Data Protection by Design and by Default : Deciphering the EU’s Legislative Requirements

  • Bygrave L
N/ACitations
Citations of this article
104Readers
Mendeley users who have this article in their library.

Abstract

In this paper, a critical examination is conducted of Article 25 of the European Union's General Data Protection Regulation (Regulation 2016/679). Bearing the title 'data protec- tion by design and by default', Article 25 requires that core data protection principles be integrated into the design and development of systems for processing personal data. The paper outlines the rationale and legal heritage of Article 25, and shows how its provisions proffer considerably stronger support for data protection by design and by default than is the case under the 1995 Data Protection Directive (Directive 95/46/EC). The paper further shows that this strengthening of support is in keeping with jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union. Nonetheless, it is herein argued that Article 25 suffers from multiple flaws, in particular a lack of clarity over the parameters and methodologies for achieving its goals, a failure to communicate clearly and directly with those engaged in the engineering of information systems, and a failure to provide the necessary incentives to spur the 'hardwiring' of privacy-related inter- ests. Taken together, these flaws will likely hinder the traction of Article 25 requirements on information systems development.

Cite

CITATION STYLE

APA

Bygrave, L. A. (2017). Data Protection by Design and by Default : Deciphering the EU’s Legislative Requirements. Oslo Law Review, 4(2), 105–120. https://doi.org/10.18261/issn.2387-3299-2017-02-03

Register to see more suggestions

Mendeley helps you to discover research relevant for your work.

Already have an account?

Save time finding and organizing research with Mendeley

Sign up for free