Europe’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. Article 25, titled, “Data Protection by Design and by Default,” purports to incorporate the concept of “privacy by design” into European data protection law. This Article challenges that common presumption. Although privacy by design is not a new doctrine, having been the subject of academic debate, legal, and regulatory discussions for more than a decade, the final draft of Article 25(1) reflects little, if any, of that history. Relying on multiple forms of statutory interpretation commonly used to interpret European Community legislation, this Article argues that Article 25 of the GDPR lacks any meaningful connection to privacy by design under textualist, contextual, purposive, and precedential interpretations. Only teleological reasoning offers a meaningful way forward. This means that it is up to the European Court of Justice to determine if Article 25(1) will have any chance of protecting European Union citizens and limiting the power of data controllers.
Data Protection by Design? A Critique of Article 25 of the GDPR
21 Apr 2021