Co-regulation in EU personal data protection: the case of technical standards and the privacy by design standardisation 'mandate'


  • Irene Kamara Tilburg University


The recently adopted General Data Protection Regulation (GDPR), a technology-neutral law, endorses self-regulatory instruments, such as certification and technical standards. Even before the adoption of the General Data Protection Regulation, standardisation activity in the field of privacy management and data security had emerged. In 2015, the European Commission issued the first standardisation request to the European Standardisation Organisations to develop privacy management standards based on art. 8 of the EU Charter of Fundamental Rights. There is a rising shift from command-and-control regulation to the inclusion of co-regulation tools in the EU data protection legislation. The aim of this article is to provide insights on the role of standardisation as a form of co-regulation in the data protection context. 

Keywords: technical standards; Internet of Things; personal data protection; co-regulation; self-regulation; privacy by design; technology neutrality