Jusletter IT

Privacy Impact Assessments as a Means to Achieve the Objectives of Procedural Justice

  • Author: Dariusz Kloza
  • Category: Articles
  • Region: Belgium
  • Field of law: Data Protection
  • Collection: Tagungsband IRIS 2014
  • Citation: Dariusz Kloza, Privacy Impact Assessments as a Means to Achieve the Objectives of Procedural Justice, in: Jusletter IT 20 February 2014
Since the participation of stakeholders in privacy impact assessments (PIAs) is considered insufficient, the theory of procedural justice can inspire the strengthening the public voice in the governance of privacy. However, the relationship between PIAs and procedural justice is more complex. This papers attempts to demonstrate the way in which PIAs serve the idea of procedural justice as well as what PIAs can learn from procedural justice. In conclusion it is argued that PIAs living up to the procedural justice standards are a good means to achieve the fairness of the proceedings.

Inhaltsverzeichnis

  • 1. Why this research?
  • 2. The concept of (ideal) privacy impact assessments
  • 2.1. In the privacy protection field, attention has shifted from reactive measures towards more anticipatory ones. The governance of privacy has focused nowadays on accountability
  • 2.2. The PIA process is based on a logic of accountability and transparency
  • 2.3. However, stakeholders
  • 3. The theory of procedural justice
  • 3.1. People care not only about the outcome of the proceedings but also about the way they were handled (distributive vs. procedural justice)
  • 3.2. Procedural justice influences satisfaction and compliance with the decisions made as well as strengthens legitimacy of both the decisions made and of decision-makers
  • 3.3. Procedural justice is based on participation (voice), neutrality, respect and trust
  • 4. Privacy impact assessments serve the idea of procedural justice
  • 5. Procedural justice can improve privacy impact assessment
  • 5.1. For the benefit of stakeholders
  • 5.2. For the benefit of organisations and assessors
  • 6. Concluding remarks
  • 7. References

1.

Why this research? ^

[1]

One of the many problems and open questions identified in the policy and practice of privacy impact assessments (PIAs) is the insufficient participation of stakeholders.1 In an attempt to remedy this situation, among others, a comparative analysis of the framework for public participation in environmental decision-making, and in particular of the environmental impact assessments (EIAs), the «older brothers» of PIAs, suggested the adaptation of the so-called «environmental democracy» to the reality and needs of the governance of privacy, thus creating the «privacy democracy» (Kloza 2013, 94–95).

[2]
Further inspiration can come from the social psychological theory of procedural justice, according to which the proceedings are considered fair if the principles of voice (participation), neutrality, respect and trust are satisfied. In remedying the above-mentioned problem of inadequate stakeholders participation in PIAs, the principle of participation can strengthen the public voice therein. Yet, from a broader perspective, the relationship between PIAs and procedural justice is more complex. On the one hand, PIAs can be seen as a means to achieve the fairness of proceedings. On the other, applying the criteria of procedural justice to PIAs enhances the fairness of decision-making that has been subjected to PIAs. From an even broader perspective, since PIAs represent one of many types of impact assessments (IAs) – others being environmental, social, etc. – it could be argued that IAs in general are means to achieve procedural justice and that IAs satisfying the procedural justice criteria enhance the fairness of proceedings.
[3]
In this paper I intend to explore further these ideas. Using PIAs as an example of IAs, I attempt to demonstrate in which way PIAs serve the concept of procedural justice (chapter 4) as well as how procedural justice principles can improve PIAs in order to enhance the fairness of proceedings (chapter 5). For the sake of clarity, I start with an overview of the concepts of (ideal) PIAs (chapter 2) and of procedural justice (chapter 3). In the conclusions (chapter 6), I argue that PIAs living up to the procedural justice standards are a good means to achieve the fairness of the proceedings, thus bringing all the benefits of procedural justice.

2.

The concept of (ideal) privacy impact assessments ^

2

2.1.

In the privacy protection field, attention has shifted from reactive measures towards more anticipatory ones. The governance of privacy has focused nowadays on accountability ^

[4]

A PIA is usually defined as «a process for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise the negative impacts» (De Hert, Kloza, and Wright 2012, 5). In practice, PIAs constitute a tool for supporting decision-making.

[5]

Building on the positive experience of environmental impact assessments (EIAs), the growing interest in PIAs is caused by public distrust in emerging technologies in general, by the robust development of privacy-invasive tools, by a belated public reaction against the increasingly privacy-invasive actions of both public authorities and corporations as well as by a natural development of rational management techniques (Davies and Wolf-Phillips 2006, 57; Clarke 2009, 124; De Hert, Kloza, and Wright 2012, 5). From the governance viewpoint, PIAs have shifted the attention from reactive measures towards more anticipatory instruments in the belief in the rationale of an «ounce of prevention» (Bennett and Raab 2003, 204). PIAs are considered effective accountability tools that have decentralised the enforcement of privacy by focusing on the very actors involved; this is clearly visible in the 2012 European Commission’s proposal for the new EU data protection framework (Kuner 2012, 7).

2.2.

The PIA process is based on a logic of accountability and transparency ^

[6]

The research project PIAF, having examined the PIA best practices worldwide, was concluded by a set of recommendations for PIA policy-makers and practitioners. These recommendations identified a number of core characteristics of an ideal PIA policy and process:3

  1. Embodiment in the lifecycle of the project: a PIA is a process that starts as early as possible (so that it can influence the design of the project), continues throughout the lifecycle of the project and is revisited afterwards, if new privacy risks are discovered. If a project «moves» to another organisation, continuity of the PIA process is ensured (i.e. PIAs as a «living instrument»). Finally, PIAs are reviewed and/or audited.
  2. Scalability: Because organisations vary greatly in size, because the extent to which their activities intrude on privacy varies, and because their experience in dealing with privacy issues differs, organisations carry out PIAs appropriate to their own circumstances.
  3. All privacy types and beyond: PIAs address all types of privacy4 and not only informational aspects thereof. If necessary, PIAs might address also ethical implications (Wright and Mordini 2012, 397-418) as well as issues related to surveillance (Raab and Wright 2012, 363–383).
  4. Accountability: in the privacy protection arena, accountability not only consists of adopting and implementing the appropriate measures (i.e. the requirement of efficiency) but also in of being able to demonstrate – upon request – that such measures have been taken (i.e. the requirement of transparency) (Art 29 Working Party 2010, 9). An organisation carrying out PIAs as well as assessors and senior officials are accountable for their actions and omissions related thereto. To demonstrate that the PIA process has been properly carried out and its recommendations implemented, an external audit and/or review may be conducted.
  5. Transparency: a PIA process enjoys at least a minimum level of transparency. Both the assessors and the stakeholders must have all relevant information to assess the privacy implications of the proposed project. The requirement of transparency in PIAs is of a twofold nature: (1) of the process itself, and (2) about disclosure of relevant information, which is further split into: (a) stakeholders’ participation, (b) publication of the PIA report, and (c) public registry of PIAs actually carried out. None of these precludes due respect for sensitive information.
    1. Stakeholdersinvolvement: in the PIA process, stakeholders, as representative as possible, including the public, if applicable, are identified and informed about the planned project and of the PIA process. Their views are sought and subsequently duly taken into consideration.
    2. Report: having concluded a PIA process, the final report is made public and is easy accessible.
    3. Public registry: all PIAs are listed in a public central registry, preferably in a digital form, and are easily accessible.
    4. Sensitive information: all these «externalities» of the PIA process, i.e. stakeholders» participation, reports and registries, beg a question about state secrets and commercially sensitive information. These are not necessarily meant to reach the public; stakeholders are usually external to an organisation carrying out PIAs. Thus, they might be consulted e.g. through closed discussion sessions with non-disclosure agreements. As far as PIA reports are concerned, an organisation could redact the documents and place confidential information in an annex and publish only the main body of the report, which is later on fed into the registry. Alternatively, an organisation might create and publish a meaningful summary of the report.
  6. Risk management and a legal compliance check – the core elements of PIAs. Based on a proper risk management methodology, all possible risks and other negative privacy impacts are identified, assessed and – ideally – mitigated. Residual risks, if any, are justified. The assessors ensure the project’s compliance with any legislative or other regulatory requirements.
  7. Internal «privacy culture»: PIAs are only good as the process that supports them (Wright 2012, 58). An organisation, having set out the terms of reference of the PIA process, ensures professional and personal independence of the assessor. PIAs could be carried out in-house by e.g. a data protection officer, whose independence is sanctioned by law and by appropriate resources at her disposal (time, money, manpower) or they could be equally outsourced to an external entity whose independence is beyond any doubt. Assessors recognise the bias and subjectivity that they might bring to the task and declare that in the report.
  8. External «privacy culture»: PIAs needs high-level support of policy-makers, regulators and private sector. In particular, data protection authorities (DPAs) play a key role here. They promote and facilitate the PIA process by providing expertise, guidance and advice for policy-makers, organisations and assessors5 as well as – possibly – by reviewing and providing feedback of (selected) PIAs actually carried out.

2.3.

However, stakeholders ^

[7]

One of the main problems of PIA governance is the issue of stakeholders’ participation. Within the PIAF project, a study indicated that only few PIA frameworks explicitly provide for stakeholder participation: apart from the European Union, only four out of thirteen examined frameworks worldwide clearly foresee stakeholders’ participation, i.e. Australia, the Australian state of Victoria, Ireland and the United Kingdom (Wright et al. 2011, 177–178; Clarke 2011, 111–120). In practice, the final PIA reports often fail to acknowledge the importance of stakeholders’ consultation, give it limited berth, details on such consultations are lacking or the stakeholders are not adequately identified (Wright et al. 2011, 193). Furthermore, the public has often difficulties in benefiting from reports of PIAs actually carried out (Stoddart 2012, 434). Also, the majority of EU data protection authorities do not support compulsory stakeholders’ participation in the PIA process (Hosein and Davies 2012, 16).

3.

The theory of procedural justice ^

3.1.

People care not only about the outcome of the proceedings but also about the way they were handled (distributive vs. procedural justice) ^

[8]

The social psychological theory of procedural justice has been coined in the United States in 1960s and was further developed by Tyler and his associates in 1980s (cf. e.g. Lind and Tyler 1988). Put the most simply, procedural justice can be defined as the fairness of process (Hollander-Blumoff 2010, 381). In the words of Brems and Lavrysen, «procedural justice emphasizes the fundamental importance of procedural fairness judgments in shaping citizens’ satisfaction and compliance with the outcome of a legal process and in strengthening the legitimacy of legal institutions» (Brems and Lavrysen 2013, 176). Although their definition focuses predominantly on courts and alterative dispute resolution fora (i.e. legal institutions), the idea of procedural justice can equally be applied to any proceedings in which (an authoritative) decision is made by a third party, be it a public authority or a private entity. In general, the theory of procedural justice plays a vital role in designing institutions through which the law and policies are being created and implemented in an efficient manner. These hypotheses make it possible to analyse PIAs through the lens of procedural justice.

[9]

The underlying assumption of procedural justice is an empirical hypothesis that in a contact with a decision-making machinery people care not only about the outcome of the proceedings (i.e. distributive justice) and its favourability but also about the way in which these proceedings were conducted (i.e. procedural justice) (Tyler 2008, 26–28; Brems and Lavrysen 2013, 177). Yet procedural justice is by no means intended as a substitute for distributive justice; the former is meant to complement the latter (Brems and Lavrysen 2013, 182).

3.2.

Procedural justice influences satisfaction and compliance with the decisions made as well as strengthens legitimacy of both the decisions made and of decision-makers ^

[10]

The idea of procedural justice promises a lot of benefits. First and foremost, whether the proceedings were fair or not has a strong impact on whether people accept and abide the decisions, both immediately and over time. From the governance viewpoint, especially with an unfavourable decision, acceptance is more advantageous than mere compliance as acceptance does not necessitate the spending of enormous resources to compel people by threat or force. The procedural justice approach results in «losing» being more acceptable as it minimizes the degree to which problems are framed in terms of winning and losing (Tyler 2008, 28).

[11]

Second, procedural justice influences how people evaluate the decision made, the decision-makers as well as the rules both governing the proceedings and substantiating the decision made, in particular the law. Third, linked to the two previous arguments, procedural justice influences the perception of legitimacy, which in turn impacts behavioural compliance (Tyler 2006, 103). In other words, legitimacy becomes a central motivation for obedience (Tyler 2014).

3.3.

Procedural justice is based on participation (voice), neutrality, respect and trust ^

[12]

The idea of procedural justice is based on four main principles: participation (voice), neutrality, respect and trust. Their elaboration by Tyler (2008, 30–31) merits reproduction in its entirety:

    Voice. People want to have the opportunity to tell their side of the story in their own words before decisions are made about how to handle the dispute or problem. Having an opportunity to voice their perspective has a positive effect upon people’s experience with the legal system irrespective of their outcome, as long as they feel that the authority sincerely considered their arguments before making their decision. This desire for voice is found to be one of the reasons that informal legal procedures such as mediation are very popular. People value the chance to communicate with the mediator, indicating what they view the problem as being and making suggestions concerning how it should be handled.

    Neutrality. People bring their disputes to the court because they view judges as neutral, principled decision makers who make decisions based upon rules and not personal opinions, and who apply legal rules consistently across people and over cases. To emphasize this aspect of the court experience, judges should be transparent and open about how the rules are being applied and how decisions are being made. Explanations emphasizing how the relevant rules are being applied are helpful.

    Respect. Legal authorities, whether police officers, court clerks, or judges, represent the state and communicate important messages to people about their status in society. Respect for people and their rights affirm to people that they are viewed as important and valuable, and are included within the rights and protections that form one aspect of the connection that people have to government and law. People want to feel that when they have concerns and problems both they and their problems will be taken seriously by the legal system.

    Respect matters at all stages, and involves police officers and court clerks as well as judges. It includes both treating people well, that is, with courtesy and politeness, and showing respect for people’s rights. For example, when people come to court they are often confused about how cases are handled. Providing people with information about what to do, where to go, and when to appear, all demonstrate respect both for those people and for their right to have their problems handled fairly by the courts. Brochures or websites explaining court procedures, as well as aids such as help desks, are found to be valuable.

    Trust. Studies of legal and political authorities consistently show that the central attribute that influences public evaluations of legal authorities is an assessment of the character of the decision maker. The key elements in this evaluation involve issues of sincerity and caring. People infer whether they feel that court personnel, such as judges, are listening to and considering their views; are being honest and open about the basis for their actions; are trying to do what is right for everyone involved; and are acting in the interests of the parties, not out of personal prejudices.

[13]

The concept of procedural justice develops. With regard to the first principle, i.e. participation (voice), Brems and Lavrysen distinguish between «formal participation» (telling one’s own story in their own words) and «substantive participation» (duly considering all parties’ views). In the case of an unfavourable outcome, the decision maker has to communicate that the individual’s views were taken into account, but they unfortunately could not influence the decision made (2013, 181). When it comes to the second principle, i.e. neutrality, Brems and Lavrysen further add: (1) the importance of the perceptions of independence and impartiality, (2) equal treatment of the parties, as well as (3) accuracy («judges have to base their opinion on information that is correct») and correctability («opportunities should exist to correct decisions that are unfair or incorrect») (2013, 181). With regard to the third principle, i.e. respect, Solum adds that «a fair procedure must, at a minimum, strike a fair or reasonable balance between the benefits of accurate outcomes and the costs imposed by the system of procedures» (Solum 2004, 185).

4.

Privacy impact assessments serve the idea of procedural justice ^

[14]

Having compared (ideal) PIAs with the principles of procedural justice, it could be safely adduced that the former serves the idea of the latter. Let me briefly analyse the most apparent links:

  1. Perhaps the most visible link between PIAs and procedural justice relies on the participation principle. The requirement of formal participation is in PIAs fulfilled by ensuring transparency of the PIA process as well as by identifying and informing stakeholders and subsequently seeking their views. The substantive participation requirement is fulfilled therein by duly taking stakeholder’s views into consideration.
  2. However, the core link between PIAs and procedural justice lies in the principle of neutrality, as it guarantees a true and objective outcome of the proceedings. In particular:
    1. The requirement that an honest and impartial decision is based upon rules is in PIAs served predominantly by an independent, preferably external, and unbiased assessor. Ideal PIAs require her independence to be legally sanctioned, equipped with enough personnel, money and time to conduct the assessment. Her personal views should not affect the assessment. Assessors should use proper methodologies for risk management and ensure legal compliance of the project. All these are subsequently subjected to an external audit and review.
    2. The requirement of equal treatment is fulfilled in PIAs by stakeholders’ participation, as representative as possible, by which a broader picture of privacy implications is sought.
    3. The requirement of transparency and openness is fulfilled in PIAs by (1) the transparency of the PIA process itself, and (2) by the disclosure of relevant information, i.e. stakeholders’ participation, publication of the PIA report and a central registry of PIAs carried out.
    4. The requirement of accuracy builds in PIAs on four elements. In the quest for a «complete picture», first, PIAs are embodied in the lifecycle of the project. Second, the PIA process is based on solid and complete information (an exhaustive description of the project, information flows as well as views of internal experts and of external stakeholders and, if necessary, consultation with a DPA). Third, assessed are all privacy implications and not only informational aspects thereof. Fourth, views of the stakeholders contribute to a complete and accurate picture of privacy implications. Finally, risk management, based on a proper methodology, and a legal compliance check are the core elements of PIA.
    5. Correctability is achieved in PIAs by their «living» nature: PIAs are updated when necessary and subjected to an external audit and/or review.
  3. The requirement of respect in procedural justice builds on the fact that stakeholders are taken seriously throughout the proceedings. In PIAs, this is achieved predominantly by their formal and substantive participation. As a prerequisite, stakeholders should be provided with enough information in order for their participation to be meaningful and this is achieved by duly informing them, and – to some extent – publishing PIA report and placing these reports in a central registry.
  4. As the principle of trust in procedural justice relies on the character of the decision-maker, both professional and personal independence of the assessor matter in PIAs. In order for the assessors to show their sincerity, carrying, honesty and openness, a PIA process should be transparent. The assessors are supposed to carefully listen and consider stakeholders views, giving them equal weight.
[15]

The table below tentatively tries to sum up and to illustrate these links. Although it is a rough basic sketch, it shows which building blocks of PIAs serve the four principles of procedural justice; it is immediately apparent that some of these blocks can serve a more than one principle.

Table 1: A rough sketch of the ways in which PIAs serve the idea of procedural justice 

5.

Procedural justice can improve privacy impact assessment ^

5.1.

For the benefit of stakeholders ^

The relationship between PIAs and procedural justice can be mutually beneficial and the concept of PIAs can be improved by drawing a few lessons from the idea of procedural justice. Although ideal PIAs already satisfy majority of the procedural justice principles, there is still some room for improvement and at least five ideas could be found:
  1. From the viewpoint of the principle of voice, participation of stakeholders should be a core element of the PIA process. Currently many PIAs framework make such participation optional, the PIA practice leaves much to be desired in this respect as well as DPAs usually oppose mandatory stakeholder’s participation (cf. supra, at 2.3). Therefore, applying the principle of voice to PIAs in its entirety is the first means to strengthen the public voice in privacy governance.
  2. The principle of neutrality requires that conducting PIAs should not be limited just to a «clearance» that an organisation wishes to obtain. In particular, PIAs should not be used to legitimise political decisions. This is strongly linked to the requirements of sincerity and honesty, which are building blocks of trust. If organisations «fake» procedural justice, their legitimacy is undermined.6 Therefore, PIAs should be a genuinely honest process aiming at limiting the negative privacy implications.
  3. Consistency deals here with a broader approach to privacy policy in an organisation in general and into PIAs in particular, i.e. an organisation should have a consistent approach to conducting PIAs for each project, at least if it is likely to pose risks to privacy.
  4. Procedural justice’s criterion of neutrality requires equal treatment. Thus, in PIAs, arguments brought by the internal experts and external stakeholders should be ideally given an equal weight.
  5. Procedural justice’s criterion of respect requires the proceedings not to be unreasonably long and not to involve excessive costs. Thus, from a PIA viewpoint, emphasis should be placed on making stakeholders’ participation easy and affordable.

5.2.

For the benefit of organisations and assessors ^

Applying procedural justice criteria to PIA can be beneficial not only for the stakeholders, but also to those «on the other side of the barricade»: an organisation and its assessors. Generally speaking, PIAs living up the procedural justice criteria enhance informed decision-making:

    [a] PIA has often been described as an early warning system. It provides a way to detect potential privacy problems, take precautions and build tailored safeguards before, not after, the organisation makes heavy investments. The costs of fixing a project (using the term in its widest sense) at the planning stage will be a fraction of those incurred later on. If the privacy impacts are unacceptable, the project may even have to be cancelled altogether. Thus, a PIA helps reduce costs in management time, legal expenses and potential media or public concern by considering privacy issues early. It helps an organisation to avoid costly or embarrassing privacy mistakes (Wright 2012, 55).

From a pragmatic viewpoint, the most visible benefit comes with an opportunity to get a more complete and accurate picture of privacy implications, predominantly by participation and accuracy criteria, thus contributing positively to the quality of decision-making. Next, a positive relationship with stakeholders will allow understanding their perspectives, escaping negative public relations, avoiding loss of reputation as well as gaining public confidence. In this sense, PIAs are public relation tools. Finally, it is about costs and delays, for which both sides wish to have them low. In result, from a broader perspective, procedural justice enhances mutual trust and respect between both «sides». On top of that, the leadership of DPA is predominantly beneficial for the organisations: as the PIA process usually requires huge time and assets, DPAs should offer some guidance material and advice in case of doubt. In addition, the criteria of procedural justice do not stand in opposition to the integration of PIAs with other areas in which an impact assessment (or risk management) is conducted. This flexibility allows for the reduction of costs.From a governance viewpoint, procedural justice argues that people’s willingness to accept and to voluntarily abide the decision made is closely linked to fairness of the proceedings leading to such a decision. Conducting PIAs will usually seek some «justification», though socially and legally acceptable, for some level of privacy interference, thus by definition making a project subjected to PIAs unfavourable to the individuals concerned. Once the project is deployed their privacy might be somehow «limited». In case a conducted PIA lives up to the procedural justice standards, these individuals – seeing that organisations care about their concerns and well-being – are more likely to accept even a less favourable outcome thereof and are more likely to evaluate the decision-maker positively, thus, in result, enhancing the legitimacy of both.

6.

Concluding remarks ^

The initial hypothesis of the present research was that of procedural justice remedying insufficient public participation in PIAs. However, as the research progressed, the relationship between PIAs and procedural justice became much more complex. In this paper, having overviewed the concepts of ideal PIAs and of procedural justice, and having assumed that procedural justice criteria can be applied outside courts, I argued that the usage of PIAs in decision-making serves the idea of just proceedings. In particular, applying the participation principle to PIAs is the first means to strengthen the public voice in privacy governance. Yet, PIAs can be improved, by looking at some building blocks of procedural justice, for the benefit of both stakeholders and organisations. From an even broader perspective, it could be argued that IAs in general are means to achieve procedural justice and that IAs living up to the procedural justice criteria enhance the fairness of proceedings.In result, PIAs living up to procedural justice criteria enhance the legitimacy of the decision made, of the proceedings leading thereto and of the decision-makers. In turn, procedural justice criteria make decisions that are based on PIAs more acceptable, especially unfavourable ones, and shape people’s satisfaction. All these lead to a conclusion that «fair» PIAs are excellent means to achieve the procedural justice’s goals.

7.

References ^

Art 29 Working Party. 2010. «Opinion 3/2010 on the Principle of Accountability». Bruxelles.

 

Bennett, Colin, and Charles D. Raab. 2003. The Governance of Privacy: Policy Instruments in Global Perspective. Ashgate Publishing, Limited.

 

Brems, Eva, and Laurens Lavrysen. 2013. «Procedural Justice in Human Rights Adjudication: The European Court of Human Rights.» Human Rights Quarterly 35 (1): 176–200.

 

Clarke, Roger. 2009. «Privacy Impact Assessment: Its Origins and Development.» Computer Law & Security Review 25 (2): 123–135.

———. 2011. «An Evaluation of Privacy Impact Assessment Guidance Documents.» International Data Privacy Law 1 (2) (February 15): 111–120.

 

Davies, Keith G, and Jonathan Wolf-Phillips. 2006. «Scientific Citizenship and Good Governance: Implications for Biotechnology.» Trends in Biotechnology 24 (2) (February): 57–61.

 

De Hert, Paul, Dariusz Kloza, and David Wright. 2012. «Recommendations for a Privacy Impact Assessment Framework for the European Union». Brussels – London. http://www.piafproject.eu/ref/PIAF_D3_final.pdf

 

Finn, Rachel L., David Wright, and Michael Friedewald. 2013. «Seven Types of Privacy.» In European Data Protection: Coming of Age, edited by Serge Gutwirth, Ronald Leenes, Paul de Hert, and Yves Poullet, 3–32. Springer Netherlands.

 

Hollander-Blumoff, Rebecca. 2010. «Just Negotiation.» Washington University Law Review 88 (2).

 

Hosein, Gus, and Simon Davies. 2012. «Empirical Research of Contextual Factors Affecting the Introduction of Privacy Impact Assessment Frameworks in the Member States of the European Union». London. http://www.piafproject.eu/ref/PIAF_deliverable_d2_final.pdf

 

Kloza, Dariusz. 2013. «Public Voice in Privacy Governance: Lessons from Environmental Democracy.» In KnowRights 2012 Proceedings, edited by Erich Schweighofer, Ahti Saarenpää, and Janos Böszörmenyi, 80–97.

 

Kuner, Christopher. 2012. «The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law.» Privacy and Security Law Report: 1–15.

 

Lind, E A, and Tom R Tyler. 1988. The Social Psychology of Procedural Justice. Springer.

 

Raab, Charles D., and David Wright. 2012. «Surveillance: Extending the Limits of Privacy Impact Assessment.» In Privacy Impact Assessment, edited by David Wright and Paul Hert, 6:363–383. Springer Netherlands.

 

Solum, Lawrence B. 2004. «Procedural Justice.» Southern California Law Review 78: 181–321.

 

Stoddart, Jennifer. 2012. «Auditing Privacy Impact Assessments: The Canadian Experience.» In Privacy Impact Assessment, edited by David Wright and Paul De Hert.

 

Tyler, Tom R. 2006. Why People Obey the Law. Princeton University Press.

———. 2008. «Procedural Justice and the Courts.» Court Review 44: 26–31.

———. 2014. «Legitimacy in Everyday Law.» In «Procedural Justice and the Courts: Normative Dimensions» Seminar, Gent, Belgium, 17 January.

 

Wright, David. 2012. «The State of the Art in Privacy Impact Assessment.» Computer Law & Security Review 28 (1): 54–61.

 

Wright, David, and Paul De Hert, ed. 2012. Privacy Impact Assessment. Dordrecht: Springer.

 

Wright, David, and Emilio Mordini. 2012. «Privacy and Ethical Impact Assessment.» In Privacy Impact Assessment, edited by David Wright and Paul Hert, 6:397–418. Springer Netherlands.

 

Wright, David, Kush Wadhwa, Paul De Hert, and Dariusz Kloza. 2011. «A Privacy Impact Assessment Framework for Data Protection and Privacy Rights.» Brussels-London. http://www.piafproject.eu/ref/PIAF_D1_21_Sept2011Revlogo.pdf


 

Dariusz Kloza

Vrije Universiteit Brussel (VUB) – Research Group on Law, Science, Technology and Society (LSTS)

Pleinlaan 2, 1050 Elsene, Brussels, Belgium

dariusz.kloza@vub.ac.be; http://www.vub.ac.be/LSTS

 

I wish to thank Irina Baraliuc and Paul De Hert for their useful comments. 

 


  1. 1 The research on PIAs was conducted within the project PIAF (Privacy Impact Assessment Framework for Data Protection and Privacy Rights) (2011-2012), which aimed at proposing an adoption of a progressive PIA policy in the EU as a means of addressing contemporary needs and challenges related to privacy protection. PIAF was co-funded by the European Union under its Fundamental Rights and Citizenship Programme, http://www.piafproject.eu. For its main scientific output, cf. Wright, Wadhwa, De Hert & Kloza 2011, (Hosein and Davies 2012) and (De Hert, Kloza, and Wright 2012). The contents of this paper are the sole responsibility of the author and can in no way be taken to reflect the views of the European Commission.
  2. 2 Unless otherwise stated, this chapter summarises the findings of (Wright and De Hert 2012).
  3. 3 For the sake of simplicity, I abandoned here the distinction between PIA policy and practice, which was originally made in the set of recommendations of the PIAF project (i.e. De Hert, Kloza, and Wright 2012). I also omit here typical policy issues, such as whether PIAs should be mandatory.
  4. 4 I.e. privacy of a person, of thought and feelings, of location and space, of data and image, of behaviour and action, of communications, and of association, including group privacy (Finn, Wright, and Friedewald 2013).
  5. 5 A number of authorities DPAs worldwide have developed various guidance materials for assessors conducing a PIA. For a non-exhaustive list thereof, cf. e.g. (Clarke 2009, 123–135; Clarke 2011, 111–120).
  6. 6 I thank Paul De Hert, Mireille Hildebrandt and Eva Brems, respectively, for bringing these three arguments to my attention.