A risk to a right? Beyond data protection risk assessments

Abstract The proposal for a new European Data Protection Regulation introduces the novel obligation of performing data protection assessments. Since these assessments will become a mandatory exercise for those in control of data processing systems, they will become an important apparatus for the governance of new and emerging information technologies. This tool, and in particular the notion of “risks to the rights and freedoms of data subjects” which is at its core, epitomises the shift from classical legal practice to more risk-based approaches. Merging risks and rights in the proposed fashion could change their meanings into something hardly predictable. This contribution proposes to explore the nature of the relation between both concepts within the assessment of a “risk to a right”. It will start by mapping out the various relations that exist between risks and rights in different practices. This should serve to identify gaps in the way DPIAs are currently operationalised and might well determine whether the introduction of this methodology in its current form might itself pose a risk to the rights of privacy and data protection. In turn however, it can provide opportunities for improvement and for lessons to be drawn from other practices and expertise that strike different relations between risks and rights, like the ones found in environmental governance and courts.

[1]  Daniel J. Solove A Taxonomy of Privacy , 2006 .

[2]  Serge Gutwirth,et al.  The legal construction of privacy and data protection , 2013, Comput. Law Secur. Rev..

[3]  S. Davies Re-engineering the right to privacy: how privacy has been transformed from a right to a commodity , 1997 .

[4]  Roger Clarke,et al.  Privacy impact assessment: Its origins and development , 2009, Comput. Law Secur. Rev..

[5]  Herbert George Wells,et al.  The Shape of Things to Come , 1933 .

[6]  Arie Rip,et al.  TAKING EUROPEAN KNOWLEDGE SOCIETY SERIOUSLY Report of the Expert Group on Science and Governance to the Science, Economy and Society Directorate, Directorate-General for Research, European Commission , 2007 .

[7]  Andrew Stirling,et al.  Risk at a turning point , 1998 .

[8]  Colin J. Bennett,et al.  The Governance of Privacy: Policy Instruments in Global Perspective , 2006 .

[9]  M. Calo The Boundaries of Privacy Harm , 2010 .

[10]  Zygmunt J. Haas,et al.  Personal Environment Service for Mobile Users , 2006, IEEE Vehicular Technology Conference.

[11]  Ortwin Renn Risk Governance: Coping with Uncertainty in a Complex World , 2008 .

[12]  M. Callon,et al.  Acting in an Uncertain World: An Essay on Technical Democracy , 2009 .

[13]  David Wright,et al.  Surveillance: Extending the Limits of Privacy Impact Assessment , 2012 .

[14]  T. Murphy,et al.  IS HUMAN RIGHTS PREPARED? RISK, RIGHTS AND PUBLIC HEALTH EMERGENCIES , 2009, Medical law review.

[15]  Danielle Keats Citron,et al.  Mainstreaming Privacy Torts , 2010 .

[16]  K. Vries,et al.  A Bump in the Road. Ruling Out Law from Technology , 2013 .

[17]  Brian Wynne,et al.  Sheepfarming after Chernobyl: A Case Study in Communicating Scientific Information , 1989 .

[18]  P. Hert A Human Rights Perspective on Privacy and Data Protection Impact Assessments , 2012 .

[19]  M. Korstanje The Risk Society: Towards a new modernity , 2009 .

[20]  S. Jasanoff Introduction: Rewriting Life, Reframing Rights , 2012 .

[21]  J. Ruggie,et al.  Report of the Special Representative of the Secretary-General on the Issue of Human Rights and Transnational Corporations and other Business Enterprises , 2011 .

[22]  H Roberts,et al.  Risk Society: Towards a New Modernity , 1994 .

[23]  Charles Oppenheim,et al.  Privacy Impact Assessments: International Study of Their Application and Effects , 2007 .

[24]  David Gee,et al.  Late Lessons from Early Warnings: Towards realism and precaution with EMF? , 2009, Pathophysiology : the official journal of the International Society for Pathophysiology.

[25]  Kerem Altiparmak,et al.  European Court of Human Rights , 2006, European Constitutional Law Review.

[26]  G. Edmond Legal Engineering , 2002 .

[27]  A. Boyle Human Rights or Environmental Rights?: A Reassessment , 2008 .

[28]  Michael Decker Interdisciplinarity in technology assessment : implementation and its chances and limits , 2001 .

[29]  N. Marres,et al.  Recipe for tracing the fate of issues and their publics on the Web , 2005 .

[30]  S. Spiekermann The RFID PIA – Developed by Industry, Endorsed by Regulators , 2011 .

[31]  C. Raab,et al.  Privacy principles, risks and harms , 2014 .

[32]  Philip Brey,et al.  Disclosive computer ethics , 2000, CSOC.

[33]  B. Wynne Risk and Environment as Legitimatory Discourses of Technology: Reflexivity Inside Out? , 2002 .

[34]  C. Raab Networks for Regulation: Privacy Commissioners in a Changing World , 2011, Institutions and Governance in Comparative Policy Analysis Studies.

[35]  Roger Clarke,et al.  An evaluation of privacy impact assessment guidance documents , 2011 .

[36]  Sheila Jasanoff,et al.  Science at the Bar , 1995 .

[37]  Neil M. Richards,et al.  Prosser's Privacy Law: A Mixed Legacy , 2010 .

[38]  B. Wynne,et al.  Misunderstanding science? : the public reconstruction of science and technology , 1996 .

[39]  Laurent Beslay,et al.  Double-Take: Getting to the RFID PIA Framework , 2012 .

[40]  David Wright,et al.  The state of the art in privacy impact assessment , 2012, Comput. Law Secur. Rev..

[41]  Florian Schaub Dynamic privacy adaptation in ubiquitous computing , 2014 .

[42]  P. Grandjean,et al.  Late lessons from early warnings: science, precaution, innovation , 2013 .

[43]  A. Irwin The Politics of Talk , 2006 .

[44]  Thierry Balzacq Security Versus Freedom?: A Challenge for Europe's Future , 2006 .

[45]  Brian Wynne,et al.  Public Participation in Science and Technology: Performing and Obscuring a Political–Conceptual Category Mistake , 2007 .

[46]  Brian Wynne,et al.  Misunderstood misunderstanding: social identities and public uptake of science , 1992 .

[47]  George Huitema,et al.  The Neglected Consumer: The Case of the Smart Meter Rollout in the Netherlands , 2011 .

[48]  B. Wynne Uncertainty and environmental learning: reconceiving science and policy in the preventive paradigm. , 1992 .

[49]  S. Gutwirth,et al.  Privacy, Data Protection and Law Enforcement. Opacity of the Individual and Transparency of Power , 2022, Direito Público.

[50]  J. Waldron,et al.  Security and Liberty: The Image of Balance* , 2003 .

[51]  Chris Hilson Risk and the European convention on human rights: Towards a new approach , 2009 .

[52]  Michael Friedewald,et al.  Precaution and privacy impact assessment as modes towards risk governance , 2011 .

[53]  Stephen Coleman,et al.  The Wisdom of Which Crowd? On the Pathology of a Listening Government , 2011 .

[54]  George E. Rejda,et al.  Insurance and risk , 1964 .

[55]  Louis D. Brandeis,et al.  The Right to Privacy , 1890 .

[56]  Kristrun Gunnarsdottir,et al.  The Technolife Project: an experimental approach to new ethical frameworks for emerging science and technology , 2013 .

[57]  Arie Rip,et al.  Controversies as Informal Technology A ssessment , 1986 .