Skip to main content

The Right to Customization: Conceptualizing the Right to Repair for Informational Privacy

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12703)


Terms of use of a digital service are often framed in a binary way: Either one agrees to the service provider's data processing practices, and is granted access to the service, or one does not, and is denied the service. Many scholars have lamented these ‘take-it-or-leave-it’ situations, as this goes against the ideals of data protection law. To address this inadequacy, computer scientists and legal scholars have tried to come up with approaches to enable more privacy-friendly products and services. In this article, we call for a right to customize the processing of user data. Our arguments build upon technology-driven approaches as well as on the ideals of privacy by design and the now codified data protection by design and default norm within the General Data Protection Regulation. In addition, we draw upon the right to repair that is propagated to empower consumers and enable a more circular economy. We propose two technologically-oriented approaches, termed ‘variants’ and ‘alternatives’ that could enable the technical implementation of a right to customization. We posit that these approaches cannot be demanded without limitation, and that restrictions will depend on how reasonable a customization demand is.


  • Right to customization
  • Right to repair
  • Consent
  • GDPR
  • Informational privacy

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

  2. 2.

  3. 3.

  4. 4.

  5. 5.

  6. 6.

    E.g., the service in Switzerland.

  7. 7.

    E.g., European Parliament report on a longer lifetime for products ((2016/2272(INI)) <>; European Parliament resolution of 31 May 2018 on the implementation of the Ecodesign Directive (2009/125/EC) (2017/2087(INI)) <>; European Parliament, towards a more sustainable single market for business and consumers (2020/2021(INI)) <>.

  8. 8.

    European Commission, Communication from the Commission, The European Green Deal (COM/2019/640 final) <>.

  9. 9.

    Directive (EU) 2019/771 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the sale of goods, amending Regulation (EU) 2017/2394 and Directive 2009/22/EC, and repealing Directive 1999/44/EC (Text with EEA relevance) OJ L 136, 22.5.2019, p. 28–50.

  10. 10. (last access 29.01.2021).

  11. 11.

  12. 12.

  13. 13.

    Council of the European Union, Draft regulation concerning respect for private life and the protection of personal data in electronic communications and repealing directive 2002/58/EC (regulation on privacy and electronic communications) – Council mandate<>.


  1. Abadi, M., et al.: Deep learning with differential privacy. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 308–318. Association for Computing Machinery (2016)

    Google Scholar 

  2. Acquisti, A., Brandimarte, L., Loewenstein, G.: Privacy and human behavior in the age of information. Science 347(6221), 509–514 (2015)

    CrossRef  Google Scholar 

  3. Agrawal, N., Binns, R., Van Kleek, M., Laine, K., Shadbolt, N.: Exploring design and governance challenges in the development of privacy-preserving computation. arXiv preprint arXiv:2101.08048 (2021)

  4. Article 29 Working Party: WP29 Opinion 15/2011 on the definition of consent (WP 187) (2011).

  5. Berliner Beauftragte für Datenschutz und Informationsfreiheit: Berliner Datenschutzbeauftragte verhängt Bussgeld gegen Immobiliengesellschaft, 5 November 2019 (2019).

  6. Bietti, E.: Consent as a free pass: platform power and the limits of the informational turn. Pace Law Rev. 40, 307–397 (2020)

    Google Scholar 

  7. Bizer, C., Heath, T., Berners-Lee, T.: Linked data: the story so far. In: Semantic Services, Interoperability and Web Applications: Emerging Concepts, pp. 205–227. IGI global (2011)

    Google Scholar 

  8. Borgesius, F., Kruikemeier, S., Boerman, S., Helberger, N.: Tracking walls, take-it-or-leave-it choices, the GDPR, and the ePrivacy regulation. Eur. Data Protect. Law Rev. 3, 353–368 (2017)

    CrossRef  Google Scholar 

  9. Brownsword, R.: Consent in data protection law: privacy, fair processing and confidentiality. In: Gutwirth, S., Poullet, Y., de Hert, P., de Terwangne, C., Nouwt, S. (eds.) Reinventing Data Protection?, pp. 83–110. Springer, Dordrecht (2009).

    CrossRef  Google Scholar 

  10. Burkert, H.: Privacy-enhancing technologies: typology, critique, vision. In: Agre, P., Rotenberg, M. (eds.) Technology and Privacy: The New Landscape, pp. 126–143. MIT Press, Boston (1997)

    Google Scholar 

  11. Buyle, R., et al.: Streamlining governmental processes by putting citizens in control of their personal data. In: Chugunov, A., Khodachek, I., Misnikov, Y., Trutnev, D. (eds.) EGOSE. CCIS, vol. 1135, pp. 346–359. Springer, Cham (2020).

    CrossRef  Google Scholar 

  12. Bygrave, L.A.: Hardwiring privacy. In: Brownsword, R., Scotford, E., Yeung, K. (eds.) The Oxford Handbook of Law, Regulation, and Technology, pp. 754–775. Oxford University Press, Oxford (2017)

    Google Scholar 

  13. Bygrave, L.A.: Privacy-enhancing technologies: caught between a rock and a hard place. Priv. Law Policy Rep. 9, 135–137 (2002)

    Google Scholar 

  14. Bygrave, L.A.: Article 25 data protection by design and by default. In: Kuner, C., Bygrave, L.A., Dockyes, C. (eds.) The EU General Data Protection Regulation (GDPR): A Commentary, pp. 571–581. Oxford University Press, Oxford (2020)

    Google Scholar 

  15. Carolan, E.: The continuing problems with online consent under the EU’s emerging data protection principles. Comput. Law Secur. Rev. 32(3), 462–473 (2016)

    CrossRef  Google Scholar 

  16. Cavoukian, A.: Privacy by design: the 7 foundational principles, August 2009 (2011).

  17. Choi, H., Park, J., Jung, Y.: The role of privacy fatigue in online privacy behavior. Comput. Hum. Behav. 81, 42–51 (2018)

    CrossRef  Google Scholar 

  18. Clifford, D., Graef, I., Valcke, P.: Pre-formulated declarations of data subject consent: citizen-consumer empowerment and the alignment of data, consumer and competition law protections. German Law J. 20(5), 679–721 (2019)

    CrossRef  Google Scholar 

  19. Custers, B., Dechesne, F., Pieters, W., Schermer, B., van der Hof, S.: Consent and privacy. In: Müller, A., Schaber, P. (eds.) The Routledge Handbook of the Ethics of Consent, pp. 247–258. Routledge, London (2018)

    CrossRef  Google Scholar 

  20. Custers, B.: Click here to consent forever: Expiry dates for informed consent. Big Data Soc. 3(1), 1–6 (2016)

    CrossRef  Google Scholar 

  21. Danezis, G., et al.: Privacy and data protection by design - from policy to engineering, European Union Agency for network and information security, ENISA, 12 January 2015 (2014).

  22. Datatilsynet: Advance notification of an administrative fine, 20/02136-5, 24 January 2021 (2021).

  23. De Hert, P., Papakonstantinou, V.: The new general data protection regulation: still a sound system for the protection of individuals? Comput. Law Secur. Rev. 32(2), 179–194 (2016)

    CrossRef  Google Scholar 

  24. De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L., Sanchez, I.: The right to data portability in the GDPR: towards user-centric interoperability of digital services. Comput. Law Secur. Rev. 34(2), 193–203 (2018)

    CrossRef  Google Scholar 

  25. De Montjoye, Y.A., Shmueli, E., Wang, S.S., Pentland, A.S.: OpenPDS: protecting the privacy of metadata through safeanswers. PloS One 9(7), e98790 (2014)

    CrossRef  Google Scholar 

  26. De Oliveira Rodrigues, C.M., de Freitas, F.L.G., Spósito Barreiros, E.F., de Azevedo, R.R., de Almeida Filho, A.T.: Legal ontologies over time: a systematic mapping study. Expert Syst. Appl. 130, 12–30 (2019)

    Google Scholar 

  27. Diker Vanberg, A.: The right to data portability in the GDPR: what lessons can be learned from the EU experience? J. Internet Law 21, 11–19 (2018)

    Google Scholar 

  28. Edenberg, E., Jones, M.L.: Analyzing the legal roots and moral core of digital consent. New Media Soc. 21, 1804–1823 (2019)

    CrossRef  Google Scholar 

  29. Efroni, Z., Metzger, J., Mischau, L., Schirmbeck, M.: Privacy icons: a risk-based approach to visualisation of data processing. Eur. Data Protect. Law Rev. 5(3), 352–366 (2019)

    CrossRef  Google Scholar 

  30. European Commission: Circular Economy Action Plan: For a cleaner and more competitive Europe (2020).

  31. European Data Protection Board (EDPB): Guidelines 4/2019 on Article 25 Data Protection by Design and by Default (2019).

  32. European Union Agency for Fundamental Rights (FRA): Freedom to conduct a business: exploring the dimensions of a fundamental right (2015).

  33. Garcia, K., Zihlmann, Z., Mayer, S., Tamo-Larrieux, A.: Towards privacy-friendly smart products. Manuscript submitted for publication (2021).

  34. Graef, I.: The opportunities and limits of data portability for stimulating competition and innovation. Compet. Policy Int. - Antitrust Chronicle 2, 1–8 (2020).

  35. Gray, C., Santos, C., Bielova, N., Toth, M., Clifford, D.: Dark patterns and the legal requirements of consent banners: an interaction criticism perspective. arXiv preprint arXiv:2009.10194 (2020)

  36. Grinvald, L.C., Tur-Sinai, O.: Intellectual property law and the right to repair. Fordham Law Rev. 88(1), 64–128 (2019)

    Google Scholar 

  37. Gürses, S., Troncoso, C., Diaz, C.: Engineering privacy by design. In: Fourth Conference on Computers, Privacy and Data Protection, 25–27 January 2011 (2011).

  38. Hartzog, W.: Privacy’s Blueprint the Battle to Control the Design of New Technologies. Harvard University Press, Cambridge (2018)

    CrossRef  Google Scholar 

  39. Hern, A.: WhatsApp loses millions of users after terms update. The Guardian, 24 January 2021 (2021).

  40. Hernandez, R., Miranda, C., Goñi, J.: Empowering sustainable consumption by giving back to consumers the ‘right to repair’. Sustainability 12(3), 850 (2020)

    CrossRef  Google Scholar 

  41. Janal, R.: Data portability - a tale of two concepts. JIPITEC 8, 59–69 (2017)

    Google Scholar 

  42. Jasmontaite, L., Kamara, I., Zanfir-Fortuna, G., Leucci, S.: Data protection by design and by default: framing guiding principles into legal obligations in the GDPR. Eur. Data Protect. Law Rev. 4, 168–189 (2018)

    CrossRef  Google Scholar 

  43. Johnston, S.F.: The technological fix as social cure-all: origins and implications. IEEE Technol. Soc. Mag. 37, 47–54 (2018)

    CrossRef  Google Scholar 

  44. Kokolakis, S.: Privacy attitudes and privacy behaviour: a review of current research on the privacy paradox phenomenon. Comput. Secur. 64, 122–134 (2017)

    CrossRef  Google Scholar 

  45. Koops, B.-J.: The trouble with european data protection law. Int. Data Priv. Law 4(4), 250–261 (2014)

    CrossRef  Google Scholar 

  46. Koops, B.-J., Leenes, R.: Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law. Int. Rev. Law Comput. Technol. 28, 159–171 (2014)

    CrossRef  Google Scholar 

  47. Kosta, E.: Consent in European Data Protection Law. Martinus Nijhoff Publishers, Leiden (2013)

    CrossRef  Google Scholar 

  48. Kostova, B., Gürses, S., Troncoso, C.: Privacy engineering meets software engineering. On the challenges of engineering privacy by design. arXiv preprint arXiv:2007.08613 (2020).

  49. Kotschy, W.: Article 6 lawfulness of processing. In: Kuner, C., Bygrave, L.A., Dockyes, C. (eds.) The EU General Data Protection Regulation (GDPR): A Commentary, pp. 321–344. Oxford University Press, Oxford (2020)

    Google Scholar 

  50. Lutz, C., Hoffmann, C.P., Ranzini, G.: Data capitalism and the user: an exploration of privacy cynicism in Germany. New Media Soc. 22(7), 1168–1187 (2020)

    CrossRef  Google Scholar 

  51. Mathur, A., et al.: Dark patterns at scale. In: Proceedings of the ACM on Human-Computer Interaction, pp. 1–32. arXiv preprint arXiv:1907.07032 (2019)

  52. McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. I/S J. Law Policy Inf. Soc. 4, 540–565 (2008)

    Google Scholar 

  53. Montello, S.: The right to repair and the corporate stranglehold over the consumer: profits over people. Tulane J. Technol. Intellect. Prop. 22, 165–184 (2020)

    Google Scholar 

  54. Morais Carvalho, J.: Sale of goods and supply of digital content and digital services – overview of directives 2019/770 and 2019/771. SSRN (2019).

  55. Mourey, J.A., Waldman, A.E.: Past the privacy paradox: the importance of privacy changes as a function of control and complexity. J. Assoc. Consum. Res. 5(2), 162–180 (2020)

    CrossRef  Google Scholar 

  56. Norberg, P.A., Horne, D.R., Horne, D.A.: The privacy paradox: personal information disclosure intentions versus behaviors. J. Consum. Affairs 41, 100–126 (2007)

    CrossRef  Google Scholar 

  57. Norwegian Forbrukerrådet: Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy (2018).

  58. Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, pp. 1–13. arXiv preprint arXiv:2001.02479 (2020)

  59. Raynes-Goldie, K.: Aliases, creeping, and wall cleaning: understanding privacy in the age of Facebook. First Monday 15(1) (2010).

  60. Reda, J., Selinger, J.: Article’s 17’s impact on freedom to conduct a business - part 2, Kluwer Copyright Blog, 21 January 2021 (2021).

  61. Rosa-Aquino, P.: Fix, or toss? The ‘right to repair’ movement gains ground. New York Times, 23 October 2020 (2020).

  62. Rubinstein, I., Good, N.: The trouble with Article 25 (and how to fix it): the future of data protection by design and default. Int. Data Priv. Law 10(1), 37–56 (2020)

    CrossRef  Google Scholar 

  63. Šajn, N.: Consumers and repairs of products, Briefing of European Parliamentary Research Service (2019).

  64. Sambra, A.V., et al.: Solid: a platform for decentralized social applications based on linked data. MIT CSAIL & Qatar Computing Research Institute, Techical report (2016).

    Google Scholar 

  65. Schartum, D.: Making privacy by design operative. Int. J. Law Inf. Technol. 24, 151–175 (2016)

    CrossRef  Google Scholar 

  66. Schaub, F., Balebako, R., Durity, A., Cranor, L.: A Design space for effective privacy notices. In: Selinger, E., Polonetsky, J., Tene, O. (eds.) The Cambridge Handbook of Consumer Privacy, pp. 365–393. Cambridge University Press, Cambridge (2018)

    CrossRef  Google Scholar 

  67. Schermer, B., Custers, B., van der Hof, S.: The crisis of consent: how stronger legal protection may lead to weaker consent in data protection. Ethics Inf. Technol. 16(2), 171–182 (2014).

    CrossRef  Google Scholar 

  68. Schiffner, S., et al.: Towards a roadmap for privacy technologies and the general data protection regulation: a transatlantic initiative. In: Medina, M., Mitrakas, A., Rannenberg, K., Schweighofer, E., Tsouroulas, N. (eds.) APF. LNCS, vol. 11079, pp. 24–42. Springer, Cham (2018).

    CrossRef  Google Scholar 

  69. Simonite, T.: Lawmakers take aim at insidious digital ‘dark patterns’. WIRED, 29 January 2021.

  70. Solove, D.J.: Privacy self-management and the consent dilemma. Harv. Law Rev. 126, 1880–1903 (2013)

    Google Scholar 

  71. Solove, D.J.: The Myth of the Privacy Paradox. George Washington Law Rev. 89, 1–42 (2021)

    Google Scholar 

  72. Svensson, S., Richter, J.L., Maitre-Ekern, E., Pihlajarinne, T., Maigret, A., Dalhammer, C.: The emerging ‘right to repair’ legislation in the EU and the U.S. Paper presented at Going Green CARE Innovation (2018).

  73. Tamò-Larrieux, A.: Designing for Privacy and Its Legal Framework: Data Protection by Design and Default for the Internet of Things. Springer, Cham (2018).

    CrossRef  Google Scholar 

  74. Tamò-Larrieux, A., Mayer, S., Zihlmann, Z.: Softcoding not hardcoding privacy. Workshop Paper Presented at the Digital Legal Talks (2020).

  75. Teletrust and ENISA: IT Security Act (Germany) and EU General Data Protection Regulation: Guideline “state of the art” technical and organisational measures (2020).

  76. The Royal Society: Protecting privacy in practice: the current use, development and limits of privacy enhancing technologies in data analysis. Technical report. The Royal Society (2019)

    Google Scholar 

  77. Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS 2019), pp. 973–990 (2019)

    Google Scholar 

  78. Vanberg, A., Ünver, M.: The right to data portability in the GDPR and EU competition law: odd couple or dynamic duo? Eur. J. Law Technol. 8(1), 1–22 (2017)

    Google Scholar 

  79. Van Hoboken, J.V.J.: Privacy disconnect. In: Human Rights in the Age of Platforms, pp. 255–284. The MIT Press, Cambridge (2019)

    Google Scholar 

  80. Veltri, G.A., Ivchenko, A.: The impact of different forms of cognitive scarcity on online privacy disclosure. Comput. Hum. Behav. 73, 238–246 (2017)

    CrossRef  Google Scholar 

  81. Waldman, A.E.: Cognitive biases, dark patterns, and the ‘privacy paradox.’ Curr. Opin. Psychol. 31, 105–109 (2020)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Aurelia Tamò-Larrieux .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Tamò-Larrieux, A., Zihlmann, Z., Garcia, K., Mayer, S. (2021). The Right to Customization: Conceptualizing the Right to Repair for Informational Privacy. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-76662-7

  • Online ISBN: 978-3-030-76663-4

  • eBook Packages: Computer ScienceComputer Science (R0)