
The Risk-Based Approach to Data Protection

Published By Oxford University Press

ISBN: 9780198837718, 9780191874307

Author(s): Raphaël Gellert

The goal of this chapter is twofold. First, it provides a comprehensive overview of two key notions: risk and regulation. In the case of risk, this includes an explanation of risk and risk management, including an appraisal and description of the technical notion of risk as it appears in ISO Standards. It also provides a discussion of some of the key methods for assessing and managing risks, including some of the main drawbacks and criticisms that have been raised against the use of risk management. In the case of regulation, it includes a more in-depth analysis of the notion and of its constitutive elements; a discussion of the conflation between law and regulation; and a discussion of what exactly the object of regulation is. These discussions of key caveats pertaining to these two notions serve as the backbone of many of the analyses carried out in later chapters (e.g. understanding data protection in the light of the constitutive elements of regulation, discussing various methods for data protection risk management, etc.). Second, beyond these caveats, this chapter also shows and contrasts how both risk and regulation can be analysed as a matter of two balancing exercises with associated safeguards, and hence as variations around the proportionality principle. A grid at the end of the chapter summarises this, with reference to the European Convention on Human Rights proportionality test.


Author(s): Raphaël Gellert

The goal of this chapter is to understand the notion of risk at play in the risk-based approach. As was already alluded to in Chapter 5, the risk-based approach to data protection is only a piecemeal implementation of meta regulation, which focuses primarily on how to better comply with the existing data protection framework. Because meta regulation relies by definition upon risk management (and the risk transformation of regulated organisations), and thus ends up transforming the whole data protection framework into a risk-based one, it is not clear what notion of risk underpins the risk-based approach. As demonstrated, the risk-based approach is predicated upon a notion of compliance risk, which is the only one able to reconcile the piecemeal implementation of meta regulation with the risk transformation of the regulatees. The present chapter will therefore explore this notion of compliance risk. It proceeds in three steps. First, it uses the technical notion of risk put forth by the ISO as a description tool in order to show the differences between the competing understandings of risk. Second, it will define the notion that should have featured in the risk-based approach had it been a full implementation of meta regulation, namely a so-called “data protection risk”. Third, and in contrast, it will analyse the compliance risk at the heart of the risk-based approach.


Author(s): Raphaël Gellert

Chapter 3 shows that a number of the issues that data protection has encountered, and which have served as the impetus for the GDPR reform process, can be understood from the regulatory viewpoint. In particular, they amount to the traditional criticism addressed against command and control rulemaking. It is possible to argue that the command and control model of regulation is based upon two assumptions. First, enforcement is operated through sanctions or the threat thereof (what is referred to as deterrence), and it is assumed that such deterrence always works. Second, it is assumed that the regulatory goals (and the standards and safeguards they lead to) are somewhat unproblematic. This last set of issues is multi-dimensional insofar as it affects the determination of what counts as an adequate standard and safeguard, but it also affects the implementation in practice of these standards. Just as determining which behaviour will lead to the achievement of regulatory goals is less than obvious, so is the concrete implementation of, and compliance with, the various rules that are meant to lead to such behaviour. This is encapsulated, for instance, in the data controllers’ uncertainty about how exactly to apply certain data protection provisions, or in the inefficiency of a number of mechanisms such as notification obligations. Finally, due notice should be paid to technological evolutions, which can aggravate these issues.


Author(s): Raphaël Gellert

The final chapter provides conclusions containing a summary of the main argument pertaining to the risk-based approach as an implementation of meta regulation in the data protection context. It returns to the debate between rights and risk-based approaches with a focus on the issue of standard setting in data protection, given that the latter has been left out of the equation of the risk-based approach. This renewed focus on the distinction between rights and risk-based approaches allows for a final discussion on the pros and cons of the risk-based approach especially in contrast to a command and control type of data protection. Finally, the chapter also reflects on some of the limitations and contradictions inherent in the notion of regulation and regulation models, and what this means for the future of data protection.


Author(s): Raphaël Gellert

Chapter 5 studies in depth the risk-based approach to data protection, including its rationale and its scope. It shows that it is only a partial implementation of meta regulation. Contrary to meta regulation, it refrains from delegating the regulatory function of standard setting to the regulatees. Instead of addressing all of the issues associated with the “diagnosis-prescription” flaw of command and control (i.e. the selection of standards that will lead to satisfactory regulatory outcomes, and the adequate implementation of/compliance with the latter), it only focuses on the better implementation of the data protection provisions. In any case, it is also predicated upon the responsibilisation, and hence the risk transformation, of data controllers’ activities. Such responsibilisation is to be found in the modern principle of accountability. Beyond the GDPR, many contemporary statutes have adopted a similar risk-based approach (even though not explicitly named as such). These include Canada’s PIPEDA, Council of Europe Convention 108+, etc. These various statutes are discussed and contrasted. Key to the discussion are issues such as the safeguards and type of regulatory collaboration these statutes provide for (e.g. data protection impact assessment), or how the risk management obligations fare in comparison to the ISO 31000 (2009) risk management Standard, which can be considered the canon in this matter. Finally, this chapter also examines a number of policy proposals that featured a different type of risk-based approach, namely one that espouses meta regulation’s delegation of the standard setting function to the regulatees.


Author(s): Raphaël Gellert

The introductory chapter frames the way the topic of the risk-based approach will be addressed throughout the book. Rather than studying the risk-based approach as a given that is often seen as the irreconcilable opposite of the so-called rights-based approach (directly stemming from the status of data protection as a fundamental right of the EU), it sees the risk-based approach instead as the latest avatar of a series of regulation models applied in the data protection context. If the risk-based approach is the implementation of a regulation model to data protection, this means that the rights-based approach, and data protection more generally, has always had something to do with regulation. Furthermore, given the crucial importance that risk management tools play in the regulation model at stake, the issue becomes one of the entanglement of data protection law, risk, and regulation. One of the main points put forth is that the principle of proportionality is common to data protection law, regulation, and risk. From this perspective it frames the shift from the rights-based approach to the risk-based approach as a matter of variations around the proportionality principle. These variations are encapsulated in the different models of regulation at play: from the command and control model of the Data Protection Directive, to the meta regulation model underpinning the risk-based approach in the GDPR and other statutes.


Author(s): Raphaël Gellert

The goal of this chapter is to analyse some of the main caveats associated with the risk-based approach in practice, that is, with the use of meta regulation. The risk-based approach is an attempt to address some of the issues that data protection as command and control regulation has faced. However, in trying to address these issues, and in particular (but not only) through the use of risk management as the main tool of regulation, the risk-based approach creates a number of new problems. In particular, one can distinguish between three different kinds of issue: methodological issues concerning techniques for assessing and managing risks; regulatory issues, in particular as far as the collaboration between regulators and regulatees is concerned; and implementational issues, that is, concerning the way in which risk management is actually implemented in practice, “on the ground”.


Author(s): Raphaël Gellert

Chapter 4 explains the rationale for changing regulatory models from the standpoint of regulation theory. A newer model of regulation known as meta regulation is sought as a solution to the main issues plaguing command and control regulation. Namely, the effectiveness of deterrence strategies has often been deceiving, and linear processes of standard setting and the safeguards associated thereto have not always managed to properly address the harms stemming from data processing practices. Therefore, evolutions in regulation models have sought to address these two issues by resorting to more collaborative models of regulation. Following collaboration between regulators and regulatees, enforcement will cease to be sought through punishment, but rather through collaboration and dialogue between the regulator and the regulatee, the object of such dialogue being a problematisation of how best to achieve regulatory goals. Simultaneously, in terms of standard setting and safeguards, new regulation models will consist in endowing regulatees with regulatory responsibility (in terms of implementing or even devising standards and safeguards), and enabling regulators to assess their performance. Particular emphasis is put on the responsibilisation of the regulatees. The latter is the necessary condition for any collaborative model of regulation. Meta regulation is the collaborative model of regulation at stake. It bestows regulatory tasks (i.e. standard setting, monitoring, and behaviour control) upon regulatees, and it underpins the risk-based approach to data protection. Such responsibility, however, also entails a re-coding of the regulatees’ activities as a matter of risk management.


Author(s): Raphaël Gellert

Chapter 2 demonstrates that data protection can be understood as command and control regulation by applying the three constitutive elements of regulation (standard setting, monitoring, behaviour control) thereto. If one wants to understand the modus operandi of newer models of regulation as applied to data protection (namely the risk-based model of regulation), one must first understand the basis, that is, how data protection can be understood as regulation in the first place. This standpoint has another corollary. Since newer models of regulation are featured in contemporary statutes (with the GDPR as a prime example), an understanding of data protection as command and control regulation entails studying less contemporary statutes. The prime case study will therefore be the EU Data Protection Directive, which, even though no longer in force, is considered a suitable case for analysis as it embodies earlier models of regulation. Because this chapter is retrospective in scope (i.e. looking at previous data protection statutes in order to better understand the current ones), it often refers to historical sources of data protection (e.g. statutes and literature).

