Risk-based approach to data protection: risky for fundamental rights

By EDRi · September 24, 2014

On 18 September an EU Council document related to the draft EU data protection regulation was published. The document summarises the positions of Member States that have given their views on a so-called “risk-based approach to data protection”, within the context of the (so far) 30-month negotiations on a review of European data protection legislation. Reading the document, the first question that comes to mind is: Is this going to make the data protection standards any better? The answer is, broadly speaking,… no.

Risk assessment is “the determination of quantitative or qualitative value of risk related to a concrete situation and a recognised threat”. The main problem with a risk assessment in this context is the fact that personal privacy is a fundamental right. Measuring it with risk assessment methodology leads to an awkward misconception about what this fundamental right actually represents; The data controller cannot know about the context and dangers for individual people. Also the view that children’s personal data is somewhat more sensitive than their parents’ is incoherent. The fundamental rights of one part of the society cannot be more fundamental than the fundamental rights of another part of the society. There is strictly no difference between the two, neither from the human rights perspective nor from a practical perspective.

Such assessments make a lot of sense in technical environments where operators deals with their own operational risks, but it is entirely wrong to assume that there is an easy way for assessing third party risk processing operations, especially if its about a narrow, fundamental human right. This is what the risk-based approach is all about – identifying “specific risks”, assessing and categorising the rights of third parties and making decisions based on this.

When it comes to assessment, the exposure of large data sets generates a higher degree of public attention. However, this does not necessarily mean they lead to a more significant threat. The reality of IT shows that systems with a small set of very specific data are not less valuable nor less important for privacy concerns.

Apart from this misconception, it’s shocking to see the massive amount of comments and subtle, detrimental changes that are being proposed by the German delegation, which made as many comments as all of the other Member States put together. These comments and changes will make future negotiations in the trialogue (negotiations between Commission, Parliament and Council) a lot more complicated. Indeed, rather than being a constructive intervention, the German comments look like an effort to stall the progress of what was gained over the last months by bringing up new ideas which will most probably have the effect of delaying and weakening the reform.

Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Risk based approach (02.09.2014)

Wikipedia: Risk assessment

(Contribution by fukami, EDRi-member Chaos Computer Club, Germany)