Data Protection by Design and by Default: journal article

Framing Guiding Principles into Legal Obligations in the GDPR

Lina Jasmontaite, Irene Kamara, Gabriela Zanfir-Fortuna, Stefano Leucci

European Data Protection Law Review, Volume 4 (2018), Issue 2, Page 168 - 189

In this contribution we examine the principles of Data Protection by Design and Data Protection by Default (DPbD and DPbDf) as introduced in the General Data Protection Regulation 2016/679 (GDPR). In particular, we seek to answer these questions: ‘what are the elements of the DPbD and DPbDf obligations under Article 25 of the GDPR, and how could they be interpreted and applied in practice?’ By reflecting on the elements embedded in these two concepts, we aim at contributing to the ongoing debate on the implementation of these principles and conquering the opinion that DPbD and DPbDf contain ambiguous wording and confusing legalese that cannot be digested. Considering the high stakes of being GDPR (in)compliant, we focus on the translation of the two legal provisions into high-level non-functional design requirements. We build on the existing knowledge about each element and also take into account the wider context in which such obligations were negotiated and introduced. We argue that while at first glance DPbDf is mainly linked to the data minimisation and purpose limitation principles, it is equally relevant for the principles of data retention, confidentiality and accessibility. We suggest that the entire weight of the GDPR rests on the ‘shoulders’ of Article 25 and that, theoretically at least, complying with the DPbD and DPbDf principles is the key to GDPR compliance.

