Data Protection Authorities (DPAs) across the EU have been strictly enforcing the GDPR’s Article 25 rules on Data Protection by Design & by Default (DPbD&bD), with orders and penalties in most EU countries. On the other hand, organizations across the EU are increasingly relying on technical measures to protect their stakeholders’ personal data. This panel will explore DPbD&bD enforcement precedents, as well as their relationship with data integrity and confidentiality principles as they relate to the adoption of Privacy-Enhancing Technologies (PETs). Corrective actions from regulators may illustrate scenarios in which implementing specific PETs is appropriate to comply with GDPR requirements. However, further clarity may be needed in the form of explicit guidance from the European Data Protection Board (EDPB) and alignment with policymakers and watchdogs in other jurisdictions.
• How are DPAs applying Article 25 GDPR when it comes to the adoption of technical measures by data controllers and processors?
• What are the most mentioned PETs in DPAs’ enforcement record?
• Are there under-explored technical solutions in corrective actions in Europe?
• Could clear guidance from EU regulators generate confidence for wide-ranging adoption of PETs in different countries, sectors and settings?
