Putting Data Protection by Design and by Default in Practice: Unveiling the internal inconsistencies and external constraints of the General Data Protection Regulation (GDPR) and propounding solutions *
Although the GDPR strengthens the legal framework that protects the privacy and personal data of individuals in the EU, there are several instances where compliance with the Regulation’s requirements becomes extremely challenging, or even impossible.
Underexplored in the literature is the practical application of the newly introduced concept of Data Protection by Design and by Default (‘PbDD’), which attempts to provide a robust framework for protecting personal data. Despite the best intentions of the legislator, integrating the legal requirement of PbDD into technology and contemporary business operations can sometimes translate into an impossible mission.
Through critical reflection and empirical research, this study reveals the legal issues that lie at the heart of the PbDD concept. A comprehensive literature review and an analysis of data stemming from EU DPAs and privacy NGOs reveal that, rather than following economic logic or leaning on obsolete privacy trade-off paradigms, data controllers are more likely to benefit from adopting a simple bona fide approach to PbDD in order to meet the GDPR requirements.
By streamlining the PbDD process to focus on the data protection principles and the rights of individuals, the proposed Data Protection Principles Approach (DPPA) identifies, analyses, and resolves tensions between data security and protection, organisational data needs, and GDPR requirements. It considers the businesses’ efforts to ensure the protection of personal data (organisational perspective), the technological advances influencing its effectiveness (technological perspective), and the current legal state in the EU (legal perspective).
The thesis concludes that data protection legislation needs to focus on more coherent and probably stricter mechanisms for protecting an individual’s rights, distancing itself from “win-win” evaluations mostly anchored in economic logic, and it invites both organisations and the legislator to confirm the validity of the proposed DPPA model.
* WIP = Work In Progress