25-27 January 2017
CPDP 2017 - Computers, Privacy & Data Protection: The Age of Intelligent Machines
Roundtable: Brace for Impact Assessments - How to be prepared? (organized by d.pia.lab)
Chair: Paul Quinn, VUB-LSTS (BE)
Roundtable: Massimo Attoresi, EDPS (EU), Roger Clarke, Xamax Consultancy (AU), Dariusz Kloza, VUB-LSTS (BE) & PRIO (NO), Eugenio Mantovani, VUB-LSTS (BE), Claudia Quelle, Tilburg University (NL), Paolo Sinibaldi, European Investment Fund (LU), Niels van Dijk, VUB-LSTS (BE)
With the adoption of the European Union’s General Data Protection Regulation and the Criminal Justice Data Protection Directive in April 2016, furthermore with the ongoing modernisation of Council of Europe’s Convention 108, the well-established concept of ‘impact assessment’ was adapted to the needs and reality of European data protection law. Some have welcomed this novelty with enthusiasm, some with reserve. In any case, it has sparked continuous debates on its rationale, efficiency and practical application, further urged by the imminently upcoming applicability of the new laws. Therefore, this roundtable will tackle four pertinent issues:
EDPL Young Scholar Award (organised by European Data Protection Law Review (EDPL))
Chair: Bart van der Sloot, TILT (NL)
Panel: István Böröcz, VUB (BE), Worku Gedefa Urgessa, University of Oslo (NO), Raphaël Gellert, LSTS-VUB (BE), Franziska Boehm, Karlsruhe Institute for Technologies (DE), Maja Brkan, Maastricht University (NL)
Award presented by: Serge Gutwirth, LSTS-VUB (BE)
The Young Scholars Award, hosted by the European Data Protection Law Review, is given annually to outstanding emerging researchers in the field of privacy and data protection law. During this panel session, the three best young academics will present their research, discuss it with the competition jury members and the audience. Serge Gutwirth (LSTS, VUB) will present the award to the winning young scholar during a ceremony at the end of the panel.
The topics of the finalists:
Risk to the right to the protection of personal data - an analysis through the lenses of Hermagoras /István Böröcz/
One of the novelties of the General Data Protection Regulation will be the application of the risk-based approach in European data protection law on a larger scale. Although the Regulation uses the term ‘risk’ in numerous provisions, it does not answer the question ‘What is risk to a right and how should it be assessed?’ Although Article 35 (Data Protection Impact Assessment, DPIA) provides a tool to assess these risks, to keep the GDPR suitable for assessing new technologies the conduct of a DPIA should be based on a solid and clear understanding of the provisions. The applicability and suitability of a risk assessment process is yet to be discovered if the risk relates to a fundamental right. A unified perception of risk to a right is necessary as it is the core element of the risk-based approach; furthermore, a varying perception of risk to a right would undermine the endeavours of the GDPR relating to harmonisation. This contribution elaborates on the attributes of risk to a right and advises a unified understanding of risk to a right and risk to the right to the protection of personal data.
We Have Always Managed Risks in Data Protection Law: Understanding the Similarities and Differences Between the Rights-Based and the Risk-Based Approaches to Data Protection /Raphaël Gellert/
Recent years have seen the emergence of a so-called risk-based approach to data protection. It is meant to address the purported shortcomings of the traditional EU data protection principles (such as data minimisation, purpose limitation, etc.) with regard to evolving data processing practices (e.g., profiling, big data). It does so by replacing these principles with risk analysis tools, the goal of which is to assess the benefits and harms of each processing operation and on this basis to manage the risk, that is, to take a decision whether or not to undertake the processing at stake. Such a risk-based approach has been hailed as diametrically opposite to the legal, rights-based nature of data protection. This contribution investigates this opposition and finds that the two approaches (risk-based and rights-based) are actually much more similar than is currently acknowledged. Both aim at managing the risks stemming from data processing operations. This is epitomised by the fact that they have the exact same modus operandi, namely two balancing tests, with risk reduction measures (known as safeguards in the legal context) associated with the second balancing. Yet, if both approaches manage data processing risks, they nonetheless do so differently. Whereas the risk-based approach manages risks in a contextual, tailor-made manner, the rights-based approach manages risks from the outset, once and for all. The contribution concludes with a discussion and possible policy recommendations highlighting the benefits and drawbacks of each approach.
25-26 November 2016
Brno, Czech Republic
Cyberspace 2016 - 14th International Conference
Data Protection & Privacy Impact Assessments (special track organized by d.pia.lab)
Impact assessment in the European Union’s new data protection law /Dariusz Kloza, István Böröcz/
The reform process of the European Union’s legal framework for personal data protection culminated on 27 April 2016 with the enactment of the General Data Protection Regulation and – less popular – the Police and Criminal Justice Data Protection Directive. Both instruments bring to the fore multiple uncharted novelties, and one of them is a ‘data protection impact assessment’ (‘DPIA’). Upon the entry into force of the new legal framework (28 May 2018), an obligation will be imposed on data controllers to conduct such an assessment for personal data handlings that are “likely to result in a high risk to the rights and freedoms of natural persons” (cf. Art 35 of the Regulation and Art 27 of the Directive). All these novelties have sparked continuous debates on their effectiveness, efficiency and practical application, further urged by the imminently upcoming applicability of the new laws.
Therefore we could not help but take part in this debate and reflect on the way the well-established concept of impact assessment was adapted to the needs and reality of European data protection law. Having briefly overviewed the history of impact assessments in the areas of environment, technology and privacy, we critically assess the two legal requirements for a ‘DPIA’ set forth by the new Regulation and the Directive. We point out their positive, acceptable and negative elements. We conclude that these ‘DPIA’ requirements – predominantly due to their limited scope – have rather failed to live up to the expectations vested therein. Yet this failure could be remedied by a complementary policy on impact assessment that would genuinely safeguard both individual and collective interests related to privacy. We therefore conclude with a few modest suggestions as to the contents of such a policy.
Addressing issues with DPIA methodologies: What can we learn from law? /Raphaël Gellert, Niels van Dijk/
The introduction of data protection impact assessments (DPIAs) is one of the novelties of the General Data Protection Regulation. They present new elements and challenges to data protection practice. At their core, DPIAs seem to consist of risk management methodologies (imported from organisational and business spheres), aiming to assess and manage “risks to the rights and freedoms of data subjects” resulting from data processing operations.
The idea of assessing risks to rights is however not as straightforward as it might seem. Beyond the fact that risks and rights are very different practices (one probabilistic and anticipatory, the other drawing on legal knowledge and operating ex post), this contribution wants to focus on challenges concerning DPIA methodology. Risk management methodologies have faced serious criticism in other assessment fields like environmental and health law. Of particular importance, their pretence at objectivity has been at the centre of discussions, due to their tendency to reduce “the full range of uncertainties to the more comforting illusion of controllable, probabilistic but deterministic processes”. This however already presupposes a number of epistemic and theoretical commitments, which often mask subjective choices. In other words, whereas these methodologies present themselves as objective, the notion of risk has an inherent subjective dimension.
These findings have serious implications for the type and quality of data protection to be expected from DPIAs. Depending on the methodological choices, DPIAs could amount to little more than a managerialisation of data protection, telling us very little about what “risks to the rights and freedoms of data subjects” are, and could ultimately even undermine the data protection legal framework. Alternatively, a robust management methodology might have the potential to improve the protection of personal data, not least because of its anticipatory nature.
In this paper we argue that one way to ensure that DPIAs amount to more than “the new risk-based box-ticking” is to integrate lessons from legal practices with experience in articulating relations between risks and fundamental rights. This requires an analysis of case law concerning privacy and data protection on the one hand, and impact assessments on the other hand. We will extract two kinds of lessons. The procedural lessons will relate to how to organize the process of assessment, the status of risk as contestable evidence, the participation of those affected by the technology, and the proportional balancing of risk and right based knowledge. The substantive legal lessons will relate to the concepts of risk, harm and probability at the core of DPIAs. We will explore whether the incorporation of such foundational legal lessons can have the potential of transforming the DPIA into a tool that can anticipate data protection issues in a legal fashion, which we call a court of upstream adjudication.
The Potential for Impact Assessments in Projects Related to eHealth and mHealth /Paul Quinn/
The use of impact assessments has gradually become more common in areas of technological innovation or novel practices where questions of privacy arise. This trend will likely take further root given the requirement set forth by article 35 of the General Regulation on Data Protection (GDPR). This article requires that data controllers conduct an impact assessment in a number of instances, including where the rights and freedoms of data subjects are at risk. As this presentation will discuss, the nature of such an impact assessment and the situations in which it is required make it ideal for use in projects related to eHealth and mHealth. Such projects frequently make use of large amounts of sensitive data and raise risks in terms of a number of important rights, including but not limited to rights linked to data protection. The broad nature of the impact assessment invoked in article 35 GDPR is suitable not only for considering questions linked to data protection and privacy but also for issues related to stigmatisation, discrimination and other ethical issues that are often linked to health care projects. This presentation will discuss the potential use of impact assessments in such instances and the benefits they can bring.