The Trouble with Article 25 (and How to Fix It): The Future of Data Protection by Design and Default

Privacy and Security

Article Snapshot


Nathaniel Good and Ira Rubinstein


International Data Privacy Law, Vol. 10, No. 1, pp. 37-56, 2020


Article 25 of Europe’s General Data Protection Regulation (GDPR) suggests that data controllers use privacy enhancing technologies (PETs). Regulators should interpret Article 25 to require the use of engineering techniques to enhance privacy.

Policy Relevance

Regulators should recommend specific PETs.

Main Points

  • Article 25 of Europe’s GDPR requires data controllers to use data protection by design and by default, that is, it may be interpreted to require data controllers to use PETs.
  • Critics note that Article 25 is extremely vague and does not require use of any specific technologies.
  • “Hard” PETS place limited trust in data controllers, relying instead on cryptography or other techniques to minimize data sharing.
  • Article 25 is poorly aligned with PETs, as the GDPR tends to assume that data controllers are trusted entities.
  • A study of online advertising shows the difference between privacy by engineering and privacy by policy.
    • Privacy by policy emphasizes the importance of consent, a model many have rejected.
    • Privacy by engineering emphasizes anonymization of data, hard PETs, and special methods of data storage and processing.
    • Without privacy by engineering, there will be no change in the practices of advertisers.
  • Article 25 should be interpreted to require the implementation of privacy engineering and hard PETs; regulators should identify, assess, and recommend specific PETs, and should reward “best practices.”

Get The Article

Find the full article online

Search for Full Article