Article 29 Working Party on the “Risk based Approach”

Statement on the role of a risk-based approach in data protection legal frameworks:

[…] the Working Party is concerned that both in relation to discussions on the new EU legal framework for data protection and more widely, the risk-based approach is being increasingly and wrongly presented as an alternative to well-established data protection rights and principles, rather than as a scalable and proportionate approach to compliance. The purpose of this statement is to set the record straight.

The so-called “risk-based approach” is not a new concept, since it is already well known under the current Directive 95/46/EC, especially in the security (Article 17) and the DPA prior checking obligations (Article 20). The legal regime applicable to the processing of special categories of data (Article 8) can also be considered as the application of a risk-based approach: strengthened obligations result from processing which is considered risky for the persons concerned. It is important to note that – even with the adoption of a risk-based approach – there is no question of the rights of individuals being weakened in respect of their personal data. Those rights must be just as strong even if the processing in question is relatively ‘low risk’. Rather, the scalability of legal obligations based on risk addresses compliance mechanisms. This means that a data controller whose processing is relatively low risk may not have to do as much to comply with its legal obligations as a data controller whose processing is high-risk.

However, the risk-based approach has gained much more attention in the discussions at the European Parliament and at the Council on the proposed General Data Protection Regulation. It has been introduced recently as a core element of the accountability principle itself (Article 22). In addition to the obligation of security (Article 30) and the obligation to carry out an impact assessment (Article 33) already prescribed in the draft regulation, the risk-based approach has been extended and reflected in other implementation measures such as the data protection by design principle (Article 23), the obligation for documentation (Article 28) and the use of certification and codes of conduct (Articles 38 and 39). It is apparent therefore that the draft Regulation already contains the tools – for example in Article 33 relating to impact assessment – to provide for a reliable and relatively objective assessment of risk. In parallel, the concept has been promoted in public debates on data protection regulation in the context of “big data”. Its promoters argue that collection should no longer be considered the main focus of regulation and that legal compliance should rather shift to the framing of data use. To comply, it is advocated that a strong harm-based approach can help to promote responsible data use based on risk management. Finally, there have been vigorous debates at the European Parliament and at the Council on the applicability of a lighter legal regime for pseudonymous or pseudonymised data, considering that because of their perceived less identifiable nature, the privacy risks for data subjects are reduced. Those contextual and background elements show the compelling need for the Working Party to communicate the following key messages on this issue.