LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the difference between "privacy by policy" and "privacy by architecture"?

Privacy by policy protects data through rules and laws (what people are permitted to do); privacy by architecture protects it through technology that makes violations difficult or impossible.

Real privacy protection needs both — they cover each other's weaknesses.

Approach How it protects Example Weakness
Privacy by policy Laws, contracts, self-regulation, consequences for violations GDPR, a company's privacy policy, fines Relies on actors choosing to comply; only catches violations after the fact
Privacy by architecture Technical design that prevents misuse Encryption, anonymization, on-device processing, Privacy by Design Optional unless mandated; can be omitted by a careless or hostile builder

Why neither alone is enough:

  • Laws without enforcing technology are toothless — a rule that "you mustn't read this data" doesn't stop someone who can technically read it.
  • Technology without legal backing is optional — encryption helps only if someone bothers to deploy it.

The synthesis: strong privacy regimes pair a legal mandate (policy) with technical enforcement (architecture) — e.g., GDPR (policy) requiring Privacy by Design (architecture).

Tip: When evaluating any system, ask both questions: "What are they allowed to do with my data?" (policy) and "What are they technically able to do with it?" (architecture). The gap between the two is where privacy risk lives.

From Quiz: PRIVACY / Introduction to Privacy and Data Protection | Updated: Jul 14, 2026