20.500.12592/wfvdgf

Unlocking Data Protection By Design & By Default: Lessons from the Enforcement of Article 25 GDPR

19 May 2023

The European Union’s (EU) General Data Protection Regulation (GDPR) introduced the concept of data protection by design and by default (DPbD&bD) in its Article 25. This provision enshrines two key obligations that the controller must abide by: 1) the adoption of technical and organizational measures (TOMs), both at the time of the determination of the means and during the processing itself, designed to implement data protection principles into the processing, meet the requirements of the GDPR generally, and protect the rights of individuals whose personal data are processed; and 2) ensuring that, by default, only personal data necessary for each specific purpose are processed. Given the breadth of these obligations, it has been argued that the “entire weight of the GDPR rests on the ‘shoulders’ of Article 25.” It has also been noted that Article 25 makes the GDPR “stick” by overcoming “the gap between ‘law in books’ and ‘law in practice.’” The DPbD&bD obligation is seen as a tool to enhance accountability for data controllers, implement data protection effectively, and emphasize the proactive implementation of data protection safeguards.

This Report explores how the DPbD&bD obligation breaks down in practice and whether it is effective, informed by how Data Protection Authorities (DPAs) and courts have enforced Article 25 GDPR since it became applicable. For instance, we analyze whether DPAs and courts find breaches of Article 25 without links to other infringements of the Regulation, and which provisions enforcers most often apply together with Article 25, including the general data protection principles and the data security requirements under Article 32. We also examine which controls and behaviors of controllers are deemed sufficient to comply with Article 25 and, a contrario, which are not.

Keywords: data protection, GDPR

Authors

Christina Michelakaki, Sebastião Barros Vale

Published in
United States of America
