What is privacy by design?

When it comes to Enterprise Data Management (EDM), data processors, i.e. organisations that process customer data, are expected to design systems that protect the privacy of their data subjects, i.e. their customers.

The key privacy and security by design policies are:

  • Storage limitations – Personal data should be kept only for as long as it is necessary to fulfil its intended purpose and no longer. This reduces the risk of misuse or unauthorized access over time.
  • Purpose limitations – Data must be collected for specific, explicit, and legitimate purposes and not used in ways incompatible with those purposes. This prevents function creep and misuse of personal information.
  • Lawfulness – Personal data must be processed in accordance with the law and relevant regulations. Processing should have a valid legal basis such as consent, contract, or legal obligation.
  • Accountability – Organizations are responsible for complying with data protection principles and must be able to demonstrate compliance. This includes maintaining documentation, policies, and controls.
  • Data minimisation – Only the minimum amount of personal data necessary for a specific purpose should be collected and processed. This limits exposure and reduces privacy risks.
  • Accuracy – Personal data must be accurate, complete, and kept up to date. Inaccurate data should be corrected or deleted without delay.
  • Confidentiality – Personal data must be protected against unauthorized access, disclosure, alteration, or loss. Appropriate technical and organizational security measures must be in place.
  • Informed consent – Individuals must be clearly informed about how their data will be used and must freely agree to it. Consent should be specific, explicit, and easy to withdraw.
  • Access, rectification, erasure – Individuals have the right to access their personal data, correct inaccuracies, and request deletion when data is no longer needed. These rights empower users to control their information.
  • Restrict processing and portability – Individuals can request limits on how their data is processed and can obtain their data in a usable format. This allows transfer of data between service providers.
  • Object to automated decision-making and profiling – Individuals have the right to object to decisions made solely by automated systems. They can request human intervention and challenge such decisions.

Legally mandated requirements, not optional ethical ‘do-gooding’

The key privacy and security by design policies listed above are primarily defined and enforced by legislation, not just ethical considerations.

Legal basis

Most of these principles are explicitly mandated by laws such as the UK Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) (e.g. lawfulness, data minimisation, accuracy, storage limitation, accountability, data subject rights). Organizations are legally required to comply, and violations can result in penalties and fines.

Ethical foundation

While these principles have a strong ethical motivation—protecting individual autonomy, fairness, and trust—they are not optional ethical guidelines. Ethical considerations influenced their creation, but legislation makes them binding and enforceable in practice.

In short, they originate from ethical values but are formalized and required by law through data protection legislation.

Acceleration of issues with the fourth industrial revolution

In Industry 4.0, or the fourth industrial revolution, digital technologies are integrated into manufacturing and industrial processes to create smart, connected and autonomous systems. This significantly accelerates the challenges of monitoring privacy-by-design issues: technologies such as ML, IoT, AI, AR, cloud computing and cyber systems significantly increase both the value and the risk of personal and operational data. As a result, privacy monitoring becomes more complex, continuous and critical.

Implications for privacy monitoring

  • Continuous and real-time oversight – Real-time data collection from IoT devices requires ongoing privacy monitoring to detect misuse, excessive data collection, or unauthorized access as it happens.
  • Expanded data footprints – Predictive analytics and digital twins combine data from many sources, increasing the risk of re-identification and making it harder to track where personal data is used.
  • Automated decision-making risks – AI-driven decision-making demands monitoring for transparency, bias, and lawful processing, especially where decisions affect individuals.
  • Greater attack surface – Cloud platforms and interconnected systems increase exposure to cyber threats, making privacy monitoring essential to identify breaches and abnormal access patterns early.
  • Purpose and consent drift – Custom product development and analytics may reuse data in new ways, requiring monitoring to ensure continued compliance with consent and purpose limitations.

The burden of privacy monitoring has moved from periodic checks to continuous, automated, and risk-based monitoring, integrated directly into system design and operations and codified in updated regulations.
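The continuous, risk-based monitoring described above can be expressed as automated checks of the principles listed earlier (purpose limitation, consent, data minimisation, storage limitation) against a stream of data-access events. The following is an added example, not code from the original article; the purpose register, consent records and access events are all constructed and hypothetical.

```python
# Added example (not from the original article): privacy-by-design checks run over
# constructed data-access events, flagging purpose drift, data minimisation
# violations and storage-limit breaches. The purpose register, consent records and
# events are all hypothetical and constructed for this example.
from dataclasses import dataclass
from datetime import date

# Purpose register: the fields each purpose legitimately needs and its retention limit.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "address"}, "retention_days": 365},
    "analytics": {"fields": {"age_band"}, "retention_days": 90},
}

# Consent records: the purposes each data subject has agreed to.
CONSENT = {
    "s-001": {"order_fulfilment", "analytics"},
    "s-002": {"order_fulfilment"},
}

@dataclass
class AccessEvent:
    subject: str        # data subject identifier
    purpose: str        # purpose the processor declared at access time
    fields: set         # personal data fields actually read
    collected_on: date  # when the data was originally collected
    accessed_on: date   # when this access happened

def check_event(ev):
    """Return a list of findings for one access event; empty means compliant."""
    findings = []
    if ev.purpose not in CONSENT.get(ev.subject, set()):
        findings.append(f"purpose drift: {ev.subject} never consented to {ev.purpose!r}")
    spec = PURPOSES.get(ev.purpose)
    if spec is None:
        findings.append(f"unregistered purpose {ev.purpose!r}")
        return findings  # nothing further can be checked against the register
    extra = ev.fields - spec["fields"]
    if extra:
        findings.append(f"data minimisation: {sorted(extra)} not needed for {ev.purpose!r}")
    age = (ev.accessed_on - ev.collected_on).days
    if age > spec["retention_days"]:
        findings.append(f"storage limitation: data is {age} days old, limit {spec['retention_days']}")
    return findings

def audit(events):
    """Map the index of each non-compliant event to its findings."""
    return {i: f for i, e in enumerate(events) if (f := check_event(e))}

# Constructed sample events: one compliant, two with violations.
EVENTS = [
    AccessEvent("s-001", "order_fulfilment", {"name", "address"}, date(2025, 1, 10), date(2025, 3, 1)),
    AccessEvent("s-002", "analytics", {"age_band", "address"}, date(2024, 10, 1), date(2025, 3, 1)),
    AccessEvent("s-001", "marketing", {"name"}, date(2025, 1, 10), date(2025, 3, 1)),
]

if __name__ == "__main__":
    for idx, findings in audit(EVENTS).items():
        print(f"event {idx}:", *findings, sep="\n  ")
```

In a real deployment the register and consent records would come from the organisation's records-of-processing and consent store, and the events from access logs of the systems holding personal data.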

Privacy fatigue contributes to Big Data sellers' profit margins

Bombarded by privacy concerns raised by campaigners and legislators, consumers suffering from “privacy fatigue” have enabled sellers of Big Data to continue reaping profits without significant change to ensure privacy by design, a study by Barbeebe Rukkuka reveals.

In the aftermath of the Cambridge Analytica scandal, and despite increased regulation, bad press and an FTC fine of $5 billion, Facebook’s advertising revenues increased by 210% between 2016 and 2022, Rukkuka said.

Meta, the owner of the social media platforms Facebook (FB) and Instagram (Insta), is not the only Big Data seller to profit. The fundamental vulnerabilities in the Big Data ecosystem, which has developed largely without public awareness or consent, continue to be exploited, as consumers, or “data subjects”, are willing to trade privacy for the convenience offered by data processors and data controllers. Data misuse is a problem on a global scale with multiple actors and participants.

The use and sale of data is not in itself illegal. The thorny issue here is ethics rather than legality, Agnishwar Raychaudhuri’s study on the Cambridge Analytica case asserts. The situation is accelerated and exacerbated by unethical artificial intelligence (AI) and machine learning (ML) algorithms harvesting, analysing and augmenting this data, the paper states.

Commercial entities whose business models depend on extensive data-collection and analytics are unlikely to be willing to change these practices.

Rukkuka states that 98% of revenues for Facebook are generated by advertising.

Limited understanding of how, when and why privacy breaches impact users enables Big Data harvesting

Despite several breaches of privacy, consumers continue to have limited understanding of how comprehensively their data is harvested, or how, when and why it is occurring. Hiding behind lengthy, obscure technical terms, privacy policies often deliberately mislead consumers into sharing data.

Meta was fined, and paid, $1.6 billion to the state of Texas over allegations of unlawful biometric data collection. Using Meta’s “Tag Suggestions” feature, users tagged friends and their biometrics were captured without the friends’ explicit consent.

Meta was accused of capturing biometric data “billions of times” through photos and videos uploaded by users. Despite agreeing to the settlement, Meta has denied any wrongdoing.

A Hackernews report points out that FB is not the only offender: Alphabet, the owner of Google and its associated brands, was also fined for the same issue of collecting consumers’ biometric data without their explicit consent.

In the UK, the ICO fined a school for capturing children’s biometric data to take cashless payments from students, in breach of the UK’s Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).

Virtue signalling a key irritant; privacy breaches confused with security breaches

Consumers who are fighting what they consider a losing battle are now fatigued by the lobbying, and by what appears to be virtue signalling by some organisations that use the FB and other case studies to shine a light on the problem rather than cleaning up their own back yards. In consumers’ opinion, almost all Big Data companies are to some extent harvesting data, if not illegally then unethically.

While FB’s breach affected 87 million users, it is different in kind from T-Mobile exposing the personal identification numbers (PINs) of 37 million customers via an API breach, or from the hack that exposed the data of 6.5 million Co-op members. Those were security breaches. A security breach involves unauthorized access to information systems and weak security measures on the part of the organisations meant to protect consumer data.

A privacy breach involves the misuse, mishandling, or unauthorized sharing of personal information, focusing on how data is handled and shared even within secure systems.

The rise of “nudifying” apps illustrates the distinction: as the findings of criminology researchers at Middlesex University and the University of East London clearly reveal, these data breaches are privacy breaches, not security breaches.

Nudifying apps harvest images of fully clothed children and adults, mainly women and girls, from social media and other sources, and use AI algorithms to remove clothing and sexualise the images. The images may be commercialised and sold on the dark web, or weaponised and sold to young boys or men who become cyber-bullies or make extortion demands.

With the rapid rise of nudifying apps, Meta’s role in the supply chain came under the spotlight. Images generated on Meta platforms were being exposed to third-party app developers, notably CrushAI, which is now facing legal action from Meta.

AI and ML in the Cambridge Analytica case study

The use of AI and ML algorithms was brought into sharp focus by the Cambridge Analytica case.

Contextualising the case study

  • Cambridge Analytica utilised a Trojan Horse: an app on FB’s platform asking users to participate in a quiz for academic purposes
  • The real purpose of the Trojan Horse was psychological profiling of users, checking for six personality profiles: neuroticism, conscientiousness, agreeableness, openness, extraversion and conscientiousness
  • FB’s Graph API meant that the friends, and friends of friends, of the initial 27,000 users who downloaded the app were also exposed, giving access to a customer base of 87 million users who had not downloaded the app
  • The 87 million users and users’ friends who did not download the quiz had their data breached, and information including likes, locations, religious and political views and relationship status, as well as private messages, was now available to Cambridge Analytica
  • Cambridge Analytica enhanced the data obtained from FB’s Graph API, gathering an estimated 5,000 data points per American user of the platform. Using advanced psychographic analytics with ML and AI algorithms, Cambridge Analytica aimed to predict what kinds of messages would influence users to change voting behaviour. This marked a fundamental shift from conventional demographic targeting to a new frontier of psychological manipulation through big data analytics, Raychaudhuri’s paper demonstrates.
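The friends-of-friends expansion described in the list above is a question of API permission scope: the data-minimised scope covers only the people who installed the app, while each extra hop of “friends’ data” access widens the exposed population. The following is an added example, not code from the original article; the friendship graph and the installer set are constructed and hypothetical.

```python
# Added example (not from the article): the reach of a third-party app under
# three API permission scopes. The social graph and installer set are constructed
# and hypothetical; the point is how far beyond the people who installed the app
# a "friends' data" or "friends of friends" scope extends.
from collections import deque

# Constructed friendship graph (undirected, stored as adjacency sets).
GRAPH = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"bob", "frank"},
    "erin": {"carol", "grace"},
    "frank": {"dave"},
    "grace": {"erin", "heidi"},
    "heidi": {"grace"},
}

def exposed_users(graph, installers, hops):
    """Users whose data an app can read when the API scope covers the installers
    themselves (hops=0), their friends (hops=1) or friends of friends (hops=2).
    Breadth-first traversal bounded by the permitted number of hops."""
    seen = set(installers)
    frontier = deque((user, 0) for user in installers)
    while frontier:
        user, depth = frontier.popleft()
        if depth == hops:
            continue  # the scope does not extend past this user
        for friend in graph.get(user, ()):
            if friend not in seen:
                seen.add(friend)
                frontier.append((friend, depth + 1))
    return seen

def scope_comparison(graph, installers):
    """Number of people exposed under each scope; 'installers_only' is the
    data-minimised scope that purpose limitation would require."""
    return {
        "installers_only": len(exposed_users(graph, installers, 0)),
        "friends": len(exposed_users(graph, installers, 1)),
        "friends_of_friends": len(exposed_users(graph, installers, 2)),
    }

if __name__ == "__main__":
    # One installer exposes 5 of the 8 users at two hops.
    print(scope_comparison(GRAPH, {"alice"}))
```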

The key legal and ethical failures

  • Informed consent – what enraged the public was the lack of concern over the issue of consent: consent policies were not clear, often using mystifying legal terms and lengthy explanations that were difficult to read and understand, and every single legal tenet was broken, as various case studies show
  • Data minimisation – the exact opposite, data maximisation, was in practice: the FB Graph API exposed information not only of the 27,000 app users but of users’ friends and friends of friends
  • Storage limitations – flouting regulation on the length of time data could be held for: Cambridge Analytica collected data in 2015 and used it repeatedly, not for the purpose for which it was gathered but for other activities across the globe
  • Purpose limitations – the user data that the company held was used for whatever purpose the company chose rather than the originally stated intention of academic research
  • Accuracy – Cambridge Analytica augmented the data, deliberately creating bias and unfair statistical reasoning models, thereby compromising the quality and accuracy of the data
  • Lawfulness – in terms of contractual obligations, outright deception was used by Cambridge Analytica to gain access to the app users’ data: the Trojan Horse’s stated use was academic, but its real use was to influence behaviour change for political gain
  • Confidentiality – the Meta API revealed confidential information, in some cases users’ private messages, which Cambridge Analytica used in its sentiment analysis models; AI and ML algorithms were used to find psychological vulnerabilities and users’ political preferences, all of which are classified as confidential data
  • Restrict processing and portability – Meta was considered to have been negligent for not clearly defining data ownership between data gatherers and third-party processors; the Meta Graph API was an open door that barely discouraged misuse of user data by third parties
  • Data misuse – by Cambridge Analytica, for the reasons previously outlined
  • Access, rectification, erasure – even though Meta knew of the data breach in 2015, it failed to inform users promptly and failed to delete the data; it was only in 2018, when the full extent became public knowledge through Christopher Wylie’s exposé in The Guardian newspaper and The New York Times, that consumers understood the vulnerabilities they were exposing themselves to on data-sharing platforms. FB acted late and unwillingly.
  • Object to automated decision-making and profiling – once again, for all the reasons outlined, Meta’s API allowed the transfer of decision-making from the user to the third-party processor, without the user being able to raise objections

In the subsequent investigations, the malpractices were found to stem largely from Cambridge Analytica’s misuse of the data rather than from FB. Meta was questioned over oversight failures rather than over its own participation and the access rights it granted third parties to its users’ data.

Case not closed – a history of litigation

Meta has a history of privacy issues where it has faced fines and charges.

A CNBC report shows user privacy is rarely discussed by the app developers at Meta. Meta consistently maintains users have full control over the data they share and that nobody is “forced” to share information about themselves.

This is not strictly true: the BBC reports that Meta added an “optional” AI tool to WhatsApp, the Meta messenger app, even though it cannot be removed from the app. WhatsApp also requests access to users’ contacts and to photographs stored on their devices to allow them to share images, audio and video files. It is not clear how the AI tool accesses all this data, or whether users are consenting to AI scraping messenger data.

Meta’s success, an MIT Tech Review article says, lies in the company’s ability to “commoditise privacy” with or without the user’s consent. The author, Konstantin Kakas, is of the view that if a company like FB “doesn’t understand what privacy means”, consumers should be wary of allowing the company to define what privacy means and of relinquishing control of their personal data to it.

According to a report in the Guardian newspaper, this is in line with the FB view, expressed over 15 years ago when it introduced the “news feed”, that “privacy is no longer a social norm”. It added a commercial product called Beacon that allowed advertisers to track user activity online from these news feeds without user consent. FB settled the claims against it for $9.5 million at the time, the paper reports.

Meta has faced multiple privacy issues and legal filings against its apps FB, Insta and WhatsApp. In 2024, the company paid EUR 251 million for data breaches involving minors. Broader EU penalties total EUR 3.9 billion.

The issue that resurfaces is not that Meta perpetrates the harm through direct participation, but that its open-door policy gives malicious (as well as non-malicious) actors access to user data without users’ consent.

Consumers inadvertently feed the beast

Users posting photos of friends, relatives and their children are inadvertently feeding the beast.

By tagging their friends, or even by the simple act of posting their friends’ images, they are providing Meta with access to the metadata in the files – the location and the biometrics of the individual concerned – while that individual may or may not have given their friends or relatives consent to post their pictures.

In the case of minors, parents, guardians and friends post pictures of their loved ones, assuming consent on their behalf.

With criminal gangs using AI to detect children’s images for repurposing in sexualised content to be sold, this is a loaded gun.

Social media users unwittingly co-opt their friends, relatives and minors, assuming the principle of “informed consent” on their behalf, which is both illegal and unethical.

This is where privacy-fatigue kicks in and virtue-signalling becomes an irritant that places people who are consciously de-risking themselves at risk.

Worrying increase of younger users, regulation on the increase but a lame deterrent

In May 2025, the UK regulator Ofcom said in a report that 20% of 3–5-year-olds now own smartphones, and 30% of 6–7-year-olds own phones. The data-gathering activities of smartphone operators have risen exponentially, with most users preferring smartphones over web applications to access social media. Significant use of social media platforms was noted among 7–17-year-olds, 18 being the legal age of consent in the UK.

While regulation and policy may be tightening, their global reach is poor. The law may recommend that APIs default to minimum data access, and that blockchain-based consent management be used because it provides auditable, tamper-resistant records of data collection, permissions and usage, but organisations may not be able to afford to make these changes.

Cambridge Analytica filed for bankruptcy. However, while it may have ceased trading, its related entities and structures continue to operate, and data may still be held in their databases.

Organisational changes have been recommended: internal governance structures that balance ethics and compliance against commercial exploitation, and a requirement for organisations to report on how data is collected, the purposes, sharing arrangements and access requests.

FB has had a Chief Privacy Officer and an independent privacy committee reporting to FB’s board of directors since the Cambridge Analytica affair, yet the Texas biometrics case shows this change to have had little impact on privacy safeguards while user information continues to be harvested.

The explosion in the harvesting of large volumes of personal data, and the misuse of this data, has exposed the fragility of regulation and enforcement on a global scale.

The interpretative adoption of internal governance, which tends to be unevenly applied at best, or to amount to cosmetic changes at worst, with the underlying malpractices preserved, means that organisations cannot be expected to mark their own copybooks.

Privacy by design is great conceptually, but caught between the commercial requirement to keep an organisation profitable and the growing burden of privacy legislation, privacy fatigue looks set to deepen rather than weaken, especially since the big tech giants earn back the avalanche of fines they pay in a week’s earnings, tech analysts say.

The trust-deficit between users and data harvesters is great, but users are not deterred from sharing data yet …

REFERENCES AND FURTHER READING