Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law

‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hard-coding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – and identify five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset of those responsible for developing and running data processing systems may prove to be more productive. Therefore, in terms of the regulatory tool-box, privacy by design should be approached less from a ‘code’ perspective and more from the perspective of ‘communication’ strategies.
