Original Articles

Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law

Pages 159-171 | Received 18 Mar 2013, Published online: 01 Jul 2013
 

Abstract

‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hard-coding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – and identify five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset in those responsible for developing and running data processing systems may prove to be more productive. Therefore, in terms of the regulatory tool-box, privacy by design should be approached less from a ‘code’ perspective and more from the perspective of ‘communication’ strategies.

Notes

1. See http://vsdesign.org/projects.shtml (accessed 25 January 2013).

2. See Lessig (Citation1999).

3. European Commission, Communication on Promoting Data Protection; Registratiekamer et al. (1995).

4. For example, OECD (Citation2001); European Commission, Communication on Promoting Data Protection.

5. European Commission, Communication on Promoting Data Protection, 4; see also EDPS (Citation2009); Article 29 Working Party (Citation2009).

6. Cavoukian (Citation2010, 248).

7. Cavoukian (Citation2010, 248).

8. EDPS (Citation2009); Article 29 Working Party (Citation2009).

9. Pagallo (Citation2012); Brownsword (Citation2005).

10. Article 23 Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11 final, 25.01.2012.

11. Hornung (Citation2012, 75).

12. Hornung (Citation2012, 80–81).

13. Cf. Albrecht (Citation2012, 111): ‘Data protection by design is applauded as a core innovation of the reform’ (emphasis added).

14. Article 29 Working Party (Citation2012).

15. Pocs (Citation2012, 645–646).

16. See Koops (Citation2006) on the challenges of ‘technology-neutral’ regulation.

17. Hornung (Citation2012, 68).

18. Information Commissioner's Office (Citation2012).

19. Konarski et al. (Citation2012, 38).

20. Konarski et al. (Citation2012, 51).

21. Albrecht (Citation2012, Amendment 98 and Amendment 178). Cf. EDPS (Citation2011, §112): ‘It should be considered, on top of that, to create a separate obligation addressed to designers and manufacturers of new products and services with likely impact on data protection and privacy.’

22. Kuner (Citation2012, 7). See, however, Pocs (Citation2012, 643–645), who argues that art. 23 does not address technology producers.

23. EDPS (Citation2011, §109). Cf. recital 61 of the draft GDPR: ‘In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default’ (emphasis added).

24. Partially funded under the EU Framework 7 Programme under grant no. 257063. The project ran from September 2010 until January 2012.

25. Oberle et al. (Citation2012) describes efforts in the same direction, albeit limited to advising systems designers what data protection rule compliance means and how to implement it.

26. Cf. Olislaegers (Citation2012).

27. Charter of Fundamental Rights of the European Union, Official Journal C 83/389, 30 March 2010, available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf.

28. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L281/31, 23 November 1995.

29. Directive 2002/58/CE of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201/37, 31 July 2002.

30. Robinson et al. (Citation2009).

31. Leenes et al. (Citation2011, 9).

32. Wuyts et al. (Citation2010, 10).

33. In classical systems this would usually be hard-coded in the system. A system that has explicit access control rules or data handling policies and a policy engine is more flexible: changes to the data handling policies require no further changes in the system, because the policy engine simply enforces whatever rules are current.

34. Such policy engines have for instance been developed in the EU FP7 projects PrimeLife and Semiramis.

35. Leenes et al. (Citation2011, 10).

36. Art. 6 DPD includes various other relevant requirements relating to data quality, which in principle leave ample room for data controllers to process personal data.

37. See Koops (Citation2011).

38. See Gürses, Troncoso and Diaz (Citation2011).

39. See Olislaegers (Citation2012).

40. Yeung (Citation2008, 106).

41. Koops (Citation2011, 193).

42. See also Koops (Citation2011), Pagallo (Citation2012), and Olislaegers (Citation2012), including references.

43. See Notes 20–22.

44. ‘Compliance with the data protection regulation therefore is a key term. A useful distinction in this respect is between “rule compliance” on the one hand – “the practice of obeying rules or requests based on what is allowed or required by law made by authorities” – and “substantive compliance” with collective goals on the other’. Morgan and Yeung (Citation2007, 152).

45. Registratiekamer, Information and Privacy Commissioner and TNO (Citation1995).

46. See Gürses, Troncoso and Diaz (Citation2011).

47. This is one among several possible approaches; for another interesting approach, see Pocs (Citation2012).

48. Hoepman (Citation2012).

49. Chaum (Citation1981).

50. Camenisch and Lysyanskaya (Citation2001).

51. See Morgan and Yeung (Citation2007) who distinguish between the regulatory modalities of ‘command’, ‘competition’, ‘consensus’, ‘communication’ and ‘code’.
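The contrast drawn in notes 33 and 34 (rules baked into application code versus explicit data-handling policies evaluated by a policy engine) can be made concrete with a small worked example. The code below is added here for illustration and is not from the paper, nor from the PrimeLife or Semiramis projects; the policy format, the data categories, the purposes, the retention periods and the sample records are all constructed assumptions. It shows the same purpose-binding and retention rules written twice: once hard-coded, once as a policy document consumed by a minimal engine, so that swapping in a tightened policy changes enforcement without touching the code that handles the data.

```python
"""Added example (not from the paper): a minimal data-handling policy engine.

Contrasts note 33's two designs. The hard-coded variant bakes the rules
into a function; the policy-engine variant reads them from a policy
document, so tightening the policy is a data change, not a code change.
Policies, purposes, retention periods and records are all constructed.
"""
from dataclasses import dataclass

# Data-handling policy (constructed): for each data category, the purposes
# it may be processed for and the maximum age in days it may still be used.
POLICY_V1 = {
    "email":    {"purposes": {"account_admin", "newsletter"}, "retention_days": 365},
    "location": {"purposes": {"delivery"},                    "retention_days": 30},
}

# A later, tightened policy (constructed): newsletter use of email is
# withdrawn and location data expires after a week. No code changes below.
POLICY_V2 = {
    "email":    {"purposes": {"account_admin"}, "retention_days": 365},
    "location": {"purposes": {"delivery"},      "retention_days": 7},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Evaluates (category, purpose, age) against an explicit policy document."""

    def __init__(self, policy):
        self.policy = policy

    def evaluate(self, category, purpose, age_days):
        rule = self.policy.get(category)
        if rule is None:
            # Unknown data category: default deny rather than default allow.
            return Decision(False, f"no rule for category {category!r}; default deny")
        if purpose not in rule["purposes"]:
            return Decision(False, f"purpose {purpose!r} not permitted for {category!r}")
        if age_days > rule["retention_days"]:
            return Decision(False, f"{category!r} older than {rule['retention_days']} days; retention exceeded")
        return Decision(True, "permitted")


def hardcoded_allows(category, purpose, age_days):
    """The 'classical' counterpart: the same rules as POLICY_V1, baked into code.

    Withdrawing the newsletter purpose or shortening retention means editing
    this function and redeploying the system.
    """
    if category == "email" and purpose in ("account_admin", "newsletter") and age_days <= 365:
        return True
    if category == "location" and purpose == "delivery" and age_days <= 30:
        return True
    return False


def process(engine, records, purpose):
    """Return (record id, allowed, reason) for each record under `purpose`."""
    return [
        (rec["id"],) + (lambda d: (d.allowed, d.reason))(
            engine.evaluate(rec["category"], purpose, rec["age_days"])
        )
        for rec in records
    ]


# Constructed sample records: id, data category, age of the record in days.
RECORDS = [
    {"id": 1, "category": "email",    "age_days": 10},
    {"id": 2, "category": "location", "age_days": 10},
    {"id": 3, "category": "location", "age_days": 45},
    {"id": 4, "category": "phone",    "age_days": 1},   # no rule: denied
]


if __name__ == "__main__":
    for name, policy in (("v1", POLICY_V1), ("v2", POLICY_V2)):
        engine = PolicyEngine(policy)
        for purpose in ("newsletter", "delivery"):
            print(name, purpose, process(engine, RECORDS, purpose))
```

Under POLICY_V1 the engine and the hard-coded function agree on every record; under POLICY_V2 the engine starts refusing newsletter use of email and delivery use of location older than seven days, while `hardcoded_allows` keeps returning the old answers until someone edits it. That is the flexibility note 33 describes. It also shows the limit the paper is concerned with: the engine can only enforce what has been reduced to a rule over categories, purposes and ages, and deciding which rule is the right one is not something the engine does.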
