On May 30, 2014, the European Union’s Article 29 Data Protection Working Party adopted “Statement on the role of a risk-based approach in data protection legal frameworks” (WP281). The Working Party, made up of EU member state national data protection authorities, confirmed its support for a risk-based approach in the EU data protection legal framework, particularly in relation to the proposed reform of the current data protection legislation. However, with a view to “set the record straight,” the Working Party also addresses its concerns as to the interpretation of such an approach and sets out its “key messages” on the issue.
In support of the risk-based approach, which broadly calls for increased obligations proportionate to the risks involved in data processing, the Working Party sets out examples of its application in the current Data Protection Directive (95/46/EC) and the proposed General Data Protection Regulation. The Working Party confirms that the risk-based approach must result in the same level of protection for data subjects, no matter the size of the particular organisation or the amount of data processed. However, the Working Party clarifies that the risk-based approach should not be interpreted as an alternative to established data protection rights, but instead a “scalable and proportionate approach to compliance.” Consequently, the Working Party accepts that low-risk data processing may involve less stringent obligations on data controllers than comparatively high-risk data processing.
To conclude its views on the risk-based approach, the Working Party establishes 13 key messages – in summary:
- Protection of personal data is a fundamental right and any processing should respect that right;
- Whatever the level of risk involved, data subjects’ legal rights should be respected;
- While the levels of accountability obligations can vary according to the risk of the processing, data controllers should always be able to demonstrate compliance with their data protections obligations;
- While fundamental data protection principles relating to data controllers should remain the same whatever the risks posed to data subjects, such principles are still inherently scalable;
- Accountability obligations should be varied according to the type and risk of processing involved;
- All data controllers should document their processing, although the form of documentation can vary according to the level of risk posed by the processing;
- Objective criteria should be used when determining risks which could potentially negatively impact a data subject’s rights, freedoms and interests;
- A data subject’s rights and freedoms primarily concerns the right to privacy, but also encompasses other fundamental rights, such as freedom of speech, thought and movement, prohibition on discrimination, and the right to liberty, conscience and religion;
- Where specific risks are identified, additional measures should be taken – data protection authorities should be consulted regarding highly risky processing;
- WHile pseudonymising techniques are important safeguards that can be taken into account when assessing compliance, such techniques alone do not justify a reduced regime on accountability obligations;
- The risk-based approach should be assessed on a very wide scale and take into account every potential/actual adverse effect;
- The legitimate interest pursued by data controllers or third parties is not relevant when assessing the risks for data subjects; and
- Under the proposed General Data Protection Regulation, data protection authorities will have an active role in respect of the risk-based approach, including inter alia developing guidelines on impact assessments and targeting enforcement activity on areas of greater risk.