Data Protection by Design: Promises and Perils in Crossing the Rubicon Between Law and Engineering

This article reports some main findings from a study of recent efforts towards building privacy and other fundamental rights and freedoms into smart ICT systems. It mainly focuses on the concept of ‘Data Protection by Design and by Default’ (DPbD), recently introduced by EU legislation, and as implemented through the new field of privacy engineering. We describe the new constellations of actors that gather around this legislative and engineering initiative as an emerging ‘techno-epistemic network’. The article presents the empirical findings of a broad consultation with people involved in the making of this network, including policy makers, regulators, entrepreneurs, ICT developers, civil rights associations, and legal practitioners. Based on the findings from our consultations, we outline how DPbD is subject to differing, and sometimes conflicting or contradictory, expectations and requirements. We identify three main points of friction involved in the making of data protection by design: organisations versus autonomous data subjects; law versus engineering; and local versus global in the making of standards and infrastructures.
