Impact assessments are essentially risk management tools, whether they are concerned with the environment, society, business, or personal data. In the case of personal data, Article 35 of the GDPR requires controllers to conduct a data protection impact assessment (“DPIA”) prior to undertaking processing activities that are likely to pose a high risk to the rights and freedoms of natural persons. This is essentially a holistic risk assessment taking into account the nature, scope, context and purposes of the processing.
There are several sample forms and documents on DPIA methodology published by different supervisory authorities (“SAs”) that could be relied upon by controllers to guide them in designing their DPIA processes. For a detailed description of the steps to be borne in mind while conducting a DPIA, you can download our whitepaper.
However, before conducting a DPIA, it is necessary to determine whether a DPIA is required in the first place. This pre-assessment is based on the level of risk posed by the envisaged processing operation(s). In this blog post we analyse this pre-assessment, i.e. the question of whether a DPIA is needed at all, rather than the DPIA itself.
The GDPR and the WP29 Guidelines on Data Protection Impact Assessment (DPIA) determine whether processing is likely to result in a high risk based on a non-exhaustive list of characteristics. These characteristics, hereafter referred to as “EU Triggers”, determine the need for a full assessment:
- Evaluation/Scoring (including profiling and predicting);
- Automated decision making with legal/similarly significant effect;
- Systematic monitoring (including of publicly accessible area);
- Special categories of data or personal data relating to criminal convictions or offences;
- Data processed on a large scale;
- Data concerning vulnerable subjects;
- Matching/combining data sets;
- Innovative use/applying new technological or organisational solutions; and
- Processing that prevents data subjects from exercising a right, using a service or entering into a contract.
The Guidelines state a rule of thumb: where two or more of the above criteria apply, a full DPIA is necessary. However, the rule has exceptions, and controllers must in any case document their reasoning on whether a DPIA is necessary, after seeking the advice of the data protection officer and other stakeholders, including the data subjects.
Member State Triggers
In line with the margin of manoeuvre available to member states (“MSs”) under the GDPR, Articles 35(4) and 35(5) of the GDPR empower the competent SAs of the MSs to establish their own lists supplementing the EU Triggers. Accordingly, most of the SAs have published lists specifying the kinds of processing that require a DPIA (“Black List”). Some, such as the Belgian SA, have also published a list of processing activities that are exempted from the DPIA requirement (“White List”).
EDPB Consistency Opinion
Given that the underlying legislative intent behind the GDPR is to ensure consistency in data protection practices across the EU and to facilitate the free flow of data in aid of the internal market, there ought not to be divergences that would hamper the goal of cross-border data flow. Hence, the SAs are required to follow the consistency mechanism laid down in the GDPR (cf. Articles 35(4) and 35(6)) where the processing of personal data:
a) relates to the offering of goods or services to data subjects; or
b) relates to the monitoring of their behaviour in several MSs; or
c) may substantially affect the free movement of personal data within the Union.
In light of this, the SA lists must be communicated to the European Data Protection Board (“EDPB”) established under Article 68 of the GDPR. As per Article 64(1) of the GDPR, the EDPB is responsible for issuing opinions to the SAs on these lists, and the SAs are required to take utmost account of these opinions, either by adopting the proposed changes or by communicating to the EDPB their reasons for not doing so.
Currently, the EDPB has already published opinions on 26 SA lists, highlighting the ultimate goal of “establishing a harmonised approach” and “protecting consistency that can affect the free flow of personal data of natural persons across the European Union”. Some of these clarifications, discussed hereafter, are a clear step towards the consistent application of the GDPR. A few of the key clarifications are as follows:
- Non-Exhaustive Nature: The EDPB has emphasised the non-exhaustive nature of the SA lists and their supplementary status to the list of EU Triggers, which are always applicable. This clarifies that even if the envisaged processing operation does not meet any of the triggers listed in the applicable SA list, the controller would nevertheless have to vet its processing operations against the EU Triggers.
- Biometric, Genetic and Location Data: The EDPB has clarified that the processing of any such data in conjunction with at least one other criterion would trigger the need for a DPIA, but that it is not a trigger by itself.
- Personal Data from Third Parties: Here as well, the EDPB clarified that this would trigger a DPIA only when it involves at least one other criterion representing high risk.
In spite of the consistency opinions published by the EDPB, in our view certain uncertainties persist when the SA lists are read together with the EU Triggers. Some of these are crucial for businesses seeking legal certainty with respect to processing operations involving more than one MS.
- Jurisdictional Scope of SA Lists: As per Article 35(1) of the GDPR, the obligation to conduct a DPIA rests with the controller. Article 35 also clarifies that it is possible to conduct one DPIA for a set of similar processing operations, even where there is more than one controller. Furthermore, the scope of the GDPR may extend to controllers based outside the EU that conduct processing operations, or affect data subjects, in more than one MS within the EU. In all these circumstances, it is unclear how the SA lists would apply, and which list would take precedence over the other. For instance, if a controller is based in Belgium but conducts processing operations in several locations, does the Belgian SA list apply, read with the EU Triggers, even though the affected data subjects may be in other MSs, or the processing operation is conducted in other MSs? Similarly, if a multinational corporation proposes to conduct the same processing operations in more than one MS, and each of these establishments makes its own decision with respect to the purpose and means of processing, is it still possible for the corporation to conduct one DPIA for the entire set of processing operations? If so, which MS's SA list determines whether a DPIA is required, or does the SA list with the most stringent criteria prevail? One could of course arrive at logical answers to these questions through a detailed analysis of the EU Triggers. However, this exemplifies the lack of practical certainty for economic operators in the EU.
- Specificity of SA Lists: The lists provided by the SAs are not of the same nature as the EU Triggers. The EU Triggers are broader, and each Trigger could apply to several specific processing activities contained in an SA list. For instance, the SA lists are often more specific with respect to the technology used (such as fitness wearables, medical implants, etc.), which may be considered incompatible with the guiding principle of technological neutrality under recital 15 of the GDPR. Barring a few, the lists contain examples rather than specific features of processing.
- Inconsistencies between SA Lists: Certain inconsistencies between SA lists remain. Of course, the intention is not to create one identical list for all MSs, and the consistency mechanism only applies to the factors listed above (relating to the internal market or the monitoring of data subjects). However, which factors could affect the internal market or the free flow of personal data is case-specific, and it is difficult to ascertain that a given criterion will not affect the free flow of data.
- Implications of White Lists: SAs are also empowered to publish White Lists, and Belgium is one of the MSs that has done so. However, it is not clear how the White Lists align with the Black Lists and the EU Triggers. For instance, do they act as vetoes, such that any processing operation involving a characteristic on the White List is exempted from a DPIA?
Alternatively, it is likely that even though a processing operation fits a factor listed in the White List, it could still require a DPIA if other factors provided in the Black List or the EU Triggers apply to it. For example, the Belgian White List clarifies that the processing for the purposes of the administration of salaries of people who work for or on behalf of the controller would not require a DPIA. However, it is unclear whether this would be the case even if the processing involves new technological means or if it allows the controller to evaluate eligibility for future bonus pay.
While many of the inconsistencies addressed above may be resolved through detailed legal analysis on a case-by-case basis, the fact remains that the SA lists fall short of facilitating legal and practical certainty and smooth business decision making.
One way forward could be for the EDPB to issue fresh guidance supplementing the existing Guidelines with specific situational examples involving different jurisdictions and several controllers (based both inside and outside the EU). This would go a long way towards restoring certainty to the DPIA process. The current Guidelines do not mention the SA lists at all, and in our opinion this could prove to be a significant roadblock for economic operators seeking legal and practical certainty around doing business in the EU.