November 5, 2013

The concept of “privacy by default” refers to the design of an information system whose technical architecture is, at its roots, intended to ensure the safety and confidentiality of personal data. For example, a computer program could require a specific purpose before processing can start, a minimal retention period could be imposed, and access could be limited to what is strictly necessary. Discussed in the draft EU Regulation proposed by the European Commission on 25 January 2012 and regarded by many specialists as best practice, this notion could acquire the reputation of a sort of “winning racehorse”. The judgment of the Court of Justice of the European Union (CJEU) of May 2013 (Worten v Autoridade para as Condições de Trabalho (ACT), C-342/12) implicitly shows the limits of such a concept.

In March 2010, the ACT imposed a fine on Worten, a Portuguese employer, for not having made immediately available to the ACT a central record of working time, as set out in the Portuguese Employment Code. In fact, a local record could be consulted by the person who had computerized access to it, namely the regional manager; such restrictions were presumably motivated by security considerations. More specifically, they correspond to one of the main principles of “privacy by default”: access to personal data files is decentralized and limited to that which is strictly necessary. Worten claimed that the obligation to make the records available was incompatible with the obligation to establish an adequate system of data protection. In the claimant’s view, complying with the labor rules would allow any employee to gain access to the records, and would therefore violate Article 17 of EU Directive 95/46, which states that “the controller must implement appropriate technical and organizational measures to protect personal data against … unauthorized disclosure or access”.

In order to decide on the case, the Tribunal referred several questions to the CJEU. In the CJEU’s interpretation, the intention of Article 17 is not to require all controllers to implement ex-ante restricted access, or to punish those which do not provide such protection, since, as in this case, no incident included within the Article 17 scope occurred (destruction, alteration, disclosure and so on). The judgment also confirms that the collection by an employer of personal data related to working time achieves “specified, explicit and legitimate purposes”, and that the processing was “adequate, relevant and not excessive”. Indeed, the processing ensures compliance with the legislation and meets a legal obligation falling within the scope of European legislation, specifically Directive 2003/88 concerning certain aspects of the organization of working time. The CJEU refuses to interpret Directive 95/46 in a way that generalizes and prioritizes “privacy by default” over other important legal goals. The obligation to allow the competent authority (ACT) to have immediate access to the record was “necessary for the performance of a task carried out in the exercise of official authority”, as required by Article 7(e) of Directive 95/46. Indeed, “only the grant of access to authorities having powers in that field could be considered to be necessary within the meaning of Article 7(e)” (Huber (2008), case C‑524/06), and ACT was the authority having power in the field of working conditions.

Finally, besides its explicit holding, the judgment also indicates that the “privacy by default” principle proposed by the European Commission in the draft General Data Protection Regulation, even if adopted, is not absolute. In other words, ensuring that access to personal data is restricted by default will not automatically be considered lawful where a specific provision mandates processing that will qualify as necessary. For a full analysis of this case, see our article “Privacy by default principle does not always beat the law,” Privacy Laws & Business, October 2013.