Data Protection by Design and by Default

2021 
This paper has been written as an entry to the forthcoming Oxford Encyclopedia of European Union Law. As such, it gives a concise presentation of the role of ‘Data Protection by Design and by Default’ (DPbDD), particularly as provided for under Article 25 of the EU General Data Protection Regulation (GDPR). The paper canvasses the rationale, heritage, and ambit of Article 25, together with criticisms of its utility. The overall argument advanced in the paper is that DPbDD is not just a simple rule inhering in the GDPR and other EU secondary legislation but a higher-order regulatory principle that also inheres in the EU constitutional fabric. Moreover, DPbDD is a key principle in European data protection law and thereby helps to rejuvenate and modernize the traditional ‘Fair Information Practice Principles’. Its central function is to ensure that the core norms of data protection law ‘stick’ and to spell out that this traction goes beyond simply undertaking a process or set of processes (assessment, planning, design, etc.), but ultimately involves a result that secures data protection ‘on the ground’.