Comments on EDPB Guidelines 4/2019

Linked here are our full comments on the European Data Protection Board’s Guidelines 4/2019 on Article 25 Data Protection by Design and by Default.

Submitted by Prof. Derek McAuley, Dr. Ansgar Koene and Dr. Jiahong Chen of Horizon Digital Economy Research Institute, University of Nottingham

16 January 2020

Summary: Overall, the EDPB’s adoption of the Guidelines represents a helpful step forward in promoting ethical and privacy-friendly design and default approaches, and the current version has largely covered the right issues with an appropriate level of detail and useful examples. To sum up the specific comments outlined above, we provide three recommendations as to how the Guidelines can be improved in the final version:

  • Throughout the Guidelines, make a stronger case for technology providers to fully align with the DPbDD requirements as imposed on data controllers, and provide further examples on how this can be achieved;

  • In Section (“Elements to be taken into account”), specify certain PET approaches with examples that are already available and easy to implement for data controllers to show better compliance with data protection principles;

  • In Section (“Implementing data protection principles […]”, in particular the “Transparency” and “Lawfulness” sub-sections), further clarify that data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
Written on January 16, 2020