In response to increasing interest in a “risk-based” approach among privacy experts, including policymakers working on the proposed EU General Data Protection Regulation (the “Proposed Regulation”), the Article 29 Working Party (the “Working Party”) published a statement on the role of a risk-based approach in data protection legal frameworks (the “Statement”).
The Statement confirms the Working Party’s general support for including a risk-based approach in the EU data protection framework. It also lists numerous examples of the application of a risk-based approach from the current EU Directive 95/46/EC (e.g., Article 7(f) on “legitimate interest,” Article 17 on data security, and Article 8 on processing sensitive data), and from the Proposed Regulation (e.g., as a core element of the accountability principle in Article 22, in connection with privacy impact assessments in Article 33, and in connection with the use of privacy certifications and codes of conduct in Articles 38 and 39).
The Statement sets forth the Working Party’s view that the role of the risk-based approach, properly understood, is to effect “scalable and proportionate” compliance rather than to provide an “alternative to well-established data protection rights.” According to the Working Party, the fundamental principles applicable to controllers (e.g., legitimacy, data minimization, purpose limitation and transparency) should continue to apply under a risk-based approach, though their implementation may be varied according to the risk at hand through the application of accountability tools such as impact assessments, privacy by design, breach notification requirements and security mechanisms.
The Statement also rejects the notion that the risk-based approach might shift the focus of privacy protections from collection to use, arguing that the protection of data as a fundamental right applies to any processing operation from collection to use and disclosure. According to the Working Party, “even with the adoption of a risk-based approach – there is no question of the rights of individuals being weakened in respect of their personal data. Those rights must be just as strong even if the processing in question is relatively ‘low risk’.”