The European Union’s (EU) General Data Protection Regulation (GDPR) introduced the concept of data protection by design and by default (DPbD&bD) in its Article 25. This provision enshrines two key obligations that the controller must abide by: 1) the adoption of technical and organizational measures (TOMs), both at the time the means of processing are determined and during the processing itself, designed to implement the data protection principles in the processing, to meet the requirements of the GDPR generally and to protect the rights of the individuals whose personal data are processed; and 2) ensuring that, by default, only the personal data necessary for each specific purpose are processed.
Given the breadth of these obligations, it has been argued that the “entire weight of the GDPR rests on the ‘shoulders’ of Article 25.” It has also been noted that Article 25 makes the GDPR “stick” by overcoming “the gap between ‘law in books’ and ‘law in practice.’” The DPbD&bD obligation is seen as a tool to enhance the accountability of data controllers, to implement data protection effectively and to emphasize the proactive implementation of data protection safeguards.
This Report aims to explore how the DPbD&bD obligation breaks down in practice and whether it is effective, informed by how Data Protection Authorities (DPAs) and courts have enforced Article 25 GDPR since it became applicable. For instance, we analyze whether DPAs and courts find breaches of Article 25 without linking them to other infringements of the Regulation, and which provisions enforcers most often apply together with Article 25, including the general data protection principles and the data security requirements of Article 32. We also examine which controls and which controller behaviors are deemed sufficient to comply with Article 25 and, a contrario, which are not.
Published in: United States of America