The importance of the concept of risk and of risk management in the data protection field has grown sharply with the adoption of the General Data Protection Regulation (2016/679). This article explores the concept and the role of risk, and the associated risk regulation mechanisms, in EU data protection law. It shows that the adoption of the General Data Protection Regulation evidences a two-fold shift: first, on a practical level, a shift towards risk-based data protection enforcement and compliance; and second, on the broader regulatory level, a shift towards risk regulation. The article analyses these shifts to enhance the understanding of the changing relationship between risk and EU data protection law. It also discusses the challenges that arise when trying to manage the multiple and heterogeneous risks to the rights and freedoms of individuals that result from the processing of personal data.
PhD Candidate, Tilburg Institute for Law, Technology and Society (TILT), Tilburg University. The author would like to thank Claudia Quelle, Damian Clifford and the anonymous reviewer for their helpful and constructive comments, which contributed to improving the final version of the paper. Any errors or omissions remain the responsibility of the author.
1 Spina, Alessandro, “A Regulatory Mariage de Figaro: Risk Regulation, Data Protection, and Data Ethics” (2017) 8(1) European Journal of Risk Regulation 88.
2 ibid 92.
4 Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-11063. See also Recital 4 of the General Data Protection Regulation, which states: “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity”; Article 29 Working Party: “The protection of personal data is a fundamental right. Personal data (which includes metadata) may not be treated solely as an object of trade, an economic asset or a common good” and “Data protection rights must be balanced with other fundamental rights, including non-discrimination and freedom of expression, which are of equal value in a democratic society”: Joint Statement of the European Data Protection Authorities assembled in the Article 29 Working Party, WP 227 (2014), 26 November 2014, 2.
5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
6 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995) OJ L281/31.
7 In addition to these two main goals, the General Data Protection Regulation introduces several further goals, such as the accomplishment of an area of freedom, security and justice and of an economic union, economic and social progress, the strengthening and convergence of the economies within the internal market, and the well-being of natural persons (Recital 2).
8 Spina, supra, note 1. The term “riskification” in the title of this article has been borrowed from Spina, who was the first to use it in the data protection context. The term originated in security studies and, although used there in a different policy domain, can provide interesting insights for data protection, especially when thinking about information security risks. See Corry, Olaf, “Securitisation and ‘Riskification’: Second-order Security and the Politics of Climate Change” (2012) 40(2) Millennium 235; see also Clapton, William, “Risk in International Relations” (2011) 25(3) International Relations 280.
9 Spina, supra, note 1, 89.
10 Spina, supra, note 1.
11 Part of the forward-looking research agenda delineated in the Cambridge Inaugural Issue, “The Past, Present And Future of Risk Regulation” (2017) 8(1) European Journal of Risk Regulation, is dedicated to risk regulation, data protection and ethics: see Spina, supra, note 1.
12 Gellert, Raphaël, “Data protection: a risk regulation? Between the risk management of everything and the precautionary alternative” (2015) 5(1) International Data Privacy Law 3; Gellert, Raphaël, “We Have Always Managed Risks in Data Protection Law: Understanding the Similarities and Differences Between the Rights-Based and the Risk-Based Approaches to Data Protection” (2016) 2(4) European Data Protection Law Review 481; van Dijk, Niels, Gellert, Raphaël and Rommetveit, Kjetil, “A risk to a right? Beyond data protection risk assessments” (2016) 32(2) Computer Law & Security Review 286.
13 Kuner, Christopher, et al, “Risk management in data protection” (2015) 5(2) International Data Privacy Law 95.
14 One of the few existing comprehensive efforts to address the risk-based approach in the GDPR is Quelle, Claudia, “The ‘risk revolution’ in EU data protection law: we can’t have our cake and eat it, too” in R Leenes et al (eds), Data Protection and Privacy: The Age of Intelligent Machines (Hart Publishing, forthcoming), available at <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3000382> accessed 25 August 2017. To a certain degree the notion of risk in the GDPR has also recently been analysed by Böröcz, István, “Risk to the Right to the Protection of Personal Data: An Analysis Through the Lenses of Hermagoras” (2016) 2(4) European Data Protection Law Review 467 (he distinguishes several basic attributes of risk to the right to personal data protection, such as the meaning of risk, the subjects exposed to or conceptualising risk, and the time and means to address risks).
15 See Fisher, E, Risk Regulation and Administrative Constitutionalism (Hart Publishing, 2007).
16 Beck, U, Risk Society: Towards a New Modernity (Sage, 1992); Jasanoff, S, “The songlines of risk” (1999) 8 Environmental Values 135, 152; Hood, C, Rothstein, H and Baldwin, R, The Government of Risk: Understanding Risk Regulation Regimes (Oxford University Press, 2001); Garland, D, “The rise of risk” in R Ericson and A Doyle (eds), Risk and Morality (University of Toronto Press, 2003); Smith, M, “Mad cows and mad-money: problems of risk in the making and understanding of policy” (2004) 6(3) The British Journal of Politics and International Relations 312; Power, Michael, The Risk Management of Everything – Rethinking the Politics of Uncertainty (Demos, 2004).
17 Bridget M Hutter, “The Attractions of Risk-based Regulation: accounting for the emergence of risk ideas in regulation” (2005) Centre for Analysis of Risk and Regulation, Discussion paper No 33, available at <www.lse.ac.uk/accounting/CARR/pdf/DPs/Disspaper33.pdf> accessed 25 August 2017, 1.
18 ibid 1–3.
20 Rothstein, H et al, “A theory of risk colonization: the spiralling regulatory logics of societal and institutional risk” (2006) 35(1) Economy and Society 91.
21 Black, Julia, “The role of risk in regulatory processes” in Robert Baldwin, Martin Cave and Martin Lodge (eds), The Oxford Handbook of Regulation (Oxford University Press, 2010) 302, 303.
22 Rothstein et al, supra, note 20.
23 Black, supra, note 21, 303.
24 Beck, supra, note 16.
25 Power, supra, note 16.
26 Majone, G, “The Rise of the Regulatory State in Europe” (1994) 17 West European Politics 77; Loughlin, M and Scott, C, “The Regulatory State” in P Dunleavy et al (eds), Developments in British Politics (Macmillan, 1997) 5.
27 Black, supra, note 21, 303.
28 Rothstein et al, supra, note 20, 97.
29 Black, supra, note 21, 303.
30 Black, J, “The emergence of risk-based regulation and the new public management in the United Kingdom” (2005) Public Law 512, 514.
31 Claudio Ciborra, “Digital technologies and the duality of risk”, CARR Discussion paper No 27 (CARR, LSE: London), available at <http://eprints.lse.ac.uk/36069/1/Disspaper27.pdf> accessed 25 August 2017; Power, supra, note 16 (Power argues that institutional risks are secondary risks in relation to societal risks).
32 Rothstein et al, supra, note 20, 105.
33 Regulation (EC) No 882/2004 of the European Parliament and of the Council of 29 April 2004 on official controls performed to ensure the verification of compliance with feed and food law, animal health and animal welfare rules (2004) OJ L 165, with later amendments by Regulation (EC) No 1029/2008 (2008) OJ L 278 and Regulation (EC) No 596/2009 (2009) OJ L 188.
34 Alemanno, Alberto, “Regulating the European Risk Society” in Alberto Alemanno et al (eds), Better Business Regulation in a Risk Society (Springer, 2013) 37.
35 Alemanno, supra, note 34.
36 Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (2002) OJ L 31.
37 Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) and establishing a European Chemicals Agency (2006) OJ L 396/1, as amended.
38 Regulation (EC) No 1107/2009 of the European Parliament and of the Council of 21 October 2009 concerning the placing of plant protection products on the market and repealing Council Directives 79/117/EEC and 91/414/EEC (2009) OJ L 309/1.
39 Regulation (EC) No 1223/2009 of the European Parliament and of the Council of 30 November 2009 on cosmetic products (2009) OJ L 342/59.
40 Nordlander, Kristina, Simon, Carl-Michael and Pearson, Hazel, “Hazard v. Risk in EU Chemicals Regulation” (2010) 1(3) European Journal of Risk Regulation 239, 240.
41 Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community code relating to medicinal products for human use (2001) OJ L 311/67.
42 Some confusion exists between the terms “risk regulation”, “risk-based regulation” and “risk-based approach to regulation”, because different authors assign these terms overlapping meanings. Black, for example, gives risk-based regulation two distinct meanings: (1) the regulation of societal risks to health, safety, the environment and financial wellbeing; in this sense, risk-based regulation determines whether public institutions should regulate a specific activity and which preventive measures they should employ; (2) the management of the risk that a public institution will not meet its objectives (regulatory or institutional risk); in this sense it denotes the procedures and decisions by which a regulator prioritises its activities and resources on the basis of an assessment of the risks that regulated entities pose: Black, supra, note 30, 514.
43 Baldwin, Robert, Cave, Martin and Lodge, Martin, Understanding Regulation: Theory, Strategy and Practice, 2nd edn (Oxford University Press, 2012) 281–282.
44 Sunstein, Cass R, Risk and Reason: Safety, Law and the Environment (Cambridge University Press, 2002); Baldwin, Robert and Black, Julia, “Really Responsive Risk-Based Regulation” (2010) 32(2) Law and Policy 181; Black, Julia and Baldwin, Robert, “When risk-based regulation aims low: Approaches and challenges” (2011) 6(1) Regulation and Governance 2; Graham, John D, “Why Governments Need Guidelines for Risk Assessment and Management” in Risk and Regulatory Policy: Improving the Governance of Risk (OECD, 2010) 237.
45 Black and Baldwin, supra, note 44, 184.
46 ibid 184.
47 Porter, Theodore M, Trust in Numbers: The Pursuit of Objectivity in Science and Public Life (Princeton University Press, 1995).
48 Black, supra, note 21, 323. See also Hood, C, “The Risk Game and the Blame Game” (2002) 37 Government and Opposition 15.
49 Black, supra, note 21, 323.
51 See Philip Hampton, “Reducing Administrative Burdens: Effective Inspection and Enforcement” (Report) (March 2005), available at <http://webarchive.nationalarchives.gov.uk/+/http:/www.bis.gov.uk/policies/better-regulation/improving-regulatory-delivery/assessing-our-regulatory-system> accessed 25 August 2017.
52 UK Department for Business, Innovation and Skills, Better Regulation Delivery Office, “Regulators’ Code” (April 2014) (in particular Principle 3, “Regulators should base their regulatory activities on risk”), available at <www.gov.uk/government/uploads/system/uploads/attachment_data/file/300126/14-705-regulators-code.pdf> accessed 25 August 2017.
53 Rothstein, Henry, Borraz, Olivier and Huber, Michael, “Risk and the limits of governance: Exploring varied patterns of risk-based governance across Europe” (2013) 7 Regulation & Governance 215.
55 Quelle, supra, note 14.
56 Claudia Quelle, “The data protection impact assessment: what can it contribute to data protection?” (LLM thesis, Tilburg University 2015) 112, 127, available at <http://arno.uvt.nl/show.cgi?fid=139503> accessed 25 August 2017.
57 Gonçalves, ME, “The EU data protection reform and the challenges of big data: remaining uncertainties and ways forward” (2017) 26(2) Information & Communications Technology Law 90, 114.
58 Quelle, supra, note 14.
59 N Robinson et al, “Review of the European Data Protection Directive” (The RAND Corporation technical report series 2009), 48–49, 51, available at <www.rand.org/content/dam/rand/pubs/technical_reports/2009/RAND_TR710.pdf> accessed 25 August 2017.
60 ibid 27. Support for the risk-based approach was also expressed in the responses to the public consultations. See eg the Information Commissioner (United Kingdom), “Response to ‘A comprehensive approach on personal data protection in the European Union: A Communication from the European Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions’” (2010), available at <http://ec.europa.eu/justice/news/consulting_public/0006/contributions/public_authorities/ico_infocommoffice_en.pdf> accessed 25 August 2017 (the UK, already a leader in risk-based regulation, expressed its support for the GDPR as a risk-based framework, suggesting that the obligations of data controllers be focused on processing that poses a genuine risk to individuals or society; that the distinction between sensitive and ordinary data be based on the risk that particular processing poses to individuals in particular circumstances; and that enforcement prioritise the areas of particular privacy risk).
61 Article 29 Data Protection Working Party, “Statement on the Role of a Risk-based Approach in Data Protection Legal Frameworks”, WP 218, 30 May 2014, 4.
62 Quelle, supra, note 14.
63 Kuner, Christopher, “The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law” (2012) 11(6) Privacy & Security Law Report 1.
64 Viviane Reding, “Towards a true Single Market of data protection” (Speech at the Meeting of the Article 29 Working Party “Review of the Data protection legal framework”, SPEECH/10/386, 14 July 2010), available at <http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/10/386> accessed 25 August 2017.
65 Digitaleurope, “Comments on the risk-based approach”, 28 August 2013, available at <http://teknologiateollisuus.fi/sites/default/files/file_attachments/elinkeinopolitiikka_digitalisaatio_tietosuoja_digitaleurope_risk_based_approach.pdf> accessed 25 August 2017.
66 Rubinstein, Ira, “Big Data: The End of Privacy or a New Beginning?” (2013) 3 International Data Privacy Law 74; Mireille Hildebrandt, “Slaves to Big Data. Or Are we?”, October 2013, at 7, available at <http://works.bepress.com/mireille_hildebrandt/52> accessed 25 August 2017; Tene, Omer and Polonetsky, Jules, “Big Data for All: Privacy and User Control in the Age of Analytics” (2013) 11 Northwestern Journal of Technology and Intellectual Property 239, at 242, 252 and 259, available at <http://ssrn.com/abstract=2149364>.
67 Kuner, Christopher et al, “The challenge of ‘big data’ for data protection” (2012) 2(2) International Data Privacy Law 47.
68 European Commission, “Summary of Replies to the Public Consultation about the Future Legal Framework for Protecting Personal Data” (2010), available at <http://ec.europa.eu/justice/news/consulting_public/0003/summary_replies_en.pdf> accessed 25 August 2017; Summary of the Replies to the Public Consultation on the Commission’s Communication on a Comprehensive Approach on Personal Data Protection in the European Union (Annex 4) (2012), available at <http://ec.europa.eu/justice/data-protection/document/review2012/sec_2012_72_annexes_en.pdf> accessed 25 August 2017.
69 Cf “Adapting Legislation to Minimise Regulatory Burdens for SMEs: Best Practice Examples”, Group of High Level National Regulatory Experts – SME Working Group (2013), available at <http://ec.europa.eu/smart-regulation/impact/best_practices_examples/docs/eu/lighter_regimes_for_smes_oct_2013.pdf> accessed 25 August 2017.
70 European Commission, “Proposal for a Directive of the European Parliament and of the Council on improving the gender balance among non-executive directors of companies listed on stock exchanges and related measures” COM(2012) 614 final, 14 November 2012.
71 Directive 2009/128/EC of the European Parliament and of the Council of 21 October 2009 establishing a framework for Community action to achieve the sustainable use of pesticides (2009) OJ L 309/71.
72 de Terwangne, C, “Is a Global Data Protection Regulatory Model Possible?” in Serge Gutwirth et al (eds), Reinventing Data Protection? (Springer, 2009) 180.
73 Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions “A comprehensive approach on personal data protection in the European Union”, 14 January 2011 (“The higher the risks, the higher the need to implement concrete measures that protect information at a practical level and deliver effective protection”, 21). The EDPS argues that data protection obligations should be scalable, with the exception of the requirements of privacy by design, data protection officers and privacy impact assessments, which should remain mandatory (22–23).
74 WP 218, supra, note 61.
75 The Information Commissioner (United Kingdom), “Response to ‘A comprehensive approach on personal data protection in the European Union: A Communication from the European Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions’”, supra, note 60.
76 DigitalEurope, supra, note 65, 3. See also similar academic interpretations: Gellert (2016), supra, note 12; L Moerel and C Prins, “Privacy for the Homo Digitalis: Proposal for a New Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things” (25 May 2016), available at <https://ssrn.com/abstract=2784123> accessed 25 August 2017 (Moerel and Prins suggest that the focus should be more on data use, but do not exclude data collection from legal safeguards).
77 DigitalEurope, supra, note 65.
78 Asia-Pacific Economic Cooperation (APEC), Privacy Framework, 2005, available at <https://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx> accessed 25 August 2017.
79 WP 218, supra, note 61, 2.
80 Risk, in the sense of a breach of the privacy of data subjects, is also referred to in three Recitals of the Data Protection Directive: Recital 46 in the context of security measures, and Recitals 53–54 in the context of notification and prior checking procedures.
81 Kuner et al, supra, note 13.
82 For a comprehensive overview of national risk management and assessment methodologies see ENISA, Inventory of risk assessment and risk management methods, 30 March 2006, available at <www.enisa.europa.eu/publications/inventory-of-risk-assessment-and-risk-management-methods> accessed 25 August 2017. For a global overview of standards development see Yost, Jeffrey R, “History of Computer Security Standards” in Karl de Leeuw (ed), History of Information Security (Elsevier Science, 2007) 595.
83 Afhankelijkheids- en Kwetsbaarheidsanalyse (A&K analysis, dependency and vulnerability analysis), RCC and the Dutch Ministry of Internal Affairs. Handbook: “Handleiding Afhankelijkheids- en Kwetsbaarheidsanalyse: stappenplan voor de uitvoering van een A&K-analyse” (in Dutch; a step-by-step guide to carrying out an A&K analysis), version 1.01 (Ministry of Internal Affairs, The Hague, 1996).
84 CRAMM, the CCTA Risk Analysis and Management Method, Central Computer and Telecommunications Agency (United Kingdom).
85 Methodology of Analysis of Computer Risks directed by Levels, Club de la sécurité de l’information français (CLUSIF), 1990.
86 IT Baseline Protection Manual (IT-Grundschutzhandbuch) (Federal Office for Information Security (BSI), Germany, 1994).
87 See also OECD Guidelines for the security of Information Systems and Networks of 25 July 2002.
88 ISO/IEC 27005:2011 Information technology – Security techniques – Information security risk management.
89 The early sources focus on computer rather than information security, eg Parker, Donn B, Fighting Computer Crime: A New Framework for Protecting Information (John Wiley & Sons, 1998); Russell, Deborah and Gangemi, GT, Sr, Computer Security Basics (Thunder Mountain Press, 1994).
90 Hanseth, Ole, “Introduction: integration-complexity-risk-the making of information systems out of control” in O Hanseth and Claudio Ciborra (eds), Risk, Complexity and ICT (Edward Elgar, 2007).
91 Calder, Alan and Watkins, Steve, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 6th edn (Kogan Page, 2015).
92 Council Resolution of 18 February 2003 on a European approach towards a culture of network and information security, OJ C 48, 28.2.2003, 1–2.
93 Vacca, John, Computer and Information Security Handbook, 2nd edn (Morgan Kaufmann, 2013) 906.
94 Some sources distinguish further properties of information to be preserved beyond confidentiality, integrity and availability. Regulation 526/2013, for example, which speaks of data security rather than information security, adds “authentication” and defines the characteristics as follows: “‘availability’ means that data is accessible and services are operational; ‘authentication’ means the confirmation of an asserted identity of entities or users; ‘data integrity’ means the confirmation that data which has been sent, received, or stored are complete and unchanged; ‘data confidentiality’ means the protection of communications or stored data against interception and reading by unauthorised persons”. See Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004, OJ L 165/41, 18.6.2013. The ISO standards mention other possible characteristics of information to be protected: authenticity (“property that an entity is what it claims to be”), accountability, non-repudiation (“ability to prove the occurrence of a claimed event (…) or action and its originating entities”) and reliability (“property of consistent intended behaviour and results”).
95 ISO/IEC FDIS 27005:2008, “Information technology – Security techniques – Information security risk management”, which defines information security risk as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence”.
96 Vacca, supra, note 93, 907.
97 For an overview of formal information security-related definitions used in the ISO27k standards see ISO/IEC 27000:2016 (E) Information technology – Security techniques – Information security management systems – Overview and vocabulary (fourth edition), available at <http://standards.iso.org/ittf/PubliclyAvailableStandards/c066435_ISO_IEC_27000_2016(E).zip> accessed 25 August 2017.
98 ENISA, “Threat Taxonomy, A tool for structuring threat information”, January 2016, available at <www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information> accessed 25 August 2017.
99 For the latest yearly report, see ENISA Threat Landscape 2015, available at <www.enisa.europa.eu/publications/etl2015> accessed 25 August 2017.
101 Vacca, supra, note 93, 907.
103 NIST Privacy Engineering Objectives and Risk Model Discussion Draft, p 3, fn 9.
104 NIST Privacy Engineering Objectives and Risk Model - Discussion Deck Objective-Based Design for Improving Privacy in Information Systems, 2014, available at <http://csrc.nist.gov/projects/privacy_engineering/nist_privacy_engr_objectives_risk_model_discussion_deck.pdf> p 13 accessed 25 August 2017.
105 ISO/IEC 29100 Privacy framework, 15 December 2011.
106 Sourya Joyee De and Daniel Le Métayer, “PRIAM: A Privacy Risk Analysis Methodology”, Research Report RR-8876 (Inria – Research Centre Grenoble, 2016) available at <https://hal.inria.fr/hal-01302541/document> accessed 25 August 2017.
107 CNIL, “Privacy Impact Assessment (PIA), Methodology (how to carry out a PIA)”, June 2015, available at <www.cnil.fr/sites/default/files/typo/document/CNIL-PIA-1-Methodology.pdf> accessed 25 August 2017.
108 NIST, An Introduction to Privacy Engineering and Risk Management in Federal Systems, NISTIR 8062 (January 2017) 17, available at <http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf> accessed 25 August 2017.
109 Ulrich Dammann and Spiros Simitis, EG-Datenschutzrichtlinie: Kommentar (Nomos, 1997) Art 17.7.
110 Art 18 does not use the word “risk” as such, but refers to the likelihood of an adverse effect on the rights and freedoms of data subjects.
111 Douwe Korff, EC Study on Implementation of Data Protection Directive (Study Contract Etd/2001/B5-3001/A/49) Comparative summary of national laws (2002), available at <http://18.104.22.168/documents/10160/10704/Stato+di+attuazione+della+Direttiva+95-46-CE> accessed 25 August 2017.
112 European Commission, First report on the implementation of the Data Protection Directive (95/46/EC), 15 March 2003, COM/2003/265 final (First Implementation Report). Communication on the follow-up of the Work programme for a better implementation of the Data Protection Directive, 7 March 2007, COM (2007)87 final (Second Implementation Report). Annex 2 to the Impact Assessment, Accompanying the General Data Protection Regulation and Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, Brussels, 25 January 2012 SEC(2012) 72 final (Third Implementation Report).
113 Korff, supra, note 111. For a detailed overview of the operations subject to prior checking in different EU Member States see Gwendal Le Grand and Emilie Barrau, “Prior Checking, a Forerunner to Privacy Impact Assessments” in David Wright and Paul De Hert (eds), Privacy Impact Assessment (Springer, 2012) 97.
114 Amended proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Amended Proposal”), COM (92) 422 final – SYN 287, 15 October 1992. It can be accessed at the Archive of European Integration of the University of Pittsburgh, at <http://aei.pitt.edu/10375> accessed 25 August 2017.
115 De Hert, Paul and Papakonstantinou, Vagelis, “The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals” (2012) 28(2) Computer Law & Security Review 130.
116 Poullet, Yves, “Data Protection between Property and Liberties – A Civil Law Approach” in Guy PV Vandenberghe, HWK Kaspersen and Ania Oskamp (eds), Amongst Friends in Computers and Law: A Collection of Essays in Remembrance of Guy Vandenberghe (Kluwer Law & Taxation Publishers, 1990) 161, 163.
117 The notion of “sensitive data” is replaced in the Regulation by “special categories of personal data”, meaning personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
118 Poullet, supra, note 116, 163.
119 Quelle, supra, note 14.
120 Spina, supra, note 1, 89–90.
121 Peter Hustinx, “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation” (2014) 20, 38, available at <https://edps.europa.eu/sites/edp/files/publication/14-09-15_article_eui_en.pdf> accessed 25 August 2017.
123 Article 29 Data Protection Working Party, “Annex to the Letters from the Art. 29 WP to LV Ambassador Ilze Juhansone, MEP Jan Philip Albrecht, and Commissioner Věra Jourová in view of the trilogue” (17 June 2015) 15.
124 Quelle, supra, note 14.
125 WP 218, supra, note 61.
126 Baldwin, Cave and Lodge, supra, note 43, 282.
128 Black, Julia, “Risk Based Regulation: Choices, Practices and Lessons Being Learned” in Risk and Regulatory Policy: Improving the Governance of Risk (OECD, 2010).
129 Information Commissioner’s Office, “Conducting Privacy Impact Assessments” (2014) Code of Practice, available at <https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf> accessed 25 August 2017; Agencia Española de Protección de Datos, “Guía para una Evaluación del Impacto en la Protección de Datos Personales” (Guide to a Data Protection Impact Assessment) (2014), available at <www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Guias/Guia_EIPD.pdf> accessed 25 August 2017; Commission Nationale de l’Informatique et des Libertés (CNIL), “Privacy Impact Assessment (PIA) Methodology (how to carry out a PIA)” (2015), available at <www.cnil.fr/sites/default/files/typo/document/CNIL-PIA-1-Methodology.pdf> accessed 25 August 2017.
130 Article 29 Data Protection Working Party, “Statement on the Role of a Risk-based Approach in Data Protection Legal Frameworks” 4.
131 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248, 4 April 2017.
132 Baldwin, Cave and Lodge, supra, note 43, 282.
133 Dutch Data Protection Authority, “Beleidsregels handhaving door het CBP” (DPA policy rules for enforcement) (2011), available at <https://cbpweb.nl/sites/default/files/atoms/files/beleidsregels_handhaving_cbp_0.pdf> accessed 14 February 2015.
134 The new approach of the Information Commissioner’s Office (UK) to its supervisory powers (taken as from 1 April 2014) is described in the public consultation paper “Our new Approach to Data Protection Concerns” (2013), available at <https://ico.org.uk/media/about-the-ico/consultations/2019/a-new-approach-consultation.pdf> accessed 25 August 2017.
135 Black, supra, note 21, 311.
136 Permanand, Govin and Vos, Ellen, “EU regulatory agencies and health protection” in Elias Mossialos et al (eds), Health Systems Governance in Europe (Cambridge University Press, 2010) 134.
137 Black, supra, note 21, 311.
139 Levi-Faur, David, “Regulatory networks and regulatory agencification: towards a Single European Regulatory Space” (2011) 18(6) Journal of European Public Policy 810, 813.
141 Article 29 Data Protection Working Party, “Rules of Procedure of the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data”, 15 February 2010, available at <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/rules-art-29_en.pdf> accessed 25 August 2017.
142 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248, 4 April 2017.
143 European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, “Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century”, COM(2012) 09 final.
144 Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12 January 2001.
145 The Article 29 Working Party has already started providing guidelines on high-risk data processing operations; see Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248, 4 April 2017.
146 de Hert, Paul and Papakonstantinou, Vagelis, “The new General Data Protection Regulation: Still a sound system for the protection of individuals?” (2016) 32(2) Computer Law & Security Review 179, 193.
147 Black, supra, note 21, 309.
148 Wright, David and Mordini, Emilio, “Privacy and Ethical Impact Assessment” in David Wright and Paul de Hert (eds), Privacy Impact Assessment (Springer, 2012) 397, 402.
149 Wright, David, et al, “A Privacy Impact Assessment Framework for data protection and privacy rights”, PIAF project Deliverable D1 (2011), A Report of the PIAF Consortium Prepared for the European Commission, <www.piafproject.eu> accessed 10 February 2015.
150 Information Commissioner’s Office, supra, note 129.
151 ibid 18.
152 Wright and Mordini, supra, note 148, 402.
153 Wright, David, “The state of the art in privacy impact assessment” (2012) 28(1) Computer Law & Security Review 54–61.
154 Wright, David, et al, “Precaution and privacy impact assessment as modes towards risk governance” in René von Schomberg (ed), Towards Responsible Research and Innovation in the Information and Communication Technologies and Security Technologies Fields, A Report from the European Commission Services, 95, available at <http://philpapers.org/archive/VONTRR.pdf> accessed 25 August 2017 (they claim “companies are not obliged to be as ‘democratic’ and participatory as governments in developed countries have to be. And the involvement of stakeholders in the development is notoriously difficult and costly even if the products, services or policies have the potential for intrusion on privacy or are ethically dubious. Furthermore, competition in the private sector, especially in the development and promotion of new products and services, often involves secrecy in the early stages”).
155 Centre for Information Policy Leadership, “A Risk-based Approach to Privacy: Improving Effectiveness in Practice” (2014), available at <www.hunton.com/files/upload/Post-Paris_Risk_Paper_June_2014.pdf> accessed 20 June 2017.
156 ibid 7.
157 Baldwin, Cave and Lodge, supra, note 43, 281.
158 ibid 281–282.
159 Although the goal of the EU Data Protection Directive is not framed in terms of addressing risks to privacy, the goal of other data protection laws and statutes, eg the first data protection legislation of the German Land of Hesse or the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, may be considered to address the risks to privacy stemming from the development of new technologies. See Mayer-Schönberger, Viktor, “Generational Development of Data Protection in Europe” in Philip E Agre and Marc Rotenberg (eds), Technology and Privacy: The New Landscape (The MIT Press, 1997) 219 (he states that the first data protection laws were enacted in response to the emergence of electronic data processing within government and large corporations and the plans to centralise all personal data files in gigantic national data banks); Gellert (2015), supra, note 12 (he claims that the explicit object of many data protection statutes is to address the “risks to privacy” stemming from the development of ICTs).
160 Anton, Donald K and Shelton, Dinah L, Environmental Protection and Human Rights (Cambridge University Press, 2011) 38.
161 Lynskey, Orla, The Foundations of EU Data Protection Law (Oxford University Press, 2015).
162 ibid 195.
163 de Hert, Paul and Gutwirth, Serge, “Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action” in Gutwirth, et al (eds), supra, note 72, 3; Lynskey, supra, note 161; Bernal, Paul, Internet Privacy Rights: Rights to Protect Autonomy (Cambridge University Press, 2014).
164 Bing, J, “A Comparative Outline of Privacy Legislation” (1978) Comparative Law Yearbook vol 2, 170.
165 Vedder, Anton, “Privacy 3.0” in S Van der Hof and M Groothuis (eds), Innovating Government: Normative, Policy and Technological Dimensions of Modern Government (Springer/TMC Asser Press, 2011).
166 Privacy can be conceptualised in different ways, most importantly as a right “to be let alone”, limited access to the self, secrecy, control over one’s personal data, personhood (the ability to develop personal relations and make choices without undue interference), and intimacy: see Solove, Daniel J, “Conceptualizing Privacy” (2002) 90 California Law Review 1087.
167 Irion, Kristina and Luchetta, Giacomo, “Online personal data processing and the EU data protection reform”, Regulatory Policy, CEPS Task Force Reports (2013) 23.
168 Koops, Bert-Jaap, “The trouble with European data protection law” (2014) 4(4) International Data Privacy Law 250. See also Kuner, Christopher, et al, “The language of data privacy law (and how it differs from reality)” (2016) 6(4) International Data Privacy Law 259.
169 Koops, supra, note 168, 258.
170 Kuner, Christopher, et al, “The data protection credibility crisis” (2015) 5(3) International Data Privacy Law 161.
171 Koops, supra, note 168.
172 Hempel, L and Lammerant, H, “Impact Assessments as Negotiated Knowledge” in S Gutwirth, R Leenes and P De Hert (eds), Reforming European Data Protection Law (Springer, 2015) 130.
174 Koops, supra, note 168, 255 (“I fear that, as long as data protection is not in the hearts and minds of data controllers – and the law so far has done a poor job in reaching those hearts and minds […] – mandatory data protection impact assessments will function as paper checklists that controllers duly fill in, tick off, and file away to duly show to auditors or supervisory authorities if they ever ask for it. Procedure followed, problem solved.”)
175 Koops, supra, note 168, 254–55.
176 van Dijk, Gellert, and Rommetveit, supra, note 12, 300.
177 Gonçalves, supra, note 57, 114.
178 For a detailed review of risk definitions see Renn, Ortwin, “Concepts of Risk: A Classification” in S Krimsky and D Golding (eds), Social Theories of Risk (Praeger, 1992) 53.
179 Aven, Terje and Renn, Ortwin, Risk Management and Governance: Concepts, Guidelines and Applications (Springer, 2010).
180 Lupton, Deborah (ed), Risk and Sociocultural Theory: New Directions and Perspectives (Cambridge University Press, 2000).
181 Renn, supra, note 178, 59.
182 Lupton, supra, note 180.
183 Taylor-Gooby, P and Zinn, JO (eds), Risk in Social Science (Oxford University Press, 2006); Krimsky and Golding, supra, note 178; also on a cultural approach see Douglas, M and Wildavsky, AB, Risk and Culture: An Essay on the Selection of Technical and Environmental Dangers (University of California Press, 1982); Thompson, M and Wildavsky, A, “A Proposal to Create a Cultural Theory of Risk” in HC Kunreuther and EV Ley (eds), The Risk Analysis Controversy: An Institutional Perspective (Springer, 1982) 145. On systems theory see Luhmann, N, Risk: A Sociological Theory (A de Gruyter, 1993). On risk society see Beck, supra, note 16; Beck, U, Giddens, A and Lash, S (eds), Reflexive Modernisation: Politics, Tradition and Aesthetics in the Modern Social Order (Polity Press, 1994). On the governmentality approach, see Foucault, M, “Governmentality” in G Burchell et al (eds), The Foucault Effect (Harvester Wheatsheaf, 1991) 87.
184 On a more detailed model of the risk continuum ranging from a realist approach offered in technico-scientific approaches to a highly relativist constructionist approach see Lupton, supra, note 180, Ch 2. On a taxonomy of sociological approaches to risk see Renn, supra, note 178, 67–72 (Renn orders sociological approaches to risk according to two dimensions: (1) individualistic versus structural; (2) objective versus constructivist. These approaches are: the rational actor concept, social mobilisation theory, organisational theory, systems theory, neo-Marxist and critical theory, and social constructionist theory).
185 Renn, supra, note 178, 72.
186 Lupton, supra, note 180, 6.
187 Proposal for a Council Directive concerning the protection of individuals in relation to the processing of personal data, COM (1990)314–2, 1990/0287/COD (“Initial Proposal”).
188 Proposal for a Council Directive concerning the protection of personal data and privacy in the context of public digital telecommunications networks, in particular the integrated services digital network (ISDN) and public digital mobile networks, COM/90/314FINAL – SYN 288, OJ C 277, 5.11.1990; Proposal for a Council Decision in the field of information security, COM/90/314FINAL, OJ C 277, 5.11.1990.
189 For example, commentary on Art 17 “Security of Processing” refers to the “potential danger to the data subject’s right to privacy” emanating from a data controller or a third party (Amended Proposal, 27).
190 Supra, note 114.
191 Luhmann, Niklas, “The morality of risk and the risk of morality” (1987) 1(3) International Review of Sociology 87 (noting that risk refers to the possibility of a negative effect attributable to one’s own decision, whereas danger refers to the possibility of being harmed by an external source without the individual’s choice).
192 Council of the European Union, “Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Risk based approach” 12267/2/14 REV 2, 2 September 2014, available at <http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2012267%202014%20REV%202> accessed 25 August 2017.
193 See also eg ISO/IEC 27002 security standard “Information technology – Security techniques – Code of practice for information security management”.
194 Calo, M Ryan, “The Boundaries of Privacy Harm” (2011) 86 Indiana Law Journal 1131; Lynskey, supra, note 161, 86.
195 National Institute of Standards and Technology, “NIST Privacy Engineering Objectives and Risk Model Discussion Draft” (2014), 3. Some efforts to articulate privacy harms, however, include: Centre for Information Policy Leadership at Hunton & Williams LLP, “A Risk-based Approach to Privacy: Improving Effectiveness in Practice” (2014) 2; see also Centre for Information Policy Leadership at Hunton & Williams LLP, “The Role of Risk Management in Data Protection” (2014).
196 Spina, supra, note 1, 89–90.
197 Helsper, Ellen J, et al, “Country Classification: Opportunities, Risks, Harm and Parental Mediation” (2013) LSE-EU Kids Online, available at <http://eprints.lse.ac.uk/52023/> accessed 30 August 2017.
198 Gellert (2015), supra, note 12.
200 Lynskey, supra, note 161, 86.
201 See Harremoës, Paul et al (eds), The Precautionary Principle in the 20th Century: Late Lessons from Early Warnings (Earthscan, 2002) 22.
202 Power, supra, note 16, 19.
203 Gellert (2015), supra, note 12, 16.
204 ibid 16–17. See also Shapiro, Stuart S, “Situating Anonymization Within a Privacy Risk Model”, Homeland Security Systems Engineering and Development Institute (2012) 2, available at <www.mitre.org/sites/default/files/pdf/12_0353.pdf> accessed 25 August 2017, who claims that similarly in the US the Fair Information Practice Principles “encourage framing of privacy harms purely in terms of principle violations, as opposed to the actual impact on individuals.”
205 Commission Nationale de l’Informatique et des Libertés (CNIL), “Methodology for Privacy Risk Management” (2012), available at <www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Methodology.pdf> accessed 25 August 2017; Commission Nationale de l’Informatique et des Libertés (CNIL), “Measures for the privacy risk treatment” (2012) A Catalogue of good practices, <www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Measures.pdf> accessed 15 February 2015. See also CNIL (2015), supra, note 107.
206 Methodology for Privacy Risk Management, supra, note 205, 6.
207 Gellert (2015), supra, note 12, 17.