True privacy by design requires data encryption and host-proof applications.
Even though strong encryption algorithms have been in the public domain for quite a while now, your typical end user won't benefit from them and your typical web application won't make use of them.
Why? Two reasons: For the user it is too complicated to get it running and for the service provider there is little incentive as the current business models revolve around knowing as much as possible about your users.
And even the few existing solutions today suffer from one major drawback: The code that handles de- and encryption comes from the same site as the rest of the service and could potentially be manipulated.