Article 29 Working Party on the “Risk based Approach”

Statement on the role of a risk-based approach in data protection legal frameworks:

[…] the Working Party is concerned that both in relation to discussions on the new EU legal framework for data protection and more widely, the risk-based approach is being increasingly and wrongly presented as an alternative to well-established data protection rights and principles, rather than as a scalable and proportionate approach to compliance. The purpose of this statement is to set the record straight.

The so-called “risk-based approach” is not a new concept, since it is already well known under the current Directive 95/46/EC especially in the security (Article 17) and the DPA prior checking obligations (Article 20). The legal regime applicable to the processing of special categories of data (Article 8) can also be considered as the application of a risk-based approach: strengthened obligations result from processing which is considered risky for the persons concerned. It is important to note that – even with the adoption of a risk-based approach – there is no question of the rights of individuals being weakened in respect of their personal data. Those rights must be just as strong even if the processing in question is relatively ‘low risk’. Rather, the scalability of legal obligations based on risk addresses compliance mechanisms. This means that a data controller whose processing is relatively low risk may not have to do as much to comply with its legal obligations as a data controller whose processing is high-risk.

However, the risk-based approach has gained much more attention in the discussions at the European Parliament and at the Council on the proposed General Data Protection Regulation. It has been introduced recently as a core element of the accountability principle itself (Article 22). In addition to the obligation of security (Article 30) and the obligation to carry out an impact assessment (Article 33) already prescribed in the draft regulation, the risk-based approach has been extended and reflected in other implementation measures such as the data protection by design principle (Article 23), the obligation for documentation (Article 28) and the use of certification and codes of conduct (Articles 38 and 39). It is apparent therefore that the draft Regulation already contains the tools – for example in Article 33 relating to impact assessment – to provide for a reliable and relatively objective assessment of risk. In parallel, the concept has been promoted in public debates on data protection regulation in the context of “big data”. Its promoters argue that collection should no longer be considered the main focus of regulation and that legal compliance should rather shift to the framing of data use. To comply, it is advocated that a strong harm-based approach can help to promote responsible data use based on risk management. Finally, there have been vigorous debates at the European Parliament and at the Council on the applicability of a lighter legal regime for pseudonymous or pseudonymised data considering that because of their perceived less identifiable nature, the privacy risks for data subjects are reduced. Those contextual and background elements show the compelling need for the Working Party to communicate the following key messages on this issue.
