Amsterdam Privacy Conference 2015

    Activiteit: Academic presentationAcademic


    Legal perspectives on the difficult relationship between the concept of Privacy by Design and the principle of purpose limitation at European level. Abstract: Since the 1990s, the concept of Privacy by Design has become very popular among privacy experts and policy makers. The idea behind the concept is to implement privacy and data protection principles into the design of products and services, i.e. from their conception. From its origin until now, the concept has taken different forms and has had different meanings. Criticized for not being ‘practical’ or ‘implementable’, several computer scientists have proposed engineering versions of the concept. In Europe, the concept has gained ground in the past years. It has been officially introduced in the proposal for the General Data Protection Regulation, which should replace the current Data Protection Directive. But despite all the existing literature and initiatives on the issue, the scope and exact definition of the concept are still missing. From a legal point of view, the article will argue that if Privacy by Design - whatever its name, form or meaning - is necessary, it cannot take into account all data protection principles. It will demonstrate in particular that the principle of purpose limitation is hard to implement into the design of products or services. This lies in the nature of the principle, which requires a case-by-case analysis to determine the cases in which the re-use of personal data might be compatible with the original purpose of collection. The article will build on the guidance and factors of assessment provided by the Article 29 Working Party in Opinion 03/2013 on purpose limitation. The article will raise the issue of personal data originally collected by public authorities and re-used by law enforcement authorities. It will illustrate the issue with the case of a biometric sensor developed for border controls but which could also be used for law enforcement activities. The article will introduce a distinction between the design of products and services on one side and the use of the products and services on the other side. Designing a product or a service in a data protection compliant way does not guarantee that its use will automatically comply with the data protection rules. Moreover, Privacy by Design imposes obligations on producers and manufacturers, whereas the principle of purpose limitation imposes obligations on data controllers.
    EvenementstitelAmsterdam Privacy Conference 2015
    LocatieAmsterdam, NetherlandsToon op kaart