Presented at BILETA 2016, University of Hertfordshire, where it won the Google Award for Best Postgraduate Paper. It was later published as Opening the Black Box: Petri Nets and Privacy by Design.
Abstract
With the text of the European Data Protection Regulation now agreed, the requirement for “data protection by design” is soon to be a reality.[1] But there is still uncertainty around what the term “by design” means. Data controllers are concerned about the term’s interpretation, and about how a practical implementation of a system with “privacy by design” should function. The situation is complicated further because the state-of-the-art already provides an array of post hoc measures for protecting privacy, and it is not clear whether and to what extent (if any) these overlap with the aims of privacy by design. Arguably they are insufficient in terms of protecting users’ rights, promoting innovative uses of personal data, and achieving the longer-term changes in privacy practice envisaged by European legislators and the originators of the privacy by design notion.[2] Notwithstanding such difficulties, or perhaps deliberately to encourage creative solutions, European institutions appear to want to avoid issuing top-down ordinances on the matter.[3]
One way to interpret the term “by design” is to focus not on the product or service per se, but on the software design environment in which it is created. Shifting the point of regulatory influence to the earliest possible stage in the product lifecycle enables us to aim for designs which are compliant from the outset, thus reducing wasted forays into regulatorily troublesome areas, the expense of post hoc regulatory enforcement, and of course the likelihood of users’ rights being undermined – mistakenly or otherwise – by the code which implements that design.
This paper investigates an approach which uses a 1960s process visualisation technique known as a Petri Net[4] to link together models of the law and of a digital system. Although the approach is in its early stages, its potential strength is that it can help to bridge the knowledge gap that often exists between those in the legal and technical domains. Intuitive visual representations of the status of a system and the flow of information within and between legal and system models enable privacy experts and software developers to gain a better understanding of the behaviour of a system vis-à-vis the data protection framework. Developers can embody the aims of the legislation from the very beginning of the software design process, while lawyers can gain an understanding of the inner workings of the software without needing to understand code. The approach can also facilitate automatic formal verification of the models’ interactions, paving the way for machine-assisted privacy by design and, potentially, “compliance by design” more generally.
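As an added illustration of the kind of machine-assisted check the paper envisages (this is example code written for this page, not the paper's own models or tooling), the following Python models a data controller's workflow as a small Petri net and uses reachability analysis to verify a data-protection property: data is never processed unless consent was first recorded. The place names, transitions and the property itself are constructed assumptions for the example.

```python
from collections import deque

# Constructed Petri net: places hold tokens; a transition fires when every one
# of its input places holds a token, consuming those and producing its outputs.
PLACES = ("data_received", "awaiting_consent", "consent_given",
          "consent_evidence", "processed")

# transition -> (input places consumed, output places produced), one token each.
# consent_evidence is never consumed, so it acts as a permanent record.
COMPLIANT_NET = {
    "request_consent": (("data_received",), ("awaiting_consent",)),
    "grant_consent":   (("awaiting_consent",), ("consent_given", "consent_evidence")),
    "process_data":    (("consent_given",), ("processed",)),
}
# Same net plus a shortcut that processes data without ever asking for consent.
NONCOMPLIANT_NET = dict(COMPLIANT_NET,
                        process_anyway=(("data_received",), ("processed",)))

def enabled(marking, inputs):
    return all(marking[PLACES.index(p)] > 0 for p in inputs)

def fire(marking, inputs, outputs):
    m = list(marking)
    for p in inputs:
        m[PLACES.index(p)] -= 1
    for p in outputs:
        m[PLACES.index(p)] += 1
    return tuple(m)

def reachable_markings(net, initial):
    """Breadth-first enumeration of every marking reachable from `initial`."""
    seen, queue = {initial}, deque([initial])
    while queue:
        m = queue.popleft()
        for inputs, outputs in net.values():
            if enabled(m, inputs):
                n = fire(m, inputs, outputs)
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
    return seen

def consent_violations(net):
    """Reachable markings where data was processed but no consent was recorded."""
    initial = tuple(1 if p == "data_received" else 0 for p in PLACES)
    processed, evidence = PLACES.index("processed"), PLACES.index("consent_evidence")
    return sorted(m for m in reachable_markings(net, initial)
                  if m[processed] > 0 and m[evidence] == 0)

if __name__ == "__main__":
    print("compliant:", consent_violations(COMPLIANT_NET))        # []
    print("non-compliant:", consent_violations(NONCOMPLIANT_NET))  # [(0, 0, 0, 0, 1)]
```

Because the legal rule is expressed as a property over markings rather than as code, the same search can be re-run unchanged whenever the system model is revised.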
[1] Article 23.
[2] See A. Cavoukian, ‘Privacy by design: The 7 foundational principles’ (2009, revised 2011). Retrieved from https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf (accessed 7 Jan 2016).
[3] See European Data Protection Supervisor, ‘EDPS Recommendations on the EU’s Options for Data Protection Reform’ (2015) Opinion 3/2015, p. 8 and Amendment 27 of the Opinion of the Committee on the Internal Market and Consumer Protection on an earlier draft of the GDPR (European Parliament A7-0402/2013).
[4] C. A. Petri, ‘Kommunikation mit automaten’ (1962), University of Bonn. Retrieved from http://epub.sub.uni-hamburg.de/informatik/volltexte/2011/160/.