Article 19 – Data protection by design and by default
|1. Member States shall provide that, having regard to the state of the art and the cost of implementation, the controller shall implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject.2. The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed.|
EDRi’s proposed amendment
|1. Member States shall provide that, having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate
(a) technical measures relating to the technical design and architecture of the product or service; and
Where a controller has carried out a data protection impact assessment in accordance with the provisions adopted pursuant to Article 29a of this Directive.
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. This shall be ensured using technical and/or organisational measures, as appropriate. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
This provision is the counterpart to Article 23 of the General Data Protection Regulation. However, the Commission’s wording here is significantly weaker than in the proposed Regulation. The proposed amendments brings this Article in line with its counterpart and the Regulation and EDRi’s suggested amendments to it (except the stipulation that these measures must ensure that data subjects can control their own data, as this does not translate well to the law enforcement context).