive; Preventative not Remedial

Principle: Anticipate and prevent privacy invasive events before they happen

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D', 'clusterBkg': '#f9f9f9', 'clusterBorder': '#2C3E50', 'edgeLabelBackground':'#ffffff'}}}%%
flowchart LR
    A[System Design Phase] --> B[Privacy Threat Modeling]
    B --> C{Identify Privacy Risks}
    C --> D[Unauthorized Collection]
    C --> E[Data Leakage]
    C --> F[Third-Party Exposure]

    D --> G[Design Mitigation:<br/>Data Minimization]
    E --> H[Design Mitigation:<br/>Encryption]
    F --> I[Design Mitigation:<br/>Access Control]

    G --> J[Implementation<br/>Before Launch]
    H --> J
    I --> J

    J --> K[Proactive Privacy<br/>Protection]

    style A fill:#2C3E50,stroke:#16A085,color:#fff
    style B fill:#16A085,stroke:#2C3E50,color:#fff
    style K fill:#16A085,stroke:#2C3E50,color:#fff
    style G fill:#E67E22,stroke:#2C3E50,color:#fff
    style H fill:#E67E22,stroke:#2C3E50,color:#fff
    style I fill:#E67E22,stroke:#2C3E50,color:#fff

Figure 1419.1: Proactive Privacy: Threat Modeling to Design Mitigation Before Launch

Implementation Example:

Privacy Threat	Risk Level	Proactive Mitigation	Reactive Response
Unauthorized PII Access	HIGH	Encrypt at source (AES-256)	Apologize after breach
Third-party Data Exposure	MEDIUM	Share only aggregated data	Add deletion button later
Location Tracking	HIGH	Don’t collect precise location	Add privacy policy disclaimer
Persistent Identifiers	MEDIUM	Use rotating pseudonyms	Let users opt-out

LINDDUN Privacy Threat Model:

Threat Category	Description	IoT Example	Mitigation
Linkability	Link multiple actions to same user	Correlate sensor readings by timing	Rotating device IDs
Identifiability	Identify specific user	De-anonymize location data	K-anonymity (k>=5)
Non-repudiation	User cannot deny action	Smart lock logs prove entry	Anonymous credentials
Detectability	Detect someone’s involvement	Detect device in network scan	MAC address randomization
Disclosure	Unauthorized information reveal	Cloud breach exposes sensor data	End-to-end encryption
Unawareness	User unaware of data collection	Hidden analytics tracking	Transparency dashboard
Non-compliance	Violate privacy regulations	GDPR violation for lack of consent	Privacy Impact Assessment

1419.4.2 Principle 2: Privacy as the Default Setting

Principle: No action required by user to protect privacy - it’s automatic

Privacy-by-Default Configuration (ESP32/IoT Device Example):

Setting	Default Value	Rationale	User Can Enable
Encryption	ENABLED (AES-256)	Always protect data	Cannot disable
Location Collection	OFF	Not essential for core functionality	Yes (opt-in)
Usage Analytics	OFF	Benefits vendor, not user	Yes (opt-in)
Data Retention	7 days	Shortest period for functionality	Yes (extend)
Third-party Sharing	OFF	User data stays with vendor	Yes (explicit consent)
Processing Mode	LOCAL	Minimize data transmission	Yes (enable cloud)

Comparison: Privacy by Default vs. Privacy by Negotiation

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D', 'clusterBkg': '#f9f9f9', 'clusterBorder': '#2C3E50', 'edgeLabelBackground':'#ffffff'}}}%%
flowchart LR
    subgraph Good["PRIVACY BY DEFAULT (Opt-In Model)"]
        A1[Device Setup] --> A2[All Tracking: OFF]
        A2 --> A3{User Action}
        A3 --> |No action| A4[Protected by Default]
        A3 --> |Opt-in| A5[Enable Feature<br/>with Consent]
    end

    subgraph Bad["PRIVACY BY NEGOTIATION (Opt-Out Model)"]
        B1[Device Setup] --> B2[All Tracking: ON]
        B2 --> B3{User Action}
        B3 --> |No action| B4[Privacy Invaded]
        B3 --> |Opt-out| B5[Find Settings<br/>Disable Each One]
    end

    style A2 fill:#16A085,stroke:#2C3E50,color:#fff
    style A4 fill:#16A085,stroke:#2C3E50,color:#fff
    style B2 fill:#E67E22,stroke:#2C3E50,color:#fff
    style B4 fill:#E67E22,stroke:#2C3E50,color:#fff

Figure 1419.2: Privacy by Default (Opt-In) vs Privacy by Negotiation (Opt-Out) Comparison

1419.4.3 Principle 3: Privacy Embedded into Design

Principle: Privacy is integral to system design, not an add-on

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D', 'clusterBkg': '#f9f9f9', 'clusterBorder': '#2C3E50', 'edgeLabelBackground':'#ffffff'}}}%%
flowchart TB
    subgraph Architecture["Privacy-First System Architecture"]
        A[Sensor Data Collection]
        B[Data Minimizer<br/>Built-in]
        C[Local Processing<br/>Engine]
        D[Anonymization<br/>Module]
        E[Encryption<br/>Layer]
        F[Consent<br/>Manager]
    end

    A --> B
    B --> |Minimal Data| C
    C --> |Process Locally| G{Send to Cloud?}
    G --> |Yes| D
    D --> E
    E --> Cloud[Cloud Storage]
    G --> |No| Local[Local Storage Only]
    F -.-> |Controls All| B
    F -.-> |Controls All| C
    F -.-> |Controls All| D

    style B fill:#16A085,stroke:#2C3E50,color:#fff
    style C fill:#16A085,stroke:#2C3E50,color:#fff
    style D fill:#16A085,stroke:#2C3E50,color:#fff
    style E fill:#E67E22,stroke:#2C3E50,color:#fff
    style F fill:#2C3E50,stroke:#16A085,color:#fff

Figure 1419.3: Privacy-First System Architecture: Data Minimization to Encrypted Cloud Storage

Example: Smart Thermostat - Privacy Embedded vs. Privacy Bolted-On

Architecture Component	Privacy Bolted-On	Privacy Embedded
Data Collection	Collect everything, filter later	Collect only temperature + timestamp (no user ID, location)
Processing	Send all to cloud, process there	Process locally first, send only if necessary
Storage	Store raw data indefinitely	Store aggregated hourly averages, 30-day retention
Sharing	Share by default, add opt-out later	Check consent before EVERY share, log all sharing
Anonymization	“We anonymize data” (vague promise)	Built-in anonymizer removes PII before transmission
Encryption	Added TLS after beta testing	Encryption engine integrated from day 1

Smart Thermostat Privacy Architecture:

Stage	Privacy Control	Implementation	Purpose
1. Collection	Data Minimization	Collect only: temp, timestamp	Don’t collect unnecessary PII
2. Processing	Local-First	Process on-device when possible	Avoid cloud transmission
3. Cloud Upload	Anonymization	Remove device ID, use random session ID	Prevent linkability
4. Transmission	End-to-End Encryption	AES-256 encrypted payload	Protect in transit
5. Sharing	Consent Manager	Check consent before each share	User control
6. Audit	Audit Logging	Log all data access and sharing	Transparency

1419.4.4 Principle 4: Full Functionality - Positive-Sum, not Zero-Sum

Principle: Privacy AND functionality, not privacy OR functionality

Real-World Examples: Achieving Both Privacy and Functionality

Use Case	Zero-Sum Approach	Positive-Sum Solution	How It Works
Personalized Recommendations	Upload all behavior to cloud	Federated learning on-device	ML model trains locally, only model updates shared (not user data)
Energy Optimization	Minute-by-minute tracking	Hourly aggregates	Aggregate before storage: 22.1, 22.3, 22.2 -> Avg: 22.2 (equally effective)
Voice Assistant	Record all conversations	On-device wake word detection	Process locally until “Hey Siri” detected, then send only query
Security Camera	24/7 cloud recording	Event-triggered local storage	Store locally, upload only motion-detected clips (encrypted)
Smart Lock	Upload all entries to cloud	Local logging, cloud sync optional	Keep entry log on device, user chooses cloud backup

Privacy vs. Functionality: The False Dichotomy

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D', 'clusterBkg': '#f9f9f9', 'clusterBorder': '#2C3E50', 'edgeLabelBackground':'#ffffff'}}}%%
graph TB
    A[Feature: Energy Optimization] --> B{Design Choice}

    B --> C[Zero-Sum: Privacy OR Functionality]
    C --> C1[High Resolution Data<br/>Minute-by-minute tracking]
    C1 --> C2[Privacy: LOW<br/>Functionality: HIGH]

    B --> D[Positive-Sum: Privacy AND Functionality]
    D --> D1[Aggregated Data<br/>Hourly averages]
    D1 --> D2[Privacy: HIGH<br/>Functionality: HIGH]

    style C fill:#E67E22,stroke:#2C3E50,color:#fff
    style C2 fill:#E67E22,stroke:#2C3E50,color:#fff
    style D fill:#16A085,stroke:#2C3E50,color:#fff
    style D2 fill:#16A085,stroke:#2C3E50,color:#fff

Figure 1419.4: Zero-Sum vs Positive-Sum Design: Energy Optimization Privacy Trade-offs

Case Study: Federated Learning (Google Gboard Keyboard)

Aspect	Traditional Cloud ML	Federated Learning (Privacy by Design)
Data Collection	All keystrokes uploaded to Google servers	Keystrokes stay on device
Model Training	Train on aggregated user data in cloud	Train local model on your device
Model Updates	Download model trained on everyone’s data	Upload only model improvements (differential privacy)
Privacy	Google sees all your typing	Google sees no individual typing data
Functionality	Personalized predictions	Personalized predictions (identical UX)
Result	Zero-sum (functionality requires privacy loss)	Positive-sum (both privacy AND functionality)

Case Study: Security Without Surveillance (Smart City)

Traditional urban security relies on pervasive video surveillance with centralized recording - creating massive privacy concerns. Edge AI enables a Security without Surveillance approach that achieves security goals without mass data collection:

%% fig-alt: "Comparison diagram showing traditional surveillance with cameras sending video to central storage creating privacy risks, versus Security without Surveillance using edge AI to process locally and only transmit anonymous metadata like vehicle counts and anomaly alerts."
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D', 'clusterBkg': '#f9f9f9', 'clusterBorder': '#2C3E50', 'edgeLabelBackground':'#ffffff'}}}%%
flowchart TB
    subgraph trad["Traditional: Surveillance"]
        C1["Camera"] --> S1["Cloud Storage"]
        S1 --> A1["Face Recognition"]
        S1 --> A2["Behavior Analysis"]
        S1 --> R1["Permanent Record"]
    end

    subgraph pbd["Privacy by Design: Security without Surveillance"]
        C2["Camera"] --> E2["Edge AI<br/>(On-Pole)"]
        E2 --> |"Only metadata"| M2["Vehicle Count: 47<br/>Anomaly Alert<br/>Traffic Flow: Normal"]
        E2 --> |"Video deleted<br/>after processing"| D2["No Storage"]
    end

    style trad fill:#ffcccc,stroke:#E67E22
    style pbd fill:#ccffcc,stroke:#16A085
    style E2 fill:#16A085,stroke:#2C3E50,color:#fff
    style D2 fill:#16A085,stroke:#2C3E50,color:#fff

Figure 1419.5: Traditional surveillance vs Security without Surveillance using edge AI

Aspect	Traditional Surveillance	Security without Surveillance
Data Collected	Full video, faces, license plates	Anonymous counts, flow statistics
Storage	Weeks to months of footage	Zero raw video retained
Processing	Cloud-based, centralized	Edge AI, on-pole
Privacy Risk	High (mass surveillance)	Minimal (no PII collected)
Security Capability	Full forensics, face ID	Anomaly detection, traffic optimization
Regulatory Compliance	Requires extensive justification	GDPR-friendly by design

How Edge AI Enables This:

Local processing: Neural network runs on camera hardware (e.g., NVIDIA Jetson, Intel Movidius)
Immediate inference: Vehicle/pedestrian detection happens in <100ms
Metadata extraction: Only anonymous statistics transmitted (counts, speeds, anomalies)
No raw storage: Video frames deleted after processing - no footage to breach

Real-World Example: Street light-mounted cameras detect wrong-way drivers and send instant alerts to traffic control - without ever recording or transmitting identifiable video.

1419.4.5 Principle 5: End-to-End Security - Full Lifecycle Protection

Principle: Protect data from collection to deletion

%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D', 'clusterBkg': '#f9f9f9', 'clusterBorder': '#2C3E50', 'edgeLabelBackground':'#ffffff'}}}%%
flowchart LR
    A[1. Collection<br/>Encrypt at Source] --> B[2. Storage<br/>Encrypted at Rest]
    B --> C[3. Processing<br/>Secure Computation]
    C --> D[4. Sharing<br/>Encrypted in Transit]
    D --> E[5. Retention<br/>Automatic Deletion]
    E --> F[6. Destruction<br/>Secure Erasure]

    A -.-> |AES-256| A1[Protection Active]
    B -.-> |Database Encryption| A1
    C -.-> |Homomorphic Encryption| A1
    D -.-> |TLS 1.3| A1
    E -.-> |Retention Policy| A1
    F -.-> |Key Deletion| A1

    style A fill:#16A085,stroke:#2C3E50,color:#fff
    style B fill:#16A085,stroke:#2C3E50,color:#fff
    style C fill:#E67E22,stroke:#2C3E50,color:#fff
    style D fill:#16A085,stroke:#2C3E50,color:#fff
    style E fill:#E67E22,stroke:#2C3E50,color:#fff
    style F fill:#2C3E50,stroke:#16A085,color:#fff

Figure 1419.6: End-to-End Security: Six-Stage Data Lifecycle Protection Framework

End-to-End Protection Through Data Lifecycle:

Lifecycle Stage	Privacy Risk	Protection Mechanism	Implementation Example
1. Collection	Plaintext sensor data	Encrypt at source	AES-256 encryption before transmission
2. Storage	Database breach	Encrypted at rest	Database-level encryption (TDE)
3. Processing	Cloud provider access	Secure computation	Homomorphic encryption or secure enclaves
4. Sharing	Interception in transit	Encrypted transmission	TLS 1.3, re-encrypt for recipient’s public key
5. Retention	Indefinite storage	Automatic deletion	30-day retention policy, automated cleanup
6. Deletion	Recovery from backups	Secure erasure	Delete from DB + backups + destroy encryption keys

True End-to-End Protection Checklist:

Encrypted during collection (sensor to gateway)
Encrypted at rest (database, files)
Encrypted during processing (homomorphic or secure enclave)
Encrypted in transit (TLS 1.3, certificate pinning)
Automatic retention enforcement (delete after N days)
Secure deletion (DB + backups + keys)
Deletion verification (audit log confirms erasure)
User-initiated deletion (right to be forgotten)

1419.4.6 Principle 6: Visibility and Transparency

Principle: Keep operations open and visible to users and stakeholders

Transparency Dashboard Example (Smart Thermostat):

Data Type	Collection Frequency	Purpose	Retention	Shared With
Temperature readings	Every 10 minutes	HVAC control	30 days	None
Device status	Every 10 minutes	System health monitoring	90 days	Cloud provider (encrypted only)
Firmware version	Once per week	Update checks	Until device reset	Update server

Privacy Notice - Plain Language Example:

What We Collect

Temperature and humidity (every 10 minutes)

Device on/off status

We DO NOT collect: Voice, location, personal identifiers

Why We Collect It

Temperature: To control your heating/cooling

Device status: To detect malfunctions

How Long We Keep It

Sensor data: 30 days, then automatically deleted

Device status: 90 days

Who We Share With

Cloud Provider (AWS): Encrypted storage only - they cannot see your data

Nobody else. We never sell your data.

Your Rights

Download your data anytime (Settings -> Export)

Delete your account and all data (Settings -> Delete)

Analytics already OFF by default

Questions? privacy@company.com

1419.4.7 Principle 7: Respect for User Privacy

Principle: Keep user interests first, make privacy user-centric

Granular User Privacy Controls:

Data Collection Setting	Default	User Can Disable?	Purpose	User Benefit
Temperature	ON	No (required for core function)	HVAC control	Device works
Location	OFF	Yes	Weather-based optimization	More accurate by ~2F
Usage Analytics	OFF	Yes	Product improvement	Better features over time

User-Centric Design Principles:

Granular control: Separate controls for each data type (not all-or-nothing)
Clear trade-offs: Explain what user gains/loses with each setting
Easy access: Privacy controls in main settings (not buried in legal pages)
Reversible choices: User can change mind (enable/disable at any time)
Informed consent: Explain purpose, benefit, and duration before collecting
No dark patterns: Equally prominent “Accept” and “Reject” buttons
Respect preferences: Honor user choices without nagging to reconsider

Knowledge Check

Test your understanding of Privacy by Design principles.

Quiz: Privacy by Design Principles

Question 1: A smart home company designs a new thermostat. After launch, users complain about privacy concerns with cloud storage. The company adds an “Export your data” button. Which Privacy by Design principle is being violated?

This violates the “Proactive not Reactive” principle! The company reacted to privacy complaints AFTER deployment by adding a feature. Privacy by Design requires anticipating privacy concerns during the design phase and building in protections from the start. The “export your data” button is reactive remediation, not proactive prevention.

Question 2: Which configuration follows “Privacy as the Default Setting” for a fitness tracker app?

Privacy by Default means the MOST PROTECTIVE settings are active without user action. Option C is correct: all privacy-invasive features OFF by default, users can explicitly opt-in if desired. Option A is “privacy by negotiation” (opt-out model). Option B creates false choice - forcing features on for functionality. Option D is “privacy by configuration,” not by default.

Chapter Summary

Privacy by Design establishes seven foundational principles for embedding privacy into system architecture:

Proactive not Reactive: Anticipate and prevent privacy invasions before they occur through threat modeling
Privacy as Default: Maximum data protection is automatic without user action
Privacy Embedded: Integrate privacy controls architecturally rather than bolting-on compliance
Full Functionality: Pursue positive-sum outcomes - strong privacy enhances rather than diminishes user experience
End-to-End Security: Protect data throughout entire lifecycle from collection through deletion
Visibility and Transparency: Provide complete awareness through clear policies and transparency dashboards
Respect for User Privacy: Maintain user-centricity through informed consent and granular controls

These principles originated with Dr. Ann Cavoukian in the 1990s and are now incorporated into GDPR Article 25, making them both best practice and legal requirement.

1419.5 What’s Next

Continue to Privacy Design Patterns and Data Tiers where you’ll learn:

Data minimization and aggregation techniques
Local processing vs cloud processing decisions
Anonymization and pseudonymization methods
The Three-Tier Privacy Model for IoT data classification
Implementation guidance for tier-aware systems

Continue to Privacy Design Patterns and Data Tiers ->