The Right to Customization: Conceptualizing the Right to Repair for Informational Privacy

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12703)


Terms of use of a digital service are often framed in a binary way: Either one agrees to the service provider's data processing practices, and is granted access to the service, or one does not, and is denied the service. Many scholars have lamented these ‘take-it-or-leave-it’ situations, as this goes against the ideals of data protection law. To address this inadequacy, computer scientists and legal scholars have tried to come up with approaches to enable more privacy-friendly products and services. In this article, we call for a right to customize the processing of user data. Our arguments build upon technology-driven approaches as well as on the ideals of privacy by design and the now codified data protection by design and default norm within the General Data Protection Regulation. In addition, we draw upon the right to repair that is propagated to empower consumers and enable a more circular economy. We propose two technologically-oriented approaches, termed ‘variants’ and ‘alternatives’ that could enable the technical implementation of a right to customization. We posit that these approaches cannot be demanded without limitation, and that restrictions will depend on how reasonable a customization demand is.


Right to customization Right to repair Consent GDPR Informational privacy 


  1. 1.
    Abadi, M., et al.: Deep learning with differential privacy. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 308–318. Association for Computing Machinery (2016)Google Scholar
  2. 2.
    Acquisti, A., Brandimarte, L., Loewenstein, G.: Privacy and human behavior in the age of information. Science 347(6221), 509–514 (2015)CrossRefGoogle Scholar
  3. 3.
    Agrawal, N., Binns, R., Van Kleek, M., Laine, K., Shadbolt, N.: Exploring design and governance challenges in the development of privacy-preserving computation. arXiv preprint arXiv:2101.08048 (2021)
  4. 4.
    Article 29 Working Party: WP29 Opinion 15/2011 on the definition of consent (WP 187) (2011).
  5. 5.
    Berliner Beauftragte für Datenschutz und Informationsfreiheit: Berliner Datenschutzbeauftragte verhängt Bussgeld gegen Immobiliengesellschaft, 5 November 2019 (2019).
  6. 6.
    Bietti, E.: Consent as a free pass: platform power and the limits of the informational turn. Pace Law Rev. 40, 307–397 (2020)Google Scholar
  7. 7.
    Bizer, C., Heath, T., Berners-Lee, T.: Linked data: the story so far. In: Semantic Services, Interoperability and Web Applications: Emerging Concepts, pp. 205–227. IGI global (2011)Google Scholar
  8. 8.
    Borgesius, F., Kruikemeier, S., Boerman, S., Helberger, N.: Tracking walls, take-it-or-leave-it choices, the GDPR, and the ePrivacy regulation. Eur. Data Protect. Law Rev. 3, 353–368 (2017)CrossRefGoogle Scholar
  9. 9.
    Brownsword, R.: Consent in data protection law: privacy, fair processing and confidentiality. In: Gutwirth, S., Poullet, Y., de Hert, P., de Terwangne, C., Nouwt, S. (eds.) Reinventing Data Protection?, pp. 83–110. Springer, Dordrecht (2009). Scholar
  10. 10.
    Burkert, H.: Privacy-enhancing technologies: typology, critique, vision. In: Agre, P., Rotenberg, M. (eds.) Technology and Privacy: The New Landscape, pp. 126–143. MIT Press, Boston (1997)Google Scholar
  11. 11.
    Buyle, R., et al.: Streamlining governmental processes by putting citizens in control of their personal data. In: Chugunov, A., Khodachek, I., Misnikov, Y., Trutnev, D. (eds.) EGOSE. CCIS, vol. 1135, pp. 346–359. Springer, Cham (2020). Scholar
  12. 12.
    Bygrave, L.A.: Hardwiring privacy. In: Brownsword, R., Scotford, E., Yeung, K. (eds.) The Oxford Handbook of Law, Regulation, and Technology, pp. 754–775. Oxford University Press, Oxford (2017)Google Scholar
  13. 13.
    Bygrave, L.A.: Privacy-enhancing technologies: caught between a rock and a hard place. Priv. Law Policy Rep. 9, 135–137 (2002)Google Scholar
  14. 14.
    Bygrave, L.A.: Article 25 data protection by design and by default. In: Kuner, C., Bygrave, L.A., Dockyes, C. (eds.) The EU General Data Protection Regulation (GDPR): A Commentary, pp. 571–581. Oxford University Press, Oxford (2020)Google Scholar
  15. 15.
    Carolan, E.: The continuing problems with online consent under the EU’s emerging data protection principles. Comput. Law Secur. Rev. 32(3), 462–473 (2016)CrossRefGoogle Scholar
  16. 16.
    Cavoukian, A.: Privacy by design: the 7 foundational principles, August 2009 (2011).
  17. 17.
    Choi, H., Park, J., Jung, Y.: The role of privacy fatigue in online privacy behavior. Comput. Hum. Behav. 81, 42–51 (2018)CrossRefGoogle Scholar
  18. 18.
    Clifford, D., Graef, I., Valcke, P.: Pre-formulated declarations of data subject consent: citizen-consumer empowerment and the alignment of data, consumer and competition law protections. German Law J. 20(5), 679–721 (2019)CrossRefGoogle Scholar
  19. 19.
    Custers, B., Dechesne, F., Pieters, W., Schermer, B., van der Hof, S.: Consent and privacy. In: Müller, A., Schaber, P. (eds.) The Routledge Handbook of the Ethics of Consent, pp. 247–258. Routledge, London (2018)CrossRefGoogle Scholar
  20. 20.
    Custers, B.: Click here to consent forever: Expiry dates for informed consent. Big Data Soc. 3(1), 1–6 (2016)CrossRefGoogle Scholar
  21. 21.
    Danezis, G., et al.: Privacy and data protection by design - from policy to engineering, European Union Agency for network and information security, ENISA, 12 January 2015 (2014).
  22. 22.
    Datatilsynet: Advance notification of an administrative fine, 20/02136-5, 24 January 2021 (2021).
  23. 23.
    De Hert, P., Papakonstantinou, V.: The new general data protection regulation: still a sound system for the protection of individuals? Comput. Law Secur. Rev. 32(2), 179–194 (2016)CrossRefGoogle Scholar
  24. 24.
    De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L., Sanchez, I.: The right to data portability in the GDPR: towards user-centric interoperability of digital services. Comput. Law Secur. Rev. 34(2), 193–203 (2018)CrossRefGoogle Scholar
  25. 25.
    De Montjoye, Y.A., Shmueli, E., Wang, S.S., Pentland, A.S.: OpenPDS: protecting the privacy of metadata through safeanswers. PloS One 9(7), e98790 (2014)CrossRefGoogle Scholar
  26. 26.
    De Oliveira Rodrigues, C.M., de Freitas, F.L.G., Spósito Barreiros, E.F., de Azevedo, R.R., de Almeida Filho, A.T.: Legal ontologies over time: a systematic mapping study. Expert Syst. Appl. 130, 12–30 (2019)Google Scholar
  27. 27.
    Diker Vanberg, A.: The right to data portability in the GDPR: what lessons can be learned from the EU experience? J. Internet Law 21, 11–19 (2018)Google Scholar
  28. 28.
    Edenberg, E., Jones, M.L.: Analyzing the legal roots and moral core of digital consent. New Media Soc. 21, 1804–1823 (2019)CrossRefGoogle Scholar
  29. 29.
    Efroni, Z., Metzger, J., Mischau, L., Schirmbeck, M.: Privacy icons: a risk-based approach to visualisation of data processing. Eur. Data Protect. Law Rev. 5(3), 352–366 (2019)CrossRefGoogle Scholar
  30. 30.
    European Commission: Circular Economy Action Plan: For a cleaner and more competitive Europe (2020).
  31. 31.
    European Data Protection Board (EDPB): Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (2019).
  32. 32.
    European Union Agency for Fundamental Rights (FRA): Freedom to conduct a business: exploring the dimensions of a fundamental right (2015).
  33. 33.
    Garcia, K., Zihlmann, Z., Mayer, S., Tamo-Larrieux, A.: Towards privacy-friendly smart products. Manuscript submitted for publication (2021).
  34. 34.
    Graef, I.: The opportunities and limits of data portability for stimulating competition and innovation. Compet. Policy Int. - Antitrust Chronicle 2, 1–8 (2020).
  35. 35.
    Gray, C., Santos, C., Bielova, N., Toth, M., Clifford, D.: Dark patterns and the legal requirements of consent banners: an interaction criticism perspective. arXiv preprint arXiv:2009.10194 (2020)
  36. 36.
    Grinvald, L.C., Tur-Sinai, O.: Intellectual property law and the right to repair. Fordham Law Rev. 88(1), 64–128 (2019)Google Scholar
  37. 37.
    Gürses, S., Troncoso, C., Diaz, C.: Engineering privacy by design. In: Fourth Conference on Computers, Privacy and Data Protection, 25–27 January 2011 (2011).
  38. 38.
    Hartzog, W.: Privacy’s Blueprint the Battle to Control the Design of New Technologies. Harvard University Press, Cambridge (2018)CrossRefGoogle Scholar
  39. 39.
    Hern, A.: WhatsApp loses millions of users after terms update. The Guardian, 24 January 2021 (2021).
  40. 40.
    Hernandez, R., Miranda, C., Goñi, J.: Empowering sustainable consumption by giving back to consumers the ‘right to repair’. Sustainability 12(3), 850 (2020)CrossRefGoogle Scholar
  41. 41.
    Janal, R.: Data portability - a tale of two concepts. JIPITEC 8, 59–69 (2017)Google Scholar
  42. 42.
    Jasmontaite, L., Kamara, I., Zanfir-Fortuna, G., Leucci, S.: Data protection by design and by default: framing guiding principles into legal obligations in the GDPR. Eur. Data Protect. Law Rev. 4, 168–189 (2018)CrossRefGoogle Scholar
  43. 43.
    Johnston, S.F.: The technological fix as social cure-all: origins and implications. IEEE Technol. Soc. Mag. 37, 47–54 (2018)CrossRefGoogle Scholar
  44. 44.
    Kokolakis, S.: Privacy attitudes and privacy behaviour: a review of current research on the privacy paradox phenomenon. Comput. Secur. 64, 122–134 (2017)CrossRefGoogle Scholar
  45. 45.
    Koops, B.-J.: The trouble with european data protection law. Int. Data Priv. Law 4(4), 250–261 (2014)CrossRefGoogle Scholar
  46. 46.
    Koops, B.-J., Leenes, R.: Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law. Int. Rev. Law Comput. Technol. 28, 159–171 (2014)CrossRefGoogle Scholar
  47. 47.
    Kosta, E.: Consent in European Data Protection Law. Martinus Nijhoff Publishers, Leiden (2013)CrossRefGoogle Scholar
  48. 48.
    Kostova, B., Gürses, S., Troncoso, C.: Privacy engineering meets software engineering. On the challenges of engineering privacy by design. arXiv preprint arXiv:2007.08613 (2020).
  49. 49.
    Kotschy, W.: Article 6 lawfulness of processing. In: Kuner, C., Bygrave, L.A., Dockyes, C. (eds.) The EU General Data Protection Regulation (GDPR): A Commentary, pp. 321–344. Oxford University Press, Oxford (2020)Google Scholar
  50. 50.
    Lutz, C., Hoffmann, C.P., Ranzini, G.: Data capitalism and the user: an exploration of privacy cynicism in Germany. New Media Soc. 22(7), 1168–1187 (2020)CrossRefGoogle Scholar
  51. 51.
    Mathur, A., et al.: Dark patterns at scale. In: Proceedings of the ACM on Human-Computer Interaction, pp. 1–32. arXiv preprint arXiv:1907.07032 (2019)
  52. 52.
    McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. I/S J. Law Policy Inf. Soc. 4, 540–565 (2008)Google Scholar
  53. 53.
    Montello, S.: The right to repair and the corporate stranglehold over the consumer: profits over people. Tulane J. Technol. Intellect. Prop. 22, 165–184 (2020)Google Scholar
  54. 54.
    Morais Carvalho, J.: Sale of goods and supply of digital content and digital services – overview of directives 2019/770 and 2019/771. SSRN (2019).
  55. 55.
    Mourey, J.A., Waldman, A.E.: Past the privacy paradox: the importance of privacy changes as a function of control and complexity. J. Assoc. Consum. Res. 5(2), 162–180 (2020)CrossRefGoogle Scholar
  56. 56.
    Norberg, P.A., Horne, D.R., Horne, D.A.: The privacy paradox: personal information disclosure intentions versus behaviors. J. Consum. Affairs 41, 100–126 (2007)CrossRefGoogle Scholar
  57. 57.
    Norwegian Forbrukerrådet: Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy (2018).
  58. 58.
    Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, pp. 1–13. arXiv preprint arXiv:2001.02479 (2020)
  59. 59.
    Raynes-Goldie, K.: Aliases, creeping, and wall cleaning: understanding privacy in the age of Facebook. First Monday 15(1) (2010).
  60. 60.
    Reda, J., Selinger, J.: Article’s 17’s impact on freedom to conduct a business - part 2, Kluwer Copyright Blog, 21 January 2021 (2021).
  61. 61.
    Rosa-Aquino, P.: Fix, or toss? The ‘right to repair’ movement gains ground. New York Times, 23 October 2020 (2020).
  62. 62.
    Rubinstein, I., Good, N.: The trouble with Article 25 (and how to fix it): the future of data protection by design and default. Int. Data Priv. Law 10(1), 37–56 (2020)CrossRefGoogle Scholar
  63. 63.
    Šajn, N.: Consumers and repairs of products, Briefing of European Parliamentary Research Service (2019).
  64. 64.
    Sambra, A.V., et al.: Solid: a platform for decentralized social applications based on linked data. MIT CSAIL & Qatar Computing Research Institute, Techical report (2016).Google Scholar
  65. 65.
    Schartum, D.: Making privacy by design operative. Int. J. Law Inf. Technol. 24, 151–175 (2016)CrossRefGoogle Scholar
  66. 66.
    Schaub, F., Balebako, R., Durity, A., Cranor, L.: A Design space for effective privacy notices. In: Selinger, E., Polonetsky, J., Tene, O. (eds.) The Cambridge Handbook of Consumer Privacy, pp. 365–393. Cambridge University Press, Cambridge (2018)CrossRefGoogle Scholar
  67. 67.
    Schermer, B., Custers, B., van der Hof, S.: The crisis of consent: how stronger legal protection may lead to weaker consent in data protection. Ethics Inf. Technol. 16(2), 171–182 (2014). Scholar
  68. 68.
    Schiffner, S., et al.: Towards a roadmap for privacy technologies and the general data protection regulation: a transatlantic initiative. In: Medina, M., Mitrakas, A., Rannenberg, K., Schweighofer, E., Tsouroulas, N. (eds.) APF. LNCS, vol. 11079, pp. 24–42. Springer, Cham (2018). Scholar
  69. 69.
    Simonite, T.: Lawmakers take aim at insidious digital ‘dark patterns’. WIRED, 29 January 2021.
  70. 70.
    Solove, D.J.: Privacy self-management and the consent dilemma. Harv. Law Rev. 126, 1880–1903 (2013)Google Scholar
  71. 71.
    Solove, D.J.: The Myth of the Privacy Paradox. George Washington Law Rev. 89, 1–42 (2021)Google Scholar
  72. 72.
    Svensson, S., Richter, J.L., Maitre-Ekern, E., Pihlajarinne, T., Maigret, A., Dalhammer, C.: The emerging ‘right to repair’ legislation in the EU and the U.S. Paper presented at Going Green CARE Innovation (2018).
  73. 73.
    Tamò-Larrieux, A.: Designing for Privacy and Its Legal Framework: Data Protection by Design and Default for the Internet of Things. Springer, Cham (2018). Scholar
  74. 74.
    Tamò-Larrieux, A., Mayer, S., Zihlmann, Z.: Softcoding not hardcoding privacy. Workshop Paper Presented at the Digital Legal Talks (2020).
  75. 75.
    Teletrust and ENISA: IT Security Act (Germany) and EU General Data Protection Regulation: Guideline “state of the art” technical and organisational measures (2020).
  76. 76.
    The Royal Society: Protecting privacy in practice: the current use, development and limits of privacy enhancing technologies in data analysis. Technical report. The Royal Society (2019)Google Scholar
  77. 77.
    Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS 2019), pp. 973–990 (2019)Google Scholar
  78. 78.
    Vanberg, A., Ünver, M.: The right to data portability in the GDPR and EU competition law: odd couple or dynamic duo? Eur. J. Law Technol. 8(1), 1–22 (2017)Google Scholar
  79. 79.
    Van Hoboken, J.V.J.: Privacy disconnect. In: Human Rights in the Age of Platforms, pp. 255–284. The MIT Press, Cambridge (2019)Google Scholar
  80. 80.
    Veltri, G.A., Ivchenko, A.: The impact of different forms of cognitive scarcity on online privacy disclosure. Comput. Hum. Behav. 73, 238–246 (2017)CrossRefGoogle Scholar
  81. 81.
    Waldman, A.E.: Cognitive biases, dark patterns, and the ‘privacy paradox.’ Curr. Opin. Psychol. 31, 105–109 (2020)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2021

Authors and Affiliations

  1. 1.University of St. GallenSt. GallenSwitzerland
  2. 2.University of LucerneLucerneSwitzerland

Personalised recommendations