Journal article
When data protection by design and data subject rights clash
- Abstract:
-
• Data Protection by Design (DPbD), a holistic approach to embedding principles in technical and organisational measures undertaken by data controllers, building on the notion of Privacy by Design, is now a qualified duty in the GDPR.
• Practitioners have seen DPbD less holistically, instead framing it through the confidentiality-focussed lens of Privacy Enhancing Technologies (PETs).
• While focussing primarily on confidentiality risk, we show that some DPbD strategies deployed by large data controllers result in personal data which, despite remaining clearly reidentifiable by a capable adversary, make it difficult for the controller to grant data subjects rights (eg access, erasure, objection) over for the purposes of managing this risk.
• Informed by case studies of Apple’s Siri voice assistant and Transport for London’s Wi-Fi analytics, we suggest three main ways to make deployed DPbD more accountable and data subject–centric: building parallel systems to fulfil rights, including dealing with volunteered data; making inevitable trade-offs more explicit and transparent through Data Protection Impact Assessments; and through ex ante and ex post information rights (arts 13–15), which we argue may require the provision of information concerning DPbD trade-offs.
• Despite steep technical hurdles, we call both for researchers in PETs to develop rigorous techniques to balance privacy-as-control with privacy-as-confidentiality, and for DPAs to consider tailoring guidance and future frameworks to better oversee the trade-offs being made by primarily well-intentioned data controllers employing DPbD.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
- Publisher copy:
- 10.1093/idpl/ipy002
Authors
- Publisher:
- Oxford University Press
- Journal:
- International Data Privacy Law
- Volume:
- 8
- Issue:
- 2
- Pages:
- 105–123
- Publication date:
- 2018-04-04
- Acceptance date:
- 2018-02-20
- DOI:
- EISSN:
-
2044-4001
- ISSN:
-
2044-3994
- Pubs id:
-
pubs:827821
- UUID:
-
uuid:e85f845d-35cf-4664-aff4-332ab6cc2e02
- Local pid:
-
pubs:827821
- Source identifiers:
-
827821
- Deposit date:
-
2018-03-05
Terms of use
- Copyright holder:
- Binns et al
- Copyright date:
- 2018
- Notes:
- © The Author(s) 2018. Published by Oxford University Press. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.
- Licence:
- CC Attribution (CC BY)