1. Introduction
2. The contradiction with the notion of risk in Art. 35 GDPR
«Where a type of processing (…) is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact (…) on the protection of personal data.»3
Quelle [2015, sec. 2.5] has duly noted this contradiction and has aptly summarised the situation, arguing that it might suggest that abidance by the data protection principles and mitigation of the risks to the rights and freedoms of natural persons are two distinct things.4 If so, one must wonder what exactly is meant by such rights and freedoms, and how mitigating the risks that concern them differs from protecting the data subjects' personal data. A further issue follows: if these are indeed two different things, what exactly is the role of the rights and freedoms of the data subject, and how does such an impact assessment differ from the traditional compliance approach?
3.1. Compliance risk: what is it and why is it not so bad?
The hypothesis put forward in this contribution is that the notion of risk at the heart of the GDPR is a compliance risk. Thus, instead of determining the likelihood that a given processing operation will violate the data subjects' fundamental rights and freedoms (and the severity of such a violation), its point is to determine the likelihood that a given processing operation will (not) comply with the GDPR (and the severity of such non-compliance).
3.2. Why compliance risk? The debate between risk-based and rights-based approaches and the conundrum of risk in the GDPR
3.3. How to articulate compliance risk with the assessment of the risk to the rights and freedoms of the data subjects?
The key to understanding the articulation between compliance issues and the violation of the data subjects' broader spectrum of fundamental rights lies in the risk management step.
In other words, not complying with data protection law has a number of negative consequences, which amount to violations of the data subjects' fundamental rights and freedoms. It is precisely these violations that the data controller needs to take into account when deciding whether or not to pursue a processing operation.
4. Conclusion: what protection is to be expected from the risk-based approach?
By way of conclusion, one may ask what type of protection the GDPR's risk-based approach will achieve and, in particular, what role the data subjects' rights and freedoms play in this regard.
One may, however, ask what the role of the data subjects' rights and freedoms is in all this. The answer put forth in the present contribution is that addressing the potential violations of the data subjects' rights and freedoms contributes to the compliance of data processing operations. In this sense, they are an integral part of the «protection on the ground» aspect of the risk-based approach, since they help determine «in practice» what it means to be compliant.
Thus, to conclude, one can indeed see that the GDPR has enshrined a notion of compliance risk. Such compliance risk reconciles the rights-based dimension of the EU fundamental right to the protection of personal data with the fact that data controllers are now explicitly tasked with managing the risks created by their processing operations.10 The potential violations of the data subjects' rights and freedoms stemming from processing activities can be factored into such compliance risk by bearing in mind that they are the consequences of low levels of compliance. In doing so, compliance risk ensures, in conformity with the rights-based approach, that the data protection principles remain upheld in all situations, while simultaneously allowing the broader dimension of data processing activities to be taken into account.
5. Bibliography
Art. 29 WP, Opinion 1/98 Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS), 1998.
Art. 29 WP, Opinion 3/2010 on the principle of accountability, 2010.
Art. 29 WP, Opinion 03/2013 on purpose limitation, 2013.
Art. 29 WP, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 2014a.
Art. 29 WP, Statement on the role of a risk-based approach in data protection legal frameworks, 2014b.
Art. 29 WP/Working Party on Police and Justice, The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data, 2009.
Bernstein, P. L., Against The Gods – The Remarkable Story of Risk. New York: John Wiley & Sons, Inc 1996.
CNIL, Measures For The Privacy Risk Treatment, 2012a.
CNIL, Methodology For Privacy Risk Management: How to implement the Data Protection Act, 2012b.
de Sadeleer, N., EU Environmental Law and the Internal Market. Oxford: Oxford University Press 2014.
Gellert, R., We Have Always Managed Risks in Data Protection Law. European Data Protection Law Review 2016, 4(2), pp. 481–492.
González Fuster, G., The Emergence of Personal Data Protection as a Fundamental Right of the EU. Dordrecht: Springer 2014.
Hood, C. et al., Risk Management, in: The Royal Society (ed.), Risk: Analysis, Perception and Management – A Report of a Royal Society Study Group, London: The Royal Society 1992, pp. 135–201.
ISO, ISO 31000: Risk management – Principles and guidelines, 2009.
Quelle, C., The data protection impact assessment: What can it contribute to data protection?, 2015.
Warner, F., Introduction, in: The Royal Society (ed.), Risk: Analysis, Perception and Management – A Report of a Royal Society Study Group, London: The Royal Society 1992, pp. 1–12.
Wright, D., The state of the art in privacy impact assessment. Computer Law & Security Review 2012, 28(1), pp. 54–61. http://doi.org/10.1016/j.clsr.2011.11.007.
Wright, D./Mordini, E., Privacy and Ethical Impact Assessment, in: Wright, D./De Hert, P. (eds.), Privacy Impact Assessment, Dordrecht, Heidelberg, London, New York: Springer 2012, pp. 397–417.
- 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119.
- 2 For a summary of these debates, see Gellert 2016.
- 3 Emphasis by the author.
- 4 Quelle makes this point notably by paying heed to the differences between the respective GDPR proposals of the EU Commission, Parliament, and Council.
- 5 Recital 84 in particular provides that «In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.»
- 6 See for instance Bernstein 1996, p. 100: «any decision relating to risk involves two distinct and yet inseparable elements: the objective facts and a subjective view about the desirability of what is to be gained, or lost, by the decision».
- 7 See Hood et al. 1992, p. 137: «‹risk management› has been commonly used to refer to an analytic technique for evaluating risks against likely benefits».
- 8 See Recital 90: «a data protection impact assessment should be carried out by the controller in order to assess the particular likelihood and severity of the high risk».
- 9 The CNIL refers to risk factors as threats [CNIL 2012b, p. 6], and the ISO defines them as «elements, which, alone or in combination has the intrinsic potential to give rise to risk» [ISO 2009, p. 4].
- 10 This is, for example, very clear in Art. 24(1), which enshrines the accountability principle and provides that data controllers should take into account «the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons».