What can we learn from law? Raphael Gellert & Niels van Dijk - PowerPoint PPT Presentation

Inroads into DPIA Methodologies What can we learn from law? Raphael Gellert & Niels van Dijk (VUB/LSTS) Brno, 25 November 2016

Data Protection Impact Assessment “ Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. ” Article 35 (1) GDPR

What do “risks to rights and freedoms” mean within the new regulation on data protection, and how could the concept be developed further?

Background: The knowledge dimension ~ Risk and Law • Rights and risks belong within different spheres of knowledge and social organisation, – Law: defined through legal concepts, which takes place after the fact of an alleged breach of law – Risk management in organisations: defined through scientific concepts of probability, trying to deal with possible futures • Mutual transformations through merging risks with rights

Concept/Role Risk-Right Risk Conception Right Conception Aligned Expertise Type of Public Sector/Institution Relation - Politics Probability Political Right: - Intelligence Analysis Public Interest at Risk Government/ Risk or Right - Risk Assessment State Quantitative (Mechanically) - Information Security (Phantom) public of Balanced Weight - IT architecture political representation Uncertainty Political Right: Social sciences Public within Risk Civil Society Right at Risk Qualitative/Normative - PTA Perceived Threat Moral Right, - CTA Concerned public of Social Value, - STS participation Collective Good - Surveillance Studies Probability Risk - Organizational Public as Risk Business Right as Risk Management Quantitative - Risk Assessment Public Relations & ( current narrow - Information Security Perceptions DPIA version ) - IT architecture Proportion Individual Legal Right: - Law Public within Right Court Risk within Right Contestable Evidence - Science at the Bar Normative Proportionally Figure of Affected Harm Mediated Weight Public Proportion Procedural (Fair Trial) Ecology of expert practices Who participates? Risk to a Right DPIA Contestable Evidence Include insights from: - Affected public Normative Scope: - Law (speculative - Concerned public Mutual ( lessons for a - Individual Legal jurisprudence) Transformations broader version ) Harm - Social Value - Social sciences - Proportional Perceived Threat - Environmental

The DPIA has become based on a probabilistic risk assessment methodology

Framing Vocabulary “Privacy “Likelihood” Risks” “Data Protection Risk Assessment” Narrow Conception of Privacy -> Computer Security

DPIAs: not a novelty Issues with DPIA methodologies • Risk management methodologies have faced serious criticism in other assessment fields like environmental and health law • Main issue: pretence at objectivity – Framed as objective, probabilistic, numerical exercises • However: – “ risk is not completely determined by the evidence from nature alone, but is partly open-ended depending on what parameters are treated as the most significant ” (Wynne, 1992). • -- » Risk and impact assessment methodologies = subjective!!! Titel van dia 1-12-2016 | 8

Issues with DPIA methodologies What is a data protection risk? How can one measure it? Titel van dia 1-12-2016 | 9

Examples from PIA methodologies How to combine likelihood & severity? • CNIL, 2012: • NIST, 2015: Titel van dia 1-12-2016 | 10

Examples from DPIA methodologies The choice of risk factors for probability • CNIL, 2012 – Choice of a security inspired-model Risk Threats Supporting Risk sources assets Level of capabilities Level of vulnerabilities Figure 2 Risk Titel van dia 1-12-2016 | 11

Examples from DPIA methodologies How to measure harm? • Data protection harm has an important subjective dimension – Not everybody is affected in the same way – The same harm can produce different effects and these effects can manifest themselves at different moment – Tangible vs intangible harms • Measurement? – Surveys? – Public participation? • How? • Long term harms – E.g., big data , profiling… Titel van dia 1-12-2016 | 12

Issues with DPIA methodologies These methodological choices are at the heart of the type of protection afforded by DPIAs!!! – Risk: DPIAs become the new box-ticking – NO!!! Titel van dia 1-12-2016 | 13

Concept/Role Risk-Right Risk Conception Right Conception Aligned Expertise Type of Public Sector/Institution Relation - Politics Probability Political Right: - Intelligence Analysis Public Interest at Risk Government/ Risk or Right - Risk Assessment State Quantitative (Mechanically) - Information Security (Phantom) public of Balanced Weight - IT architecture political representation Uncertainty Political Right: Social sciences Public within Risk Civil Society Right at Risk Qualitative/Normative - PTA Perceived Threat Moral Right, - CTA Concerned public of Social Value, - STS participation Collective Good - Surveillance Studies Probability Risk - Organizational Public as Risk Business Right as Risk Management Quantitative - Risk Assessment Public Relations & ( current narrow - Information Security Perceptions DPIA version ) - IT architecture Proportion Individual Legal Right: - Law Public within Right Court Risk within Right Contestable Evidence - Science at the Bar Normative Proportionally Figure of Affected Harm Mediated Weight Public Proportion Procedural (Fair Trial) Ecology of expert practices Who participates? Risk to a Right DPIA Contestable Evidence Include insights from: - Affected public Normative Scope: - Law (speculative - Concerned public Mutual ( lessons for a - Individual Legal jurisprudence) Transformations broader version ) Harm - Social Value - Social sciences - Proportional Perceived Threat - Environmental

Concept/Role Risk-Right Risk Conception Right Conception Aligned Expertise Type of Public Sector/Institution Relation - Politics Probability Political Right: - Intelligence Analysis Public Interest at Risk Government/ Risk or Right - Risk Assessment State Quantitative (Mechanically) - Information Security (Phantom) public of Balanced Weight - IT architecture political representation Uncertainty Political Right: Social sciences Public within Risk Civil Society Right at Risk Qualitative/Normative - PTA Perceived Threat Moral Right, - CTA Concerned public of Social Value, - STS participation Collective Good - Surveillance Studies Probability Risk - Organizational Public as Risk Business Right as Risk Management Quantitative - Risk Assessment Public Relations & ( current narrow - Information Security Perceptions DPIA version ) - IT architecture Proportion Individual Legal Right: - Law Public within Right Court Risk within Right Contestable Evidence - Science at the Bar Normative Proportionally Figure of Affected Harm Mediated Weight Public Proportion Procedural (Fair Trial) Ecology of expert practices Who participates? Risk to a Right DPIA Contestable Evidence Include insights from: - Affected public Normative Scope: - Law (speculative - Concerned public Mutual ( lessons for a - Individual Legal jurisprudence) Transformations broader version ) Harm - Social Value - Social sciences - Proportional Perceived Threat - Environmental

A Role for Law Towards the Design of a new Forum What ecology of practices does a DPIA require? Can we have more law in assessing the impact to a right ? • Calculating privacy risks: Managing data protection as a new source of risk (risk as forum, law as “target”,no mutual transformation), or • Judging possible privacy infringements: Mediating legal rights with risk as contestable knowledge according to a fair process (law as forum, risk as evidence).

DPIA as a Court of Upstream Adjudication • GDPR 2018: MS courts have to work with the new concept of a “data protection impact assessment”. • Provide judgments when data controllers violate this obligation. • This concept has no direct legal precedent. How will they judge these cases? • Familiar with “data protection” requirements, what about the "impact assessment" in relation to DP?

Legal Lessons for DPIA • Procedural Lessons – Public Participation – Risk as Contestable Evidence – Proportional risk-right balancing • Substantive Lessons – Environment – Risk – Likelihood – Harm (Impact)

Legal Lessons for DPIA • Procedural Lessons – Public Participation – Risk as Contestable Evidence – Proportional risk-right balancing • Substantive Lessons – Environment – Risk – Likelihood – Harm (Impact)