Data Protection by Design and by Default: Deciphering the EU's Legislative Requirements

Oslo Law Review, Volume 4, No. 2, 2017

16 Pages Posted: 13 Sep 2017  

Lee A. Bygrave

University of Oslo

Date Written: June 20, 2017


In this paper, a critical examination is conducted of Article 25 of the European Union’s General Data Protection Regulation (Regulation 2016/679). Bearing the title ‘data protection by design and by default’, Article 25 requires that core data protection principles be integrated into the design and development of systems for processing personal data. The paper outlines the rationale and legal heritage of Article 25, and shows how its provisions proffer considerably stronger support for data protection by design and by default than is the case under the 1995 Data Protection Directive (Directive 95/46/EC). The paper further shows that this strengthening of support is in keeping with jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union. Nonetheless, it is herein argued that Article 25 suffers from multiple flaws, in particular a lack of clarity over the parameters and methodologies for achieving its goals, a failure to communicate clearly and directly with those engaged in the engineering of information systems, and a failure to provide the necessary incentives to spur the ‘hardwiring’ of privacy-related interests. Taken together, these flaws will likely hinder the traction of Article 25 requirements on information systems development.

Keywords: Privacy by design, data protection by design, privacy-enhancing technology, General Data Protection Regulation

Suggested Citation

Bygrave, Lee A., Data Protection by Design and by Default: Deciphering the EU's Legislative Requirements (June 20, 2017). Oslo Law Review, Volume 4, No. 2, 2017. Available at SSRN:

Lee A. Bygrave (Contact Author)

University of Oslo

PO Box 6706 St Olavs plass
Oslo, N-0317


