Personal data protection in the European Union: questions arising from the data protection impact assessment theory and practice
Nikolaos IOANNIDIS & Sergi VAZQUEZ MAYMIR
VRIJE UNIVERSITEIT BRUSSEL (VUB)
The European Union (EU)’s General Data Protection Regulation (GDPR) has brought to the fore a plethora of novel solutions aiming at, inter alia, better safeguarding interests of individuals whenever their personal data are being handled. Amongst these novelties is an obligation, imposed on data controllers, to carry out – before these data are handled – a process of data protection impact assessment (DPIA). This process is required to be conducted for data handlings capable of presenting “high risk” to the “rights and freedoms of natural persons” to “ensure the protection of personal data and to demonstrate compliance” with the law (Article 35 GDPR).
The HR-Recycler consortium functions under the TARES framework (Truthfulness, Authenticity, Respect, Equity and Social Responsibility), which comprises, among others, the requirement to conduct a data protection impact assessment pursuant to Article 35 of the GDPR. An impact assessment, in general, implies a proactive approach contributing to informed decision-making by considering potential consequences of the project, direct and indirect, to the rights and freedoms of natural persons before its occurrence.
However, the obligation of DPIA as such has seldom been an object of any judicial or extra-judicial proceedings. Due to the minimalistic contents of its main provisions and occasional vagueness of its terminology, the exact process of DPIA is still uncharted. Academics, practitioners, and policy makers still struggle to identify the modalities of the process of DPIA, in its theory and practice. Uncertainties in this legal requirement have already incited a considerable number of questions.
The legal and ethical partner Vrije Universiteit Brussel (VUB), and specifically d.pia.lab held a workshop some months ago. Several experts were invited, and its subject was to clarify the relationship between the DPIA requirement and (extra-)judicial proceedings. Its aim was to map and subsequently analyse possible legal questions concerning DPIA that might emerge in a set-up of legal proceedings, including preliminary questions to the Court of Justice of the EU (CJEU). A report from this workshop has recently been published, enumerating several questions that could arise out of such obligation.
Indicative list of questions
The questions were posed in a comprehensive and long structure, as if they would be addressed to a higher court of law, which would then propose a uniform interpretation of the rules. This would relate mostly to the scope of Articles 35 and 36 of the GDPR. In their majority, the topics of the questions formulated by the participants had to do with:
- the method of impact assessment
- the criteria which make it obligatory to perform or not
- the concept of the risk to a right
- the level of transparency of the DPIA
- the involvement of technical partners
- the balancing act, between benefits obtained and negative impacts
- the representativeness of the data subjects and its modalities
- the probability of infringement, compared to actual infringement
- the semantics of the proportionality test
- the clustering of data processing operations
- the level of objectivity required
- the concepts of data protection by design and default
- the value of the DPIA as evidence in the court
- the extent to which a court can scrutinize the content of the DPIA
- the role of risk assessment techniques
- the role of data protection authorities
- the role of public authorities in conducting a DPIA
- the role of the European Data Protection Board (EDPB)
- the development of standards and techniques (e.g., tailored-down templates)
- the liability arising from publishing the DPIA
- the resources allocated for the DPIA process by data controllers
Before the conclusion of the workshop, some of the questions were already discussed and a common approach was adopted by looking at the experience of impact assessment in other areas and jurisdictions. Other questions, exclusive to the DPIA, was decided that still need further clarification (e.g., assessing “high risk” to the “rights and freedoms of natural persons”).