Send message to Authors

Short abstract:

The use of PETs is critical to preserve data subjects’ privacy when processing and sharing data. At the same time, it can make the exercise of data subjects’ rights difficult. There is thus a paradox as more privacy through technical means can lead to less control of data subjects on their data.

Long abstract:

The exercise of data subjects’ rights, as provided for in Article 15 to 20 of the GDPR has been a cornerstone for data protection law as it established a right to informational self-determination, in line with the fundamental right to privacy. Another great achievement of the GDPR was to promote privacy by design and default as well as data security from a technical perspective. The GDPR thus sets a coherent series of obligations since it not only empowers data subjects with regard to the control of their data but it also encourages the technical protection of data. From this background, the use of Privacy Enhancing Technologies is critical to preserve data subjects’ privacy when collecting, storing or sharing data. At the same time, the use of such technologies can make the exercise of data subjects’ rights complex by making the identification of requesting data subjects harder. This results in a paradoxical situation where enhancing privacy through the use of PETs can undermine privacy by preventing data subjects from exercising the rights they hold on their data. These technical measures might even be implemented on purpose by data controllers to circumvent the application of the GDPR. This contribution aims to explore this paradox and see how EU data protection authorities as well as Member States’ courts have dealt with such a paradox so far.