Skip to content

Data Protection by Design and by Default:

Framing Guiding Principles into Legal Obligations in the GDPR

Lina Jasmontaite, Irene Kamara, Gabriela Zanfir-Fortuna, Stefano Leucci

DOI https://doi.org/10.21552/edpl/2018/2/7



In this contribution we examine the principles of Data Protection by Design and Data Protection by Default (DPbD and DPbDf) as introduced in the General Data Protection Regulation 2016/679 (GDPR). In particular, we seek answering these questions: ‘what are the elements of DPbD and DPbDf obligations under the Article 25 of the GDPR and how could they be interpreted and applied in practice’? By reflecting on elements embedded in these two concepts we aim at contributing to the ongoing debate on the implementation of these principles and conquering the opinion that DPbD and DPbDf contain ambiguous wording and confusing legalese that cannot be digested. Considering high stakes of being GDPR (in)compliant, we focus on the translation of the two legal provisions into high-level non-functional design requirements. We build on the existing knowledge about each element and also take into account a wider context in which such obligations were negotiated and introduced. We argue that while at first glance DPbDf is mainly linked to the data minimisation and purpose limitation principles, it is also equally relevant for the principles of data retention, confidentiality and accessibility. We suggest that the entire weight of the GDPR rests on the ‘shoulders’ of Article 25 and that, theoretically at least, complying with the DPbD and DPbDf principles is the key for the GDPR compliance.

Lina Jasmontaite, Researcher, Vrije Universiteit Brussel, Research Group on Law, Science, Technology and Society (LSTS), Belgium <mailto:lina.jasmontaite@vub.be>. Irene Kamara, Researcher, Tilburg University, Tilburg Institute for Law, Technology, and Society (TILT), the Netherlands, Affiliated Researcher, Vrije Universiteit Brussel, Research Group on Law, Science, Technology and Society (LSTS), Belgium <mailto:i.kamara@uvt.nl>. Gabriela Zanfir-Fortuna, PhD, Fellow of the Future of Privacy Forum, USA, Affiliated Researcher, Vrije Universiteit Brussel, Research Group on Law, Science, Technology and Society (LSTS), Belgium <mailto:gzanfir-fortuna@fpf.org>. Stefano Leucci, Legal and technical researcher and fellow, Nexa Center for Internet and Society – Politecnico di Torino, Italy <mailto:stefanoleucci@gmail.com>. The research for this article was made possible partially thanks to the funding from the EU Horizon 2020 Framework Programme for research and innovation under the CANVAS (Constructing an Alliance for Value-driven Cybersecurity) project, grant agreement no 700540 and the Research Coordination Network project of the Future of Privacy Forum, through a grant awarded by the US National Science Foundation. We would like to express sincere thanks to Prof Gloria Gonzalez Fuster, Dr Jaap-Henk Hoepman and the two EDPL reviewers for their feedback on an earlier version of this paper. We also would like to thank the participants of TILTing perspectives conference for their feedback and the IPEN (Internet Privacy Engineering Network of the European Data Protection Supervisor) which provoked our discussions and provided us with a platform for this collaboration.

Related Content

Lina Jasmontaite, Irene Kamara, Gabriela Zanfir-Fortuna, Stefano Leucci
Category: Articles


Share


Lx-Number Search

A
|
(e.g. A | 000123 | 01)

Cite this article

Jasmontaite, L. , Kamara, I. , Zanfir-Fortuna, G. , & Leucci, S.
Data Protection by Design and by Default:
European Data Protection Law Review
Volume 4, Issue 2 (2018)
pp. 168 - 189
DOI: https://doi.org/10.21552/edpl/2018/2/7

Export Citation