

Data Protection by Design? A Critique of Article 25 of the GDPR, Vol. 53

Ari Ezra Waldman

21 Apr 2021

Europe’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. Article 25, titled “Data Protection by Design and by Default,” purports to incorporate the concept of “privacy by design” into European data protection law. This Article challenges that common presumption. Although privacy by design is not a new doctrine, having been the subject of academic, legal, and regulatory discussion for more than a decade, the final draft of Article 25(1) reflects little, if any, of that history. Relying on multiple forms of statutory interpretation commonly used to interpret European Community legislation, this Article argues that Article 25 of the GDPR lacks any meaningful connection to privacy by design under textualist, contextual, purposive, and precedential interpretations. Only teleological reasoning offers a meaningful way forward. This means that it is up to the European Court of Justice to determine if Article 25(1) will have any chance of protecting European Union citizens and limiting the power of data controllers.


Professor of Law and Computer Science, Northeastern University School of Law and Khoury College of Computer Sciences. Visiting Professor, Woodrow Wilson School of Public and International Affairs, Princeton University (2019-2020). Affiliate Fellow, Information Society Project, Yale Law School. Ph.D., Columbia University; J.D., Harvard Law School. Thanks to Kendra Alpert, Michael Birnhack, Lee Bygrave, Danielle Keats Citron, Mary Culnan, Nico van Eijk, Sue Glueck, Woodrow Hartzog, Mike Hintze, Meg Leta Jones, Cameron Kerry, Jonathan Mayer, Sean McDonald, Neil Richards, Ira Rubinstein, James Rule, Stuart Shapiro, Felix Wu, and Tal Zarsky for their helpful and insightful comments. Portions of this Article are taken from my article, Privacy’s Law of Design, 9 U.C. IRVINE L. REV. 1239 (2019). Versions of this Article were presented or workshopped at the AI and the Law Conference at Seton Hall University School of Law, at the Privacy Law Scholars Conference in Washington, D.C., and at the Berlin Center for Consumer Policies Annual Forum in Berlin, Germany. Special thanks to the editors at the Cornell International Law Journal. All errors are my own.