Data Protection by Design: An analysis of art. 25 (1) in the General Data Protection Regulation

Daniel Kim Rasmussen & Eydun Trúgvason

Student thesis: Master thesis


In the context of the rapid evolution of the digital world, the EU has developed the General Data Protection Regulation (GDPR) to replace the current Data Protection Directive. The overall aim of this thesis is to examine the economic efficiency of the introduction of the Data Protection by Design provision in Article 25 (1). The analysis starts by investigating the substantive content of the notion of Data Protection by Design. According to the report of the Danish Ministry of Justice, the notion is not new, since it is already covered by Article 17 of the current directive. Although this might be the case, others claim that this new explicit provision will be broader, as it will no longer include only security measures, as was the case with Article 17. Based on the analysis, it can be concluded that the provision covers more than security measures, especially when it is interpreted in accordance with Ann Cavoukian's term. The provision therefore entails a change in relation to applicable law. Next, the economic analysis investigates whether the principle of Data Protection by Design has an economic value for companies. It is concluded that some companies may implement the principle on their own initiative, since it gives them a competitive advantage. However, due to the lack of demand for data protection and the high value of personal data, most companies will not have incentives to introduce the principle. This low demand for data protection may be due to market failures, which can justify regulation from an economic viewpoint. Finally, the economic efficiency of the provision is investigated. The efficiency of the provision depends in part on whether the market failures are effectively corrected, which requires two conditions. Firstly, it is crucial that the legislator has chosen the optimal data protection level, which corresponds to what rational individuals with complete information would have demanded. Secondly, there must be effective enforcement so that the data controller complies with the provision. However, the efficiency of the provision also depends on whether it is efficient in relation to the purpose of the legislation, and on what other effects it has on companies and thus society. The analysis concludes that although the provision presumably corrects the market failures in part, it is still not considered to be efficient, since it is deemed to retard innovation and thus inhibit economic growth, which is one of the overall purposes of the EU.

Educations: MSc in Commercial Law, (Graduate Programme) Final Thesis
Publication date: 2018
Number of pages: 125