Data protection standardisation: The role and limits of technical standards in the EU data protection law

Research output: ThesisDoctoral Thesis


Data Protection Standardisation. The role and limits of technical standards in the European Union
data protection law


In response to challenges to effective protection of the individual and loss of control over one’s personal data, the dissertation assesses whether standards offer a solution to the problems data protection legislation is facing, and the extent to which standards provide answers to those problems. The dissertation in other words explores and analyses to what extent standards may have a role in protecting the individual’s fundamental right to personal data protection by supplementing the Union data protection legislation.

Standards perform a pre-law function of informing the legislative reform of the Privacy in Electronic Communications (ePrivacy) Directive 2002/58/EC (amended by 2009/136/EC), and several post-law functions in the General Data Protection Regulation EU/679/2016, the ePrivacy Directive, and the 2017 ePrivacy Regulation Commission Proposal. The post-law functions of standards in support of the EU data protection law are grouped into standards that provide rules for the implementation of the regulation (‘meta-rules function’), standards that concern the data controllers, processors (‘regulatees function’) and standards for data subjects (‘beneficiaries function’). In terms of standards for regulatees, standardisation can play the role of calibrating and specifying technical and organisational measures so that those measures are appropriate to the risks likely to occur from data processing operations, and the characteristics and conditions of processing. This aspect of standardisation in data protection law is closely linked to the risk based approach, introduced in the GDPR alongside the introduction of the accountability principle. In relation to beneficiaries, standards may provide the (technical) means to data subjects to have their wishes and preferences heard such expressing their preference on tracking. One limitation of this function concerns the voluntary nature of standards. Unless standards are vested with technical or legal enforceability, the function of data protection standards as an empowerment instrument cannot materialise, since data subjects are dependent on the choices of controllers and processors to voluntarily adhere to standards and respect their choices. The role of standards would be then limited to communication of the preferences of data subjects, without any guarantee that those will be respected. Next, standards as meta-rules in data protection law may play a role in decreasing fragmentation and enhancing coordination among different regimes or rules. The use of standards for implementing data protection certification mechanisms in the GDPR provided one such example. In general, seals and marks that are not easily recognisable for data subjects defeat their transparency purpose. Thus, a degree of uniformity is important for the effectiveness of the data protection certification mechanisms. Those standards are intended to prescribe to both private regulators (i.e. certification bodies) and public regulators (supervisory authorities and Member States) common requirements and implementation rules. The identified functions are of facilitating or enabling nature, depending on the necessity of standardisation for the materialisation of the goal of the relevant legal provision. Standards, as facilitators, are a useful, but not necessary, tool to achieve a goal laid down in data protection law. The enabling nature concerns usually aspects of duties or compliance measures with a strong technical component, such as pseudonymisation and encryption of personal data.

Several limitations of the role of standards concern the material scope of standards and the data protection legislation. The difference in the scope and regulatory target of standards and data protection, as those are framed by the definitions of their constitutive elements (product, system, etc.) essentially means that, from a data protection point of view, standards may regulate peripheral components of a processing operation. Further limitations stem from procedural legitimacy issues, the risk of conferral of public powers to standardisation bodies, especially due to the possibility of standards becoming de facto mandatory, and the overall decisional power of standardisation bodies as regards the content of international and European (harmonised) standards. The decisional power varies depending on the development mode of standards (committee-based, co-development, etc.), the integration mechanism in the EU legal order and the type of the data protection act.
Original languageEnglish
QualificationJoint degree
Awarding Institution
  • TILT
  • Vrije Universiteit Brussel – LSTS
  • Kosta, Eleni, Promotor
  • Stuurman, Kees, Promotor
  • de Hert, Paul, Promotor
Award date21 Jun 2021
Publication statusPublished - 21 Jun 2021


Dive into the research topics of 'Data protection standardisation: The role and limits of technical standards in the EU data protection law'. Together they form a unique fingerprint.

Cite this