Data Protection by Design: Promises and Perils in Crossing the Rubicon Between Law and Engineering

This article reports some main findings from a study of recent efforts towards building privacy and other fundamental rights and freedoms into smart ICT systems. It mainly focuses on the concept of 'Data Protection by Design and by Default' (DPbD), recently introduced by EU legislation, and as implemented through the new field of privacy engineering. We describe the new constellations of actors that gather around this legislative and engineering initiative as an emerging 'techno-epistemic network'. The article presents the empirical findings of a broad consultation with people involved in the making of this network, including policy makers, regulators, entrepreneurs, ICT developers, civil rights associations, and legal practitioners. Based on the findings from our consultations, we outline how DPbD is subject to differing, sometimes also conflicting or contradictory, expectations and requirements. We identify these as three main points of friction involved in the making of data protection by design: organisations versus autonomous data subjects; law versus engineering, and local versus global in the making of standards and infrastructures.