What can we learn from law? Raphael Gellert & Niels van Dijk - - PowerPoint PPT Presentation

Raphael Gellert & Niels van Dijk (VUB/LSTS) Brno, 25 November 2016

Inroads into DPIA Methodologies What can we learn from law?

Data Protection Impact Assessment

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes

• f

the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry

• ut

an assessment of the impact of the envisaged processing operations

• n the protection of personal

data.” Article 35 (1) GDPR

What do “risks to rights and freedoms” mean within the new regulation on data protection, and how could the concept be developed further?

Background: The knowledge dimension ~ Risk and Law

• Rights and risks belong within different

spheres of knowledge and social organisation,

– Law: defined through legal concepts, which takes place after the fact of an alleged breach of law – Risk management in organisations: defined through scientific concepts of probability, trying to deal with possible futures

• Mutual transformations through merging risks

with rights

Concept/Role

Risk-Right Relation Risk Conception Right Conception Aligned Expertise Type of Public

Sector/Institution

Government/ State Risk or Right

Probability Quantitative Political Right: (Mechanically) Balanced Weight

• Politics
• Intelligence Analysis
• Risk Assessment
• Information Security
• IT architecture

Public Interest at Risk (Phantom) public of political representation

Civil Society Right at Risk

Uncertainty Qualitative/Normative Perceived Threat Political Right: Moral Right, Social Value, Collective Good Social sciences

• PTA
• CTA
• STS
• Surveillance Studies

Public within Risk Concerned public of participation

Business

(current narrow DPIA version)

Right as Risk

Probability Quantitative Risk

• Organizational

Management

• Risk Assessment
• Information Security
• IT architecture

Public as Risk Public Relations & Perceptions

Court Risk within Right

Proportion Contestable Evidence Normative Harm Individual Legal Right: Proportionally Mediated Weight

• Law
• Science at the Bar

Public within Right Figure of Affected Public

DPIA

(lessons for a broader version)

Risk to a Right

Mutual Transformations

• Proportional
• Environmental

Proportion Contestable Evidence Normative Harm Perceived Threat Procedural (Fair Trial) Scope:

• Individual Legal
• Social Value

Ecology of expert practices Include insights from:

• Law (speculative

jurisprudence)

• Social sciences

Who participates?

• Affected public
• Concerned public

The DPIA has become based on a probabilistic risk assessment methodology

Framing Vocabulary Narrow Conception of Privacy

• > Computer Security

“Data Protection Risk Assessment” “Privacy Risks” “Likelihood”

Issues with DPIA methodologies

DPIAs: not a novelty

Titel van dia 1-12-2016 | 8

• Risk management methodologies have faced serious

criticism in other assessment fields like environmental and health law

• Main issue: pretence at objectivity

– Framed as objective, probabilistic, numerical exercises

• However:

– “risk is not completely determined by the evidence from nature alone, but is partly open-ended depending on what parameters are treated as the most significant” (Wynne, 1992).

• --» Risk and impact assessment methodologies =

subjective!!!

Issues with DPIA methodologies

Titel van dia 1-12-2016 | 9

What is a data protection risk? How can one measure it?

How to combine likelihood & severity?

Examples from PIA methodologies

Titel van dia 1-12-2016 | 10

• CNIL, 2012:
• NIST, 2015:

The choice of risk factors for probability

Examples from DPIA methodologies

Titel van dia 1-12-2016 | 11

• CNIL, 2012

– Choice of a security inspired-model

Threats Risk

Risk sources Supporting assets

Figure 2 Risk

Level of capabilities Level of vulnerabilities

How to measure harm?

Titel van dia 1-12-2016 | 12

• Data protection harm has an important subjective dimension

– Not everybody is affected in the same way – The same harm can produce different effects and these effects can manifest themselves at different moment – Tangible vs intangible harms

• Measurement?

– Surveys? – Public participation?

• How?
• Long term harms

– E.g., big data, profiling…

Examples from DPIA methodologies

Issues with DPIA methodologies

Titel van dia 1-12-2016 | 13

These methodological choices are at the heart of the type of protection afforded by DPIAs!!!

– Risk: DPIAs become the new box-ticking – NO!!!

Concept/Role

Risk-Right Relation Risk Conception Right Conception Aligned Expertise Type of Public

Sector/Institution

Government/ State Risk or Right

Probability Quantitative Political Right: (Mechanically) Balanced Weight

• Politics
• Intelligence Analysis
• Risk Assessment
• Information Security
• IT architecture

Public Interest at Risk (Phantom) public of political representation

Civil Society Right at Risk

Uncertainty Qualitative/Normative Perceived Threat Political Right: Moral Right, Social Value, Collective Good Social sciences

• PTA
• CTA
• STS
• Surveillance Studies

Public within Risk Concerned public of participation

Business

(current narrow DPIA version)

Right as Risk

Probability Quantitative Risk

• Organizational

Management

• Risk Assessment
• Information Security
• IT architecture

Public as Risk Public Relations & Perceptions

Court Risk within Right

Proportion Contestable Evidence Normative Harm Individual Legal Right: Proportionally Mediated Weight

• Law
• Science at the Bar

Public within Right Figure of Affected Public

DPIA

(lessons for a broader version)

Risk to a Right

Mutual Transformations

• Proportional
• Environmental

Proportion Contestable Evidence Normative Harm Perceived Threat Procedural (Fair Trial) Scope:

• Individual Legal
• Social Value

Ecology of expert practices Include insights from:

• Law (speculative

jurisprudence)

• Social sciences

Who participates?

• Affected public
• Concerned public

Concept/Role

Risk-Right Relation Risk Conception Right Conception Aligned Expertise Type of Public

Sector/Institution

Government/ State Risk or Right

Probability Quantitative Political Right: (Mechanically) Balanced Weight

• Politics
• Intelligence Analysis
• Risk Assessment
• Information Security
• IT architecture

Public Interest at Risk (Phantom) public of political representation

Civil Society Right at Risk

Uncertainty Qualitative/Normative Perceived Threat Political Right: Moral Right, Social Value, Collective Good Social sciences

• PTA
• CTA
• STS
• Surveillance Studies

Public within Risk Concerned public of participation

Business

(current narrow DPIA version)

Right as Risk

Probability Quantitative Risk

• Organizational

Management

• Risk Assessment
• Information Security
• IT architecture

Public as Risk Public Relations & Perceptions

Court Risk within Right

Proportion Contestable Evidence Normative Harm Individual Legal Right: Proportionally Mediated Weight

• Law
• Science at the Bar

Public within Right Figure of Affected Public

DPIA

(lessons for a broader version)

Risk to a Right

Mutual Transformations

• Proportional
• Environmental

Proportion Contestable Evidence Normative Harm Perceived Threat Procedural (Fair Trial) Scope:

• Individual Legal
• Social Value

Ecology of expert practices Include insights from:

• Law (speculative

jurisprudence)

• Social sciences

Who participates?

• Affected public
• Concerned public

A Role for Law

Towards the Design of a new Forum

What ecology of practices does a DPIA require? Can we have more law in assessing the impact to a right?

• Calculating privacy risks: Managing data protection as a

new source of risk (risk as forum, law as “target”,no mutual transformation), or

• Judging possible privacy infringements: Mediating legal

rights with risk as contestable knowledge according to a fair process (law as forum, risk as evidence).

DPIA as a Court of Upstream Adjudication

• GDPR 2018: MS courts have to work with the new

concept of a “data protection impact assessment”.

• Provide judgments when data controllers violate this
• bligation.
• This concept has no direct legal precedent. How will

they judge these cases?

• Familiar with “data protection” requirements, what

about the "impact assessment" in relation to DP?

Legal Lessons for DPIA

• Procedural Lessons

– Public Participation – Risk as Contestable Evidence – Proportional risk-right balancing

• Substantive Lessons

– Environment – Risk – Likelihood – Harm (Impact)

Legal Lessons for DPIA

• Procedural Lessons

– Public Participation – Risk as Contestable Evidence – Proportional risk-right balancing

• Substantive Lessons

– Environment – Risk – Likelihood – Harm (Impact)

Environments

Similarities with other Mandatory Impact Assessments

• Obligation for sustainability and health assessment

(Environmental Law)

• Obligation of health and safety assessments

(Labour and Consumer Law)

Reconceptualise as assessments of risks to individual’s rights.

• The employee’s “right to a safe and healthy working

environment” (Art. 3.1 ILO; Art. 7 ICESCR)

• A right to a healthy ecological environment?

(Art. 1 Aarhus Convention) Analogy to transport legal principles & obligations.

Differences with other Mandatory Impact Assessments

• The ecological concept "environment"

– Complex: chaotic & semi-predictability of systems for which the new technology might pose a risk. – Uncertainty or ambiguity.

• Data protection leave little space for uncertainties.

Possible violations are pre-formulated along a series of clear rights & obligations.

• Privacy leaves more openness, especially the right-

creating approach of the German Constitutional Court..

Risk Criteria: The locus of methodological choices

Risk

Titel van dia 1-12-2016 | 24

Choices about the risk criteria will determine what will count as a risk in the first place and include questions like:

–The nature and types of feared events –The manner in which they will be measured –How likelihoods will be defined –How the risks levels will be determined –The level at which risk becomes tolerable –The type of harm to be considered –The subject of harm (i.e., how is the risk socially distributed)? –The measurement of harms –How stakeholders’ views will be taken into account

What is at stake?

Risk criteria

Titel van dia 1-12-2016 | 25

• Risks, sources of risks, risk factors, impacts, etc.

not considered at this step will not be taken into account

• Implicit assumptions on what constitutes relevant

expert knowledge

– E.g., fully quantitative, semi-quantitative, lay knowledge ?, etc.

The case of personal data

Legal lessons and risk

• CNIL, 2012

– Personal data:

• Primary asset
• Risk factor for severity

For each processing of personal data, primary assets are the following:

processes: those of the processing (its features as such, insofar as they deal

with personal data) and those required by [Act-I&L] in orderto inform the data subjects (Article 32), obtain their consent (if appropriate, Article 7) and allow the exercise of the rights of opposition (Section 38), access (Article 39), correction and deletion (Article 40);

personal data: those directly concerned by the processing and those concerned by the

processes required by [Act-I&L].

Primary assets Level of identification

Still relevant to construct a risk around the notion of personal data?

Titel van dia 1-12-2016 | 27

• Profiling, big data…
• GDPR is still predicated on personal data as

identifying data BUT

– Recital 26: “singling out” – Borgesius 2016 (Behavioural targeting)

• “Many [data protection] risks remain, regardless of whether

companies tie a name to the information they hold about a person”

– CJEU Breyer,C-582/14:

• Dynamic IP address can be personal data

Probability

Probabilities of feared events are measured along short uniform scales

• Numeral terms (e.g. from 1 to 5),
• Qualitative terms (e.g. from Impossible to Certain).

Probability

• Probability is at the core of both the notions of

risk and legal evidence.

• Could function as a potential bridging element

between the two.

• Inspiration from different kinds of proof levels

required in evidence law.

Gee (2009) - Late Lessons from Early Warnings: Towards realism and precaution with Electro-Magnetic Fields?

Probability

Legal presumptions about when a claim is sufficiently proven. The nature and distribution of costs of being wrong in impact assessments determining appropriate level of evidence required. Differentiation in levels of proof according to data categories?

• sensitive data > personal data > pseudonymous data > anonymous data

Appropriate level of proof required could depend on:

• severity and nature of potential harm expected,
• benefits claimed in taking the risk,
• available alternatives and potential costs of being wrong here.

Risk criteria and harms

Legal lessons II

Titel van dia 1-12-2016 | 32

• List of harms
• pecuniary
• moral
• psychological
• social
• physical
• GDPR Recital 75:

– “data processing which could lead to physical, material or non-material damage”

• (CNIL, 2012, p. 13)

Case law

Legal lessons on harms

Titel van dia 1-12-2016 | 33

• Lessons from US privacy tort law

–emotional, reputational, and proprietary injuries

• Lessons from ECHR on privacy harms

–disability to secure employment (ECtHR, 2012, § 181) –social stigmatisation (ECtHR, 2008b)

• Lessons from CJEU on data protection

–Emotional/psychological harm (CJEU, Digital Rights Ireland, 2014, § 37)

Usefulness

Legal lessons on harms

Titel van dia 1-12-2016 | 34

• What harms for what data processing practices,
• Measurement
• Severity
• Subjects affected
• Probability/moment of occurrence
• What harm is considered grave enough to deserve

compensation/be considered a harm

• What are the eventual constraints (i.e., need to

acknowledge or repair new harms).

Conclusion

Incorporating conceptual lessons from legal practices in DPIAs. Transforms the concepts of risks, rights and their mutual relation

Conclusion

The concept of risk undergoes a normative turn by incorporating legal requirements (privacy and data protection).

– Locus of such normative turn = risk criteria step

• = place of methodological choices
• Determination of:

– What counts as risk, – How to measure it: likelihood + severity – What types of harms to take into account – Relevant knowledge

Conclusion

The risk–right relation undergoes an ecological turn through the concept of safe and healthy environments (nature, life, work). Assessments of the risks to the rights of individuals to their personal environments (both spatial & digital) Transformation of the concept of rights at stake.

THANK YOU