Privacy Regulation Cannot Be Hardcoded. A Critical Comment on the 'Privacy by Design' Provision in Data-Protection Law

International Review of Law, Computers & Technology 28 (2), p. 159-171, 2014

12 Pages. Posted: 15 Feb 2015

Bert-Jaap Koops

Tilburg University - Tilburg Institute for Law, Technology, and Society (TILT)

Ronald E. Leenes

Tilburg Institute for Law, Technology, and Society; Tilburg Law School; Tilburg University

Date Written: March 15, 2014

Abstract

‘Privacy by design’ is an increasingly popular paradigm. It is the principle or concept that privacy should be promoted as a default setting of every new ICT system and should be built into systems from the design stage. The draft General Data Protection Regulation embraces ‘privacy by design’ without detailing how it can or should be applied. This paper discusses what the proposed legal obligation for ‘privacy by design’ implies in practice for online businesses. In particular, does it entail hardcoding privacy requirements in system design? First, the ‘privacy by design’ provision in the proposed Regulation is analysed and interpreted. Next, we discuss an extreme interpretation – embedding data protection requirements in system software – identifying five complicating issues. On the basis of these complications, we conclude that ‘privacy by design’ should not be interpreted as trying to achieve rule compliance by techno-regulation. Instead, fostering the right mindset of those responsible for developing and running data processing systems may prove to be more productive. Therefore, in terms of the regulatory tool-box, privacy by design should be approached less from a ‘code’ perspective, but rather from the perspective of ‘communication’ strategies.

Keywords: privacy by design, General Data Protection Regulation, techno-regulation

JEL Classification: K10, K40, O33, O38

Suggested Citation

Koops, Bert-Jaap and Leenes, Ronald E., Privacy Regulation Cannot Be Hardcoded. A Critical Comment on the 'Privacy by Design' Provision in Data-Protection Law (March 15, 2014). International Review of Law, Computers & Technology 28 (2), p. 159-171, 2014. Available at SSRN: https://ssrn.com/abstract=2564791

Bert-Jaap Koops (Contact Author)

Tilburg University - Tilburg Institute for Law, Technology, and Society (TILT)

P.O.Box 90153
Prof. Cobbenhagenlaan 221
Tilburg, 5037
Netherlands

Ronald E. Leenes

Tilburg Institute for Law, Technology, and Society

NL-5000 LE Tilburg
Netherlands

Tilburg Law School

Tilburg, 5000 LE
Netherlands

Tilburg University

P.O. Box 90153
Tilburg, DC 5000 LE
Netherlands
