Data protection by design: from abstract principles to implementation
PhD ceremony: E. Koulierakis
When: December 12, 2024
Start: 09:00
Supervisor: G.P. (Jeanne) Mifsud Bonnici, Prof
Co-supervisor: J. (Jonida) Milaj-Weishaar, PhD
Where: Academy building RUG
Faculty: Law
Short Summary
This monograph explores the obligation of data protection by design, which is introduced in article 25 GDPR. The provision requires that data controllers implement technical and organisational measures in order to inscribe the data protection principles into the design of digital applications. The monograph starts by exploring how the abstract principles of data protection law can become part of digital architecture. Subsequently, the monograph analyses the requirements of article 25 GDPR in order to answer the question of how data controllers can implement this abstract obligation. It is found that the law uses very open-ended formulations, which create uncertainty. This uncertainty is also present with respect to the use of anonymisation techniques as a means of compliance by design.
To address the legal uncertainty, the monograph delves into officially approved Codes of Conduct and certification requirements in the field of data protection law. It finds that these soft law texts offer very detailed guidance about compliance with the obligation of data protection by design. It is also argued that data controllers who used the officially approved Codes of Conduct and certification criteria as guidance for compliance by design can, under certain conditions, be protected according to the EU law principle of legitimate expectations.
Lastly, the monograph explores Knowledge Graphs as technical tools that contribute towards the embedding of data protection rules into the design of technology. That is because Knowledge Graphs constructed with the use of Semantic Web technologies can be tools for expressing data protection rules in a machine-readable format. Thus, Knowledge Graphs can facilitate compliance with the obligation of data protection by design. The illustrative example of Knowledge Graphs shows that the same technical standards can themselves be sources of risk as well as solutions for the protection of the data subjects’ rights.