Abstract

In its simplest formulation, data protection by design and default uses technical and organizational measures to achieve data protection goals. Although privacy regulators have endorsed privacy-enhancing technologies or PETs for well over thirty years, Article 25 of the General Data Protection Regulation (GDPR) breaks new ground by transforming this idea into a binding legal obligation. But Article 25 as presently conceived is poorly aligned with privacy engineering methods and related privacy-enhancing technologies (PETs). This is especially true of “hard” PETs that place limited trust in third parties (including data controllers) and instead rely on cryptographic techniques to achieve data minimisation. In order to advance data protection in its own right rather than merely reinforce the general principles of the GDPR, Article 25 must be interpreted as requiring the implementation of privacy engineering and hard PETs. A bold way to achieve this is by mandating that data controllers use available hard PETs for data minimisation. More gradual steps include data protection regulators insisting on a central role for privacy engineering and PETs in public sector projects; issuing guidance on Article 25 in very forceful terms that clearly require the implementation of “state of the art” privacy technology; and using their enforcement powers to reward good examples of privacy engineering rather than to penalize failures.

NB: This is a pre-copyedited, preprint version of an article accepted for publication in International Data Privacy Law following peer review. The final and updated version was published in International Data Privacy Law, Volume 10, Issue 1, February 2020, Pages 37–56, https://doi.org/10.1093/idpl/ipz019.
