When Data Protection by Design and Data Subject Rights Clash

International Data Privacy Law (2018) doi:10.1093/idpl/ipy002

19 Pages Posted: 9 Dec 2017 Last revised: 17 Apr 2018

See all articles by Michael Veale

Michael Veale

Alan Turing Institute - Alan Turing Institute; University of Birmingham - Birmingham Law School

Reuben Binns

University of Oxford

Jef Ausloos

University of Amsterdam - Institute for Information Law (IViR)

Date Written: February 20, 2018

Abstract

Data protection by design (DPbD), a holistic approach to embedding principles in technical and organizational measures undertaken by data controllers, building on the notion of Privacy by Design, is now a qualified duty in the GDPR.

Practitioners have seen DPbD less holistically, instead framing it through the confidentiality-focussed lens of privacy enhancing technologies (PETs).

We show that some confidentiality-focussed DPbD strategies used by large data controllers leave data reidentifiable by capable adversaries while heavily limiting controllers’ ability to provide data subject rights, such as access, erasure and objection, to manage this risk.

Informed by case studies of Apple’s Siri voice assistant and Transport for London’s Wi-Fi analytics, we suggest three main ways to make deployed DPbD more accountable and data subject–centric: building parallel systems to fulfil rights, including dealing with volunteered data; making inevitable trade-offs more explicit and transparent through Data Protection Impact Assessments; and through ex ante and ex post information rights (Articles 13–15), which we argue may require the provision of information concerning DPbD trade-offs.

Despite steep technical hurdles, we call both for researchers in PETs to develop rigorous techniques to balance privacy-as-control with privacy-as-confidentiality, and for DPAs to consider tailoring guidance and future frameworks to better oversee the trade-offs being made by primarily well-intentioned data controllers employing DPbD.

Note: Original version posted on SSRN 12 November 2017 as "We Can't Find Your Data, But A Hacker: How 'Privacy by Design' Trades-Off Data Protection Rights"

Keywords: privacy by design, data protection by design, privacy-enhancing technologies, privacy enhancing technologies, privacy, data protection, GDPR, data protection impact assessments, information rights, transparency, access rights, right of access, right to be forgotten, right of erasure, right to object

Suggested Citation

Veale, Michael and Binns, Reuben and Ausloos, Jef, When Data Protection by Design and Data Subject Rights Clash (February 20, 2018). International Data Privacy Law (2018) doi:10.1093/idpl/ipy002. Available at SSRN: https://ssrn.com/abstract=3081069 or http://dx.doi.org/10.2139/ssrn.3081069

Michael Veale (Contact Author)

Alan Turing Institute - Alan Turing Institute ( email )

96 Euston Road
London, NW1 2DB
United Kingdom

University of Birmingham - Birmingham Law School ( email )

Edgbaston
Birmingham, B15 2TT
United Kingdom

Reuben Binns

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Jef Ausloos

University of Amsterdam - Institute for Information Law (IViR) ( email )

Roeterseilandcampus, Building A, 5th floor
Nieuwe Achtergracht 166
Amsterdam, Noord-Holland 1018 WV
Netherlands

HOME PAGE: http://ivir.nl

Register to save articles to
your library

Register

Paper statistics

Downloads
490
Abstract Views
2,626
rank
56,484
PlumX Metrics