Balance is hard, very hard.

Balance is hard, very hard.

For those businesses which collect, process and exploit personal data, the draft of Chapter IV of the forthcoming EU General Data Protection Regulation is particularly relevant as it foresees the possible future compliance obligations of data controllers and data processors.

Considering the last position of the Council of the European Union regarding this chapter, a ‘risk-based‘ approach to compliance is a core element of the accountability principle itself.1)See article 22 of the Council’s document.

In fact, the Article 29 Working Party2)The Article 29 Working Party gathers a representative of the supervisory authority designated by each EU Member State; a representative of the authority established for the EU institutions and bodies; and a representative of the European Commission. recently issued a statement supporting a ‘risk-based‘ approach in the EU data protection legal framework.

But what is it meant by the concept of a ‘risk-based‘ approach?

It mainly refers to the consideration of any potential adverse effects associated with the processing and implies different levels of accountability obligations of data controllers, depending on the risks involved within each specific processing activity. It is therefore quite different from the ‘one size fits all‘ approach, as initially proposed by the European Commission.

In this context, the respect and protection of the data subjects’ rights (for instance, right of access, of objection, of rectification, of erasure, and rights to transparency, to data portability and to be forgotten) shall be granted throughout the data processing activities, regardless the level of risks involved in these activities.

However, principles as legitimacy, transparency, data minimization, data accuracy, purpose limitation and data integrity and the compliance obligations impending upon controllers shall be proportionate to the nature, scope, context and purposes of the processing.

This ‘risk-based‘ approach is developed throughout Chapter IV, namely regarding provisions related to the data protection by design principle3)See article 23., the obligation for documentation4)See article 28., the obligation of security5)See article 30., the obligation to carry out an impact assessment6)See article 33., and the use of certification and codes of conduct7)See articles 38 and 39..

These accountability obligations, in each phase of the processing, will vary according to the type of processing and the risks to privacy and to other rights and freedoms of individuals.

In this context, the proportionality exercise will have an effect on the requirements of privacy by design8)See article 23., which consists on assessing the potential risks of the data processing and implementing suitable privacy and data protection tools and measures in order to address that risk before initiating these activities.

Besides, the introduction of the ‘risk-based‘ approach is also likely to be relevant in respect of controllers not established in the EU, as they most surely won’t be required to designate a representative in the EU, regarding occasional processing activities which are unlikely to result in a risk for the rights and freedoms of individuals 9)See article 25..

Moreover, a ‘risk-based‘ approach will be implemented as well regarding the security of the processing, as technical and organisational measures, adequate to the likelihood and severity of the risk for the rights and freedoms of individuals, shall be adopted10)See article 30..

In parallel, it has been foreseen that the obligation to report data breaches is restricted to the breaches which are likely to result in an high risk for the rights and freedoms of individuals. In this context, if the compromised data is encrypted, for instance, the data controller won’t be required to report a verified breach.11)See article 31 and 32.

The weighing assessment is expected to be also relevant regarding the data protection impact assessment12)See article 33. required for the processing activities that will likely result in a ‘high risk’ to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss.

Another important requirement is the consultation of a Data Protection Authority prior to the processing of personal data when the impact assessment indicates that the processing would result in a high degree of risk in the absence of measures to be taken by the controller to mitigate the risk.13)See article 34.

Of course “nothing is agreed until everything is agreed” and this chapter will be subjected to further revisions. There is, indeed, a vast room for improvement.

For instance, it is questionable if a ‘risk-based‘ approach does make data protection standards stronger, considering the inadequacy of the risk assessment methodology regarding fundamental rights.

In parallel, the definition of ‘high risk‘ is still too broad, including almost all businesses which are operating online. Similarly,  the impact assessment process presents itself as complex, burdensome and costly. At the current state of play, small businesses and start-ups are most likely to be negatively affected by the administrative and financial burden that some of the abovementioned provisions will entail. This is quite ironic, considering that it was precisely that concern that is at the core of the understanding according to which SMEs should be exempted from the obligation to assign a Data Protection Officer.

However, it is important for businesses to try to anticipate how the compliance requirements will be set in the future in order to be prepared for their implementation.

We will see in due time how onerous the regime will be. Whilst we do not know the exact content of the text that will eventually be adopted, it is evident now that substantive accountability obligations will be imposed upon businesses handling personal data.

References   [ + ]

1. See article 22 of the Council’s document.
2. The Article 29 Working Party gathers a representative of the supervisory authority designated by each EU Member State; a representative of the authority established for the EU institutions and bodies; and a representative of the European Commission.
3. See article 23.
4. See article 28.
5. See article 30.
6. See article 33.
7. See articles 38 and 39.
8. See article 23.
9. See article 25.
10. See article 30.
11. See article 31 and 32.
12. See article 33.
13. See article 34.