TY - JOUR
T1 - Still losing the race with technology? Understanding the scope of data controllers’ responsibility to implement data protection by design and by default
AU - Kalsi, Monique
N1 - Publisher Copyright:
© 2024 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group.
PY - 2024
Y1 - 2024
AB - Privacy by Design (PbD) is crucial for fundamental privacy protection. However, PbD remains a voluntary initiative without any means to ensure its effective implementation. Article 25 GDPR codifies PbD as a legal obligation requiring technologies processing personal data to follow Data Protection by Design and by Default (DPbDD). However, Article 25 is only binding on controllers which limits its scope. For instance, the design of technologies may not coincide with the entry of the controller into the digital value chain. This implies that the burden of implementing DPbDD lies on the users of technology and not on its designers, questioning the true extent of protection by design if stages like product development and innovation are excluded. This paper explores the legislative motivation behind the personal scope of Article 25. A holistic interpretation of Article 25 in light of other provisions of the GDPR shows a possibility, albeit not direct, to influence the design phase of technologies. However, it remains unclear whether this possibility ensures a co-division of responsibility. To address this, we propose examining corporate supply chain due diligence, specifically the due diligence obligations of mother companies for actions of their subsidiaries and business relationships.
KW - Data protection by design and by default (DPbDD)
KW - privacy by design (PbD)
KW - responsibility of data controllers
UR - https://www.scopus.com/pages/publications/85188623506
U2 - 10.1080/13600869.2024.2324546
DO - 10.1080/13600869.2024.2324546
M3 - Article
AN - SCOPUS:85188623506
SN - 1360-0869
VL - 38
SP - 346
EP - 368
JO - International Review of Law, Computers and Technology
JF - International Review of Law, Computers and Technology
IS - 3
ER -