Data Protection by Design and by Default: Deciphering the EU's Legislative Requirements

Abstract

In this paper, a critical examination is conducted of Article 25 of the European Union’s General Data Protection Regulation (Regulation 2016/679). Bearing the title ‘data protection by design and by default’, Article 25 requires that core data protection principles be integrated into the design and development of systems for processing personal data. The paper outlines the rationale and legal heritage of Article 25, and shows how its provisions proffer considerably stronger support for data protection by design and by default than is the case under the 1995 Data Protection Directive (Directive 95/46/EC). The paper further shows that this strengthening of support is in keeping with jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union. Nonetheless, it is herein argued that Article 25 suffers from multiple flaws, in particular a lack of clarity over the parameters and methodologies for achieving its goals, a failure to communicate clearly and directly with those engaged in the engineering of information systems, and a failure to provide the necessary incentives to spur the ‘hardwiring’ of privacy-related interests. Taken together, these flaws will likely hinder the traction of Article 25 requirements on information systems development.