The trouble with Article 25 (and how to fix it): the future of data protection by design and default

Bibliographic Details
Published in: International Data Privacy Law, Vol. 10, no. 1, pp. 37-56
Main Authors: Rubinstein, Ira S.; Good, Nathaniel
Format: Journal Article
Language: English
Published: Oxford: Oxford University Press, 01-02-2020
Publisher: Oxford Publishing Limited (England)
Description
Summary: Article 25 requires every controller and processor (and indirectly all vendors) to implement data protection by design and default. This can mean business as usual in the form of procedural solutions or an explosion of innovative architectural solutions. We have argued that the time for adopting privacy engineering and hard PETs is now, not later or never. This position depends a great deal on the readiness of privacy engineering and hard PETs to assume their assigned tasks. We have therefore identified one bold step (requiring that data controllers henceforth use ‘mature’ hard PETs for data minimisation) as well as several modest steps (encouraging the use of privacy engineering and hard PETs in public sector projects, issuing design guidance premised on the ENISA Report and PRIPARE Handbook, and emphasizing carrots rather than sticks in Article 25 enforcement actions). There is much to be done, but we believe that the GDPR creates the opportunity to begin the necessary tasks in earnest. Thirty years after Chaum’s cryptographic breakthroughs and more than twenty years after regulators began incorporating design ideas into EU data protection law, it is time to implement technological measures that fulfil the early promise of PETs and the work of the contemporary privacy engineering community. Otherwise, Article 25 will be little more than an afterthought to ordinary GDPR compliance.
ISSN: 2044-3994 (print); 2044-4001 (online)
DOI: 10.1093/idpl/ipz019