‘Privacy by Design’ in EU Law

Matching Privacy Protection Goals with the Essence of the Rights to Private Life and Data Protection
  • Maria Grazia PorceddaEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11079)


In this paper I tackle the question, currently unaddressed in the literature, of how to reconcile the technical understanding of ‘privacy by design’ with the nature of ‘privacy’ in EU law. There, ‘privacy’ splits into two constitutionally protected rights– respect for private and family life, and protection of personal data– whose essence cannot be violated. After illustrating the technical notion of privacy protection goals and design strategies, developed in the privacy threat modelling literature, I propose a method to identify the essence of the two rights, which rests on identifying first the rights’ ‘attributes’. I answer the research question by linking the technical notion of privacy protection goals and strategies with the attributes and related ‘essence’ of the rights to private life and to the protection of personal data. The analysis unveils the need to adjust and further develop privacy protection goals. It also unveils that establishing equivalences between technical and legal approaches to the two rights bears positive effects beyond PbD.


Data protection by design Privacy by design Information security canons Protection goals Essence Privacy Data protection Charter of Fundamental Rights 



I wish to thank my anonymous reviewers, the participants of the APF 2018 and Martyn Egan for suggestions on how to improve this draft. An early draft of this chapter appeared in a restricted deliverable of the FP7 SURVEILLE project (grant agreement no. 284725), as well as my PhD thesis, partly funded by SURVEILLE. Completion of this chapter was funded by the EPSRC research project “Combatting cRiminals In The Cloud” (CRITiCal - EP/M020576/1).


  1. 1.
    Koops, B.-J., Leenes, R.: Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law. Int. Rev. Law Comput. Technol. 28, 151–171 (2014)CrossRefGoogle Scholar
  2. 2.
    Schartum, D.W.: Making privacy by design operative. Int. J. Law Inf. Technol. 24, 151–175 (2016)CrossRefGoogle Scholar
  3. 3.
    International Conference of Data Protection and Privacy Commissioners: Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data (The Madrid Resolution). 30th International Conference of Data Protection and Privacy Commissioners, Madrid (2009).
  4. 4.
    Cavoukian, A.: Privacy by Design…Take the Challenge (2010).
  5. 5.
    Wuyts, K., Scandariato, R., Joosen, W.: LINDDUN: a privacy threat analysis framework.
  6. 6.
    Danezis, G., et al.: Privacy and data protection by design – from policy to engineering. ENISA (2014)Google Scholar
  7. 7.
    Pagallo, U.: On the principle of privacy by design and its limits. In: Gutwirth, S., Leenes, R., De Hert, P., Poullet, Y. (eds.) European Data Protection. In Good Health?, pp. 331–346. Springer, Dordrecht (2012). Scholar
  8. 8.
    Kamara, I.: Co-regulation in EU personal data protection: the case of technical standards and the privacy by design standardisation ‘mandate’. Eur. J. Law Technol. 8 (2017)Google Scholar
  9. 9.
    Rachovitsa, A.: Engineering and lawyering privacy by design: understanding online privacy both as a technical and an international human right issues. Int. J. Law Inf. Technol. 24, 374–399 (2016)CrossRefGoogle Scholar
  10. 10.
    Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., Rost, M.: A process for data protection impact assessment under the European general data protection regulation. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 21–37. Springer, Cham (2016). Scholar
  11. 11.
    Tsormpatzoudi, P., Berendt, B., Coudert, F.: Privacy by design: from research and policy to practice – the challenge of multi-disciplinarity. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds.) APF 2015. LNCS, vol. 9484, pp. 199–212. Springer, Cham (2016). Scholar
  12. 12.
    Porcedda, M.G.: Cybersecurity and privacy rights in EU law. Moving beyond the trade-off model to appraise the role of technology. Ph.D. thesis. European University Institute (2017)Google Scholar
  13. 13.
    Charter of Fundamental Rights of the European Union, OJ C 303/01. Official Journal C 303/01, pp. 1–22, European Union (2007)Google Scholar
  14. 14.
    Brkan, M.: In search of the concept of essence of EU fundamental rights through the prism of data privacy. Maastricht Working Paper (2017)Google Scholar
  15. 15.
    Lynskey, O.: The Foundations of EU Data Protection Law. Oxford University Press, Oxford (2015)Google Scholar
  16. 16.
    Tzanou, M.: EU counter-terrorism measures and the question of fundamental rights: the case of personal data protection. Ph.D. thesis, European University Institute (2012)Google Scholar
  17. 17.
  18. 18.
  19. 19.
  20. 20.
  21. 21.
    Jouinia, M., Rabaia, L.B.A., Aissab, A.B.: Classification of security threats in information systems. In: 5th International Conference on Ambient Systems, Networks and Technologies (ANT-2014). Procedia Computer Science, pp. 489–496 (2014)Google Scholar
  22. 22.
  23. 23.
  24. 24.
    International Telecommunication Union: Security in Telecommunications and Information Technology. An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications (2015).
  25. 25.
    Berendt, B.: Better data protection by design through multicriteria decision making: on false tradeoffs between privacy and utility. In: Schweighofer, E., Leitold, H., Mitrakas, A., Rannenberg, K. (eds.) Privacy Technologies and Policy, pp. 210–230. Springer, Heidelberg (2017). Scholar
  26. 26.
    Hansen, M., Jensen, M., Rost, M.: Protection goals for privacy engineering. In: Security and Privacy Workshops (SPW). IEEE (2015)Google Scholar
  27. 27.
    Hoepman, J.-H.: Privacy design strategies. In: 2013 Privacy Law Scholars Conference (PLSC), Cornell University, Ithaca, NY, USA (2013)Google Scholar
  28. 28.
    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (Data Protection Directive) OJ L 281, vol. OJ L 281, pp. 31–50 (1995)Google Scholar
  29. 29.
    Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such data, and Repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1 (2016)Google Scholar
  30. 30.
    European Commission: Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017)Google Scholar
  31. 31.
    Porcedda, M.G.: On boundaries. In search for the essence of the right to the protection of personal data. In: de Hert, P., van Brakel, R., Leenes, R. (eds.) Proceedings of the 11th Computers, Privacy and Data Protection Conference, Hart (forthcoming)Google Scholar
  32. 32.
    United Nations, High Commissioner for Human Rights (OHCHR): Human Rights Indicators. A Guide to Measurement and Implementation (2012)Google Scholar
  33. 33.
    Candler, J., Holder, H., Hosali, S., Payne, A.M., Tsang, T., Vizard, P.: Human Rights Measurement Framework: Prototype Panels, Indicator Set and Evidence Base. Equality and Human Rights Commission, London (2011)Google Scholar
  34. 34.
    Fundamental Rights Agency: Using indicators to measure fundamental rights in the EU: challenges and solutions (2011)Google Scholar
  35. 35.
    Koops, B.-J., Clayton Newel, B., Timan, T., Skorvanek, I., Chokrevski, T., Galic, M.: A typology of privacy. Univ. Penn. J. Int. Law 38, 483 (2017)Google Scholar
  36. 36.
    Finn, R.L., Wright, D., Friedewald, M.: Seven types of privacy. In: Gutwirth, S., Leenes, R., de Hert, P., Poullet, Y. (eds.) European Data Protection: Coming of Age, pp. 3–32. Springer, Dordrecht (2013). Scholar
  37. 37.
    Convention for the Protection of Human Rights and Fundamental Freedoms (as amended by Protocols No 11 and 14), Council of Europe, ETS no 005, 4 November 1950, Rome (1950)Google Scholar
  38. 38.
    X and Others v. Austria, no. 19010/07 CE:ECHR:2013:0219JUD001901007 (2013)Google Scholar
  39. 39.
    Opinion 1/15 of the Court (Grand Chamber), ECLI:EU:C:2017:592 (2017)Google Scholar
  40. 40.
    Judgment of 5 October 2010 in McB, C-400/10 PPU, ECLI:EU:C:2010:582, (2010)Google Scholar
  41. 41.
    Judgment of 8 April 2014 in Digital Rights Ireland and Seitlinger and Others, Joined cases C-293/12 and C-594/12, ECLI:EU:C:2014:238 (2014)Google Scholar
  42. 42.
    Judgment of 13 May 2014 in Google Spain and Google, C-131/12, ECLI:EU:C:2014:317 (2014)Google Scholar
  43. 43.
    Convention for the Protection of Individuals with regard to automatic processing of personal data, Council of Europe, CETS n. 108, 28 January 1981. In: Europe, C.o. (ed.) vol. CETS No. 108, Strasbourg (1981)Google Scholar
  44. 44.
    Judgment of 6 October 2015 in Schrems, C-362/14, ECLI:EU:C:2015:650 (2015)Google Scholar
  45. 45.
    Gürses, S., Troncoso, C., Diaz, C., Engineering privacy by design. In: Paper Discussed at the 4th Computers, Privacy & Data Protection Conference, Brussels (2011)Google Scholar
  46. 46.
    Porcedda, M.G.: Patching the patchwork: appraising the EU regulatory framework on cyber security breaches. Comput. Law Secur. Rev. 34, 1077–1098 (2018)CrossRefGoogle Scholar
  47. 47.
    Porcedda, M.G., Wall, D.S.: Data science, data crime and the law. In: Berlee, A., Mak, V., Tjong Tijn Tai, E. (eds.) Research Handbook on Data Science and Law. Edwar Elgar, Cheltenham (2018, forthcoming)Google Scholar
  48. 48.
    Gürses, S., Troncoso, C., Diaz, C., Engineering privacy by design reloaded.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Centre for Criminal Justice Studies, School of LawUniversity of LeedsLeedsUK

Personalised recommendations