Statement on the role of a risk-based approach in data protection legal frameworks:
[…]the Working Party is concerned that both in relation to discussions on the new EU legal framework for data protection and more widely, the risk-based approach is being increasingly and wrongly presented as an alternative to well-established data protection rights and principles, rather than as a scalable and proportionate approach to compliance. The purpose of this statement is to set the record straight.
The so-called “risk-based approach” is not a new concept, since it is already well known under the current Directive 95/46/EC especially in the security (Article 17) and the DPA prior checking obligations (Article 20). The legal regime applicable to the processing of special categories of data (Article 8) can also be considered as the application of a risk-based approach: strengthened obligations result from processing which is considered risky for the persons concerned. It is important to note that – even with the adoption of a risk-based approach – there is no question of the rights of individuals being weakened in respect of their personal data. Those rights must be just as strong even if the processing in question is relatively ‘low risk’. Rather, the scalability of legal obligations based on risk addresses compliance mechanisms. This means that a data controller whose processing is relatively low risk may not have to do as much to comply with its legal obligations as a data controller whose processing is high-risk.
However, the risk-based approach has gained much more attention in the discussions at the European Parliament and at the Council on the proposed General Data Protection Regulation. It has been introduced recently as a core element of the accountability principle itself (Article 22). In addition to the obligation of security (Article 30) and the obligation to carry out an impact assessment (Article 33) already prescribed in the draft regulation, the risk-based approach has been extended and reflected in other implementation measures such as the data protection by design principle (Article 23), the obligation for documentation (Article 28) and the use of certification and codes of conduct (Articles 38 and 39). It is apparent therefore that the draft Regulation already contains the tools – for example in Article 33 relating to impact assessment – to provide for a reliable and relatively objective assessment of risk. In parallel, the concept has been promoted in public debates on data protection regulation in the context of “big data”. Its promoters argue that collection should no longer be considered the main focus of regulation and that legal compliance should rather shift to the framing of data use. To comply, it is advocated that a strong harm-based approach can help to promote responsible data use based on risk management. Finally, there have been vigorous debates at the European Parliament and at the Council on the applicability of a lighter legal regime for pseudonymous or pseudonymised data considering that because of their perceived less identifiable nature, the privacy risks for data subjects are reduced. Those contextual and background elements show the compelling need for the Working Party to communicate the following key messages on this issue.