European Privacy by Design
Three competing forces are shaping the concept of European Privacy by Design (PbD): laws and regulations, business goals, and architecture designs. These forces carry their own influence in terms of ethics, economics, and technology. In this research we set out to understand the concept of European PbD. We examined its nature, application, and enforcement. We concluded that European PbD is under-researched in two respects: at the organizational level (compared to the individual level), and mainly in the way it is enforced by authorities. We had high hopes especially with regard to the latter, and were eager to make a significant scientific contribution to this field. We were interested to learn whether data protection authorities, in looking at European PbD, are having the kind of impact that can pioneer new approaches to privacy preservation. This is why we elaborated on possible ways to measure their activity, in a manner that both legal and non-legal experts can understand. We promised a response to the research question: can the enforcement of European PbD be measured and, if yes, what are possible ways to do so? We conducted data analytics on quantitative and qualitative data to answer this question as well as possible.

Our response is a moderate yes: the enforcement of PbD can be measured. At this point, however, we need to settle for good-enough ways of measuring rather than delve into choosing the optimal or best ways. One reason for this is that PbD enforcement cases are highly customized and specific to their own circumstances. We showed this while creating models to predict the amount of administrative fines for infringement of the GDPR. Clustering these cases was a daunting task. The second reason for not delivering what could be the best way of measuring is the lack of data availability in Europe. This problem has its roots in the philosophical stance that the European legislator takes on data collection within the EU. Lawmakers in Europe certainly dislike programs that collect gigantic amounts of personal data from EU citizens. The third reason is the inconsistency between the data protection authorities' practices, which is due to the different levels of competencies, reporting structures, personnel numbers, and experience in the work of data protection authorities.

Looking beyond the above limitations, there are certainly ways to measure the enforcement of European PbD. Our measurements helped us formulate the following statements:

a. European PbD operates in 'data saver' mode: we argue that, analogous to the data saving mode on mobile phones, where most applications and services get background data only via a Wi-Fi connection, data collection and data processing in Europe are kept to a minimum. Therefore, we argue that European PbD is in essence about data minimization. Our conviction that this concept is more oriented towards data security has been partially refuted.

b. European PbD is platform independent: we elaborated in the thesis on various infrastructures and convergent technologies that found compatibility with the PbD principles. We consider that the concept is indeed evolutionary and technology-neutral.

c. European PbD is a tool obligation: we argue that the authorities are looking at PbD as a tool utilization obligation. In simple language, companies should first perform a privacy impact assessment to find out which tools support their data processing activities and then implement these, as mandated PbD.

d. European PbD is highly territorial: we reached the conclusion that enforcement of PbD is highly dependent on geographical indicators (i.e. countries and counties). Different levels of privacy protection culture are still present in Europe. On a particular level, what is commonly true across all countries is that European PbD mandates strong EU data sovereignty.

