Privacy Rights

In line with the FIPPs principle of Individual Participation, most data protection laws establish privacy rights for individuals. At a minimum, these typically include:

  • The right to access/export personal data
  • The right to update personal data (also known as the right to rectify)
  • The right to delete personal data

Some other less universal privacy rights you should be aware of are:

  • The right to data portability (GDPR) - not only should you be able to export personal data, but you should be able to provide it in a portable format so that it can be imported into a similar product. For example, if you provide a music app you should allow your users to export their playlists in a format recognized by other music apps on the market. As you might expect, portability is a huge challenge as in many contexts appropriate standardized formats don't yet exist. You could be the one to define them!
  • The right to opt out of sensitive data processing (CPRA) - as we discussed earlier, if you process personal data that falls under one of the CPRA's sensitive data categories, the user should be able to opt out of this. How will you design your product to make this possible and to ensure that the user can still use your product afterward?
  • The right not to be subject to a decision based solely on automated processing, including profiling (GDPR) - in general, such decisions are prohibited under the GDPR if they have legal effects for an individual, such as being denied access to childcare benefits. Article 22 describes some exceptions (such as explicit consent), but in these cases there must be a person that the individual can contact to challenge the automated decision if needed.

Architecting Privacy Rights

You will likely need to implement some degree of automation to be able to fulfill privacy rights requests on time (the legal limits range from 15 days to 30 days or more). Implementing this can be tricky if you have personal data scattered across many different data stores maintained by different teams. The following steps can help:

Privacy Rights Endpoints

Establish a standardized privacy API with endpoints to export, update, and delete personal data by user identifier and require all teams processing personal data to implement it in their systems. These endpoints of course need to be carefully protected; only people directly involved in fulfilling privacy rights requests should have access to them in Production, and you should keep audit logs of which employee queried them when.
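An in-process model of the export/update/delete contract described above, added here as an example and not code from the course. The role name, the audit record fields and the in-memory store are assumptions; a real deployment would put the same checks behind HTTP endpoints.

```python
# Added example: one team's implementation of the standardized privacy API.
# Every call is authorized against a single role and written to an audit log,
# including denied calls, so misuse of the endpoints is visible afterwards.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json


class Forbidden(Exception):
    """Raised when the caller is not allowed to use a privacy endpoint."""


@dataclass
class PrivacyAPI:
    records: dict = field(default_factory=dict)      # user_id -> personal data
    audit_log: list = field(default_factory=list)    # who did what, when
    allowed_role: str = "privacy-ops"                # hypothetical role name

    def _authorize(self, caller: dict, action: str, user_id: str) -> None:
        granted = caller.get("role") == self.allowed_role
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "employee": caller.get("employee"),
            "action": action,
            "user_id": user_id,
            "granted": granted,
        })
        if not granted:
            raise Forbidden(f"{caller.get('employee')} may not {action} {user_id}")

    def export(self, caller: dict, user_id: str) -> str:
        self._authorize(caller, "export", user_id)
        # Machine-readable copy; an unknown user yields an empty object.
        return json.dumps(self.records.get(user_id, {}), sort_keys=True)

    def update(self, caller: dict, user_id: str, changes: dict) -> dict:
        self._authorize(caller, "update", user_id)
        self.records.setdefault(user_id, {}).update(changes)
        return self.records[user_id]

    def delete(self, caller: dict, user_id: str) -> bool:
        self._authorize(caller, "delete", user_id)
        # Hard delete: the key disappears rather than being flagged as deleted.
        return self.records.pop(user_id, None) is not None
```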

Data Retention Periods

Require every team to set data retention periods for each type of personal data they manage. These should be as short as possible and data should be hard deleted afterward rather than soft deleted or archived. (If hard deletion is technically challenging in your system, consider overwriting the data instead.) Don't forget to also set retention periods for third-party systems, your data warehouse / lake, and backups, otherwise the data will still be lying around. Strict data retention periods help fulfill the principle of storage limitation, cut your storage costs, and improve your database performance. Keeping data for too long can make database tables very large, severely impacting performance - in the worst case, it might not be possible for you to do a complete query for a user's personal data without bringing down your system.

Data retention periods can raise a lot of questions, so they need to be backed up by business requirements. For example, consider free trial users. To respect storage limitation, you want to delete all free trial user data once their trial has expired (after sending the user warning emails that this will happen). If you remove all trace of them from the system, then they can immediately sign up again and you are essentially offering unlimited free trials. What is your policy here? Is that acceptable, or will you compromise, storing emails for a certain period to enforce for example one free trial per email every six months? These questions must be answered in order for engineers to be able to implement data retention periods with confidence.
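A retention sweep that works through the free-trial compromise above, added as an example and not code from the course: the full trial profile is hard deleted after its period, leaving only a peppered hash of the email with its own six-month retention. The periods, the pepper and the record layout are constructed assumptions.

```python
# Added example: per-type retention with hard deletion and a minimal lock record.
from datetime import datetime, timedelta, timezone
import hashlib

PEPPER = b"constructed-pepper"                        # constructed secret
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)     # constructed reference date

# Constructed retention policy: data type -> how long it may be kept.
RETENTION = {
    "trial_account": timedelta(days=14),   # full trial profile
    "trial_lock": timedelta(days=182),     # hashed email only, about six months
}


def day(n: int) -> datetime:
    """Helper for sample timestamps: n days after EPOCH."""
    return EPOCH + timedelta(days=n)


def email_fingerprint(email: str) -> str:
    # Peppered hash of the normalized address; the raw email is never kept.
    return hashlib.sha256(PEPPER + email.strip().lower().encode()).hexdigest()


def expire_trial(store: list, record: dict, now: datetime) -> None:
    """Replace an expired trial account with a lock record holding only the hash."""
    store.remove(record)
    store.append({"type": "trial_lock", "created_at": now,
                  "email_hash": email_fingerprint(record["email"])})


def sweep(store: list, now: datetime) -> int:
    """Hard-delete every record past its retention period; return the count."""
    removed = 0
    for record in list(store):
        if now - record["created_at"] <= RETENTION[record["type"]]:
            continue
        if record["type"] == "trial_account":
            expire_trial(store, record, now)   # keeps only the email hash
        else:
            store.remove(record)               # the lock itself ages out too
        removed += 1
    return removed


def trial_available(store: list, email: str) -> bool:
    """False while a lock record for this address still exists."""
    fp = email_fingerprint(email)
    return not any(r["type"] == "trial_lock" and r["email_hash"] == fp for r in store)
```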

Central PII Database

Depending on your use case and system design, it may be worth centralizing your storage of personal data in a single database. Other systems can refer to this data using an ID, hash, or other pseudonymized identifier and query its value as needed at runtime rather than persistently storing it. This makes data governance much easier: it facilitates not only export, update, and deletion requests but also helps you avoid data inconsistency issues with systems storing outdated copies of personal data. It reduces the risk of data breaches that affect other data stores, as these will no longer contain raw personal data. However, it does then mean you have a single point of weakness for personal data breaches, so you should protect this central store with the strongest possible security controls feasible for you.
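A minimal central PII store with a downstream system that persists only pseudonymous tokens, added as an example and not code from the course. Token generation, the store's interface and the sample orders service are assumptions; the point is that deleting the user centrally leaves every copy elsewhere as a dangling token rather than raw data.

```python
# Added example: pseudonymized references to a single central PII store.
from typing import Optional
import secrets


class CentralPIIStore:
    def __init__(self) -> None:
        self._by_token: dict = {}   # token -> raw personal data
        self._by_user: dict = {}    # user_id -> token

    def tokenize(self, user_id: str, pii: dict) -> str:
        """Store raw PII once; hand back an opaque token for other systems to keep."""
        if user_id not in self._by_user:
            # Random, so the token reveals nothing about the data it stands for.
            self._by_user[user_id] = secrets.token_hex(16)
        token = self._by_user[user_id]
        self._by_token[token] = pii  # an update here is seen by all consumers
        return token

    def resolve(self, token: str) -> Optional[dict]:
        return self._by_token.get(token)

    def delete_user(self, user_id: str) -> bool:
        token = self._by_user.pop(user_id, None)
        return token is not None and self._by_token.pop(token, None) is not None


class OrdersService:
    """Downstream system: persists only tokens, never raw personal data."""

    def __init__(self, pii: CentralPIIStore) -> None:
        self.pii = pii
        self.orders: list = []

    def place_order(self, token: str, item: str) -> None:
        self.orders.append({"customer": token, "item": item})

    def shipping_labels(self) -> list:
        # Resolve at runtime; a token whose user was deleted yields no label.
        labels = []
        for order in self.orders:
            person = self.pii.resolve(order["customer"])
            if person is not None:
                labels.append(f'{person["name"]}: {order["item"]}')
        return labels
```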


Further Reading

  • The books The Architecture of Privacy and Data Privacy: A Runbook for Engineers dive deeper into how you can design systems to support privacy rights requests, data retention, consent management, and data governance in general.
  • Architecting for privacy rights is just one part of the broader topic of data governance. In order to implement privacy rights, you need to understand what data you have where, and in larger organizations this can be challenging. Data Protocol's free Data Governance course provides an excellent introduction. See also this Intro to Data Governance seminar on YouTube.
  • Setting data retention timelines and Data retention in a distributed system by Lea Kissner address the technical challenges of retention and deletion.
  • ICO guidance on privacy rights - this excellent series provides detailed guidelines on how to fulfill each right. Note that, since Brexit, the UK GDPR is distinct from the EU GDPR. While it is currently almost identical in content, it may diverge in the future.
  • The Limitations of Privacy Rights, Daniel J. Solove, 98 Notre Dame Law Review 975 (2023) - this paper critiques the concept of individual privacy rights. While they do enable individuals to exercise some control over their personal data, by doing so they take some responsibility for ethical data processing away from data controllers. Most people do not have the time, energy, or knowledge to advocate for their own privacy using their privacy rights, and (as we saw previously in this course) privacy is also a collective right.