'Data Protection by Design? A Critique of Article 25 of the GDPR' by Ari Ezra Waldman in (2020) 53 Cornell International Law Journal 147 comments
Europe’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. Article 25, titled, “Data Protection by Design and by Default,” purports to incorporate the concept of “privacy by design” into European data protection law. This Article challenges that common presumption. Although privacy by design is not a new doctrine, having been the subject of academic debate, legal, and regulatory discussions for more than a decade, the final draft of Article 25(1) reflects little, if any, of that history. Relying on multiple forms of statutory interpretation commonly used to interpret European Community legislation, this Article argues that Article 25 of the GDPR lacks any meaningful connection to privacy by design under textualist, contextual, purposive, and precedential interpreta- tions. Only teleological reasoning offers a meaningful way forward. This means that it is up to the European Court of Justice to determine if Article 25(1) will have any chance of protecting European Union citizens and lim- iting the power of data controllers.
When the General Data Protection Regulation (GDPR) took effect on May 25, 2018, “data protection by design and by default” became the law of the European Union. The concept, embodied in Article 25, Section 1, requires a data “controller” to both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
This provision is far from clear. This Article leverages a variety of statutory interpretation methods commonly used to interpret European statutory law to discern what Article 25 actually means.3 It concludes that Article 25(1) is hopelessly vague. Neither the text nor its context offers any clarity about Article 25(1)’s requirements, scope, or limitations. Only a teleological approach can rescue Article 25(1) from obscurity and obsolescence.
Most scholars and industry experts suggest that Article 25(1) codifies privacy by design into law. Daniel Solove has stated that “Article 25 . . . mandates that data protection be built in starting at the beginning of the design process,” reflecting one of the standard academic definitions of privacy by design. Woodrow Hartzog wrote that Article 25, which “requires that core data protection principles be integrated into the design and development of data technologies,” is important because privacy by design is an essential weapon in vindicating privacy rights against preda- tory, data-hungry technology companies. The international consulting firm Deloitte told its clients that “privacy by design” was “new as a legal requirement under” Article 25, requiring companies to embed privacy in the design process. And PrivacyTrust called Article 25 a “key change[ ]” that “provides the recognition of [the right to privacy by design] and how it is to be enforced.”
There are two problems with that neat narrative, both of which I describe in this Article. First, although the phrase “privacy by design” gen- erally refers to making privacy part of the design process for new technologies, scholars have long disagreed about what that actually means, making it difficult to codify it as a unitary concept. Second, the very diversity of definitions means that the drafters of the GDPR had several choices: they could have codified one version, tried to blend different definitions together, developed another perspective entirely, or used language so vague that the provision would be rendered meaningless. Article 25(1) reflects the last option, comprising language so devoid of meaning that it can hardly be considered to reflect privacy by design at all. I argue that under most methods of statutory interpretation used by the Court of Justice of the European Union (CJEU or Court of Justice), Article 25(1) does not reflect privacy by design. Rather, it was written as a catch-all provision that has no identity of its own. The CJEU will have to leverage teleological reasoning to empower the provision. If it does not, European citizens will have lost what could be a powerful tool of data protection.