
2019 | Original Paper | Book Chapter

GDPR and the Concept of Risk:

The Role of Risk, the Scope of Risk and the Technology Involved


Abstract

The prominent position of risk in the GDPR has raised questions as to the meaning this concept should be given in the field of data protection. This article acknowledges the value of extracting information from the GDPR and using that information as a means of interpreting risk. The ‘role’ that risk holds in the GDPR, as well as the ‘scope’ given to the concept, are both examined and provide the reader with valuable insight into the legislature’s intentions with regard to the concept of risk. The article also underlines the importance of taking into account new technologies used in personal data processing operations. Technologies such as IoT, AI and algorithms present characteristics (e.g. complexity, autonomy in behavior, processing and generation of vast amounts of personal data) that influence our understanding of risk in data protection in various ways.


Footnotes
1
See [2].
 
2
See [1].
 
3
This prominent position of the concept of risk has led legal scholars to talk about a ‘riskification’ of the EU data protection legislation. See [49]. Also [43].
 
4
See the general legal obligation in Article 24(1) GDPR.
 
5
See for example the legal obligation in Article 35(1) GDPR to perform DPIAs where there is ‘high risk’.
 
6
See [18], 6, [16], 7: “severity and likelihood of this risk should be assessed”.
 
7
Recital 75 GDPR “The risk to the rights and freedoms of natural persons, of varying likelihood and severity […]”,
Recital 76 GDPR “The likelihood and severity of the risk to the rights and freedoms of the data subject […]”.
 
8
Recital 76 GDPR “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”.
 
9
See [41], 14.
 
10
See [14], 8.
 
11
See [14], 9.
 
12
See [13], 4.
 
13
Article 4(1) GDPR: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”.
 
14
See [3], para 68 (Also see, [5], para 37, and [6], para 68).
 
15
See [7], para 28 (Also see, [11], para 39, and [8], para 52).
 
16
See [21], 10.
 
17
See [46].
 
18
See [21], 9.
 
19
Which, as mentioned by Purtova [46], was also followed in the Breyer case [9].
 
20
Check [4], para 72 (“The fact that their character as personal data would remain “unknown” to internet search engine provider, whose search engine works without any human interaction with the data gathered, indexed and displayed for search purposes, does not change this finding”).
 
21
See [16], 10.
 
22
See [13], 13.
 
23
See [10], para 222.
 
24
Article 4(7) GDPR.
 
25
See [14], 2.
 
26
See [28], 22.
 
27
It first appeared as a basic data protection principle in the OECD Guidelines. See [29].
 
28
Alessandro Spina has also talked about a transformation in the GDPR, which is about an “enforced self-regulation model for managing technological innovation in uncertain scenarios”, in Spina [49].
 
29
As has been pointed out by the EDPS [27], para 25: “Article 24 refers to the implementation of all data protection principles and the compliance with the whole of the GDPR”.
 
30
See [30].
 
31
See [20], pp. 2,6; [30], 27.
 
32
See [38], 3.
 
33
Joined cases Digital Rights Ireland and Seitlinger and Others [8], para 40. See also [42]; EDPS [27], para 30.
 
34
Recital 74 GDPR also mentions that the measures taken by controllers should take into account the risk to the rights and freedoms of natural persons.
 
35
See [15], 2.
 
36
See [17].
 
37
See [15].
 
38
This has also been upheld by the EDPS [28], para 104.
 
39
See [23], 3.
 
40
See [30], 19.
 
41
See [35].
 
42
The WP29 itself has also published a Statement on the risk-based approach of the GDPR: See [17].
 
43
See [48]; [43]; [34].
 
44
See [17].
 
45
Subsection on The role of risk.
 
46
See [35].
 
47
This is something acknowledged also by the WP29, which stated that the “risk based approach […] has been introduced recently as a core element of the accountability principle itself”, [17], 2.
 
48
See [35]; [34].
 
49
Article 33 GDPR also refers to the “risk to the rights and freedoms of natural persons” in the case of a data breach.
 
50
See [18], 6. The same position was upheld by the Article 29 WP [17], 4.
 
51
See [18]; [17].
 
52
See [16], 11.
 
53
See [18], 17.
 
54
See [17], 4.
 
55
Recital 4 GDPR “The processing of personal data should be designed to serve mankind”.
 
56
See also Sect. 4 “The technology involved: IoT, AI, algorithms”.
 
57
See [51], 207.
 
58
See [32].
 
59
See [25].
 
60
See [36]. Also see the Ware report, pp. 37–38; and [27], 2: “[…] the birth of this legal concept is linked to the development and popularization of the computers first, and, more recently, of the Internet”.
 
61
See [20], para 43.
 
62
In the Introduction, where I refer to the definition of risk given by the WP29: “A risk is a scenario describing an event and its consequences, estimated in terms of severity and likelihood”.
 
63
Recital 15 GDPR: “In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. […]”.
 
64
See [28], para 38.
 
65
See [20], 12.
 
66
Case Google Spain SL, [3].
 
67
Case Google Spain SL, Opinion of AG JÄÄSKINEN [4], para 10: “the present preliminary reference is affected by the fact that when the Commission proposal for the Directive was made in 1990 the internet in the present sense of the www did not exist and nor were there any search engines. […] nobody could foresee how it would revolutionise the world”.
 
68
See [22] accessed 10 November 2018.
 
69
See also, [53]: “Designing imprecise regulation that treats decision-making algorithms, AI and robotics separately is dangerous. It misinterprets their legal and ethical challenges as unrelated. Concerns about fairness, transparency, interpretability and accountability are equivalent, have the same genesis, and must be addressed together, regardless of the mix of hardware, software, and data involved”.
 
70
See [52].
 
71
See [50].
 
72
See [22].
 
73
See [37].
 
74
See [51].
 
75
See [47].
 
76
Complexity is both on a technical and a contextual level. For a more extensive analysis of “technical and contextual complexity of algorithms” check Vedder and Naudts [51].
 
77
See [24], 9: “[…] (i) the tangible parts/devices (sensors, actuators, hardware), (ii) the different software components and applications, to (iii) the data itself, (iv) the data services (i.e. collection, processing, curating, analysing), and (v) the connectivity features”.
 
78
See [51].
 
79
See [24].
 
80
See [24]: “AI software can reason, gather knowledge, plan intelligently, learn, communicate, perceive and manipulate objects”.
 
81
These are characteristics identified and grouped by the Commission [24].
 
82
Purtova [46].
 
83
Rodotà [38].
 
84
For a more extensive overview of how data protection principles are influenced by the advancement of new technologies, see [52]; also [40] and [43], 6.
 
85
See [19], 9.
 
86
See [39], 21.
 
87
See [26], 39.
 
88
idem, 39.
 
89
Section 2 ‘The role of risk in the GDPR: Accountability & Risk-based approach’.
 
90
Recital 78 GDPR: “[…] producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”.
 
91
Recitals are not legally binding, unlike the substantive provisions of the legal framework. However, they are supposed to “cast light on the interpretation to be given to a legal rule”, [12], para 31.
 
92
See [18], 8: “A DPIA can also be useful for assessing the data protection impact of a technology product, for example a piece of hardware or software, where this is likely to be used by different data controllers to carry out different processing operations. Of course, the data controller deploying the product remains obliged to carry out its own DPIA with regard to the specific implementation, but this can be informed by a DPIA prepared by the product provider, if appropriate.”
 
93
See [27], para 37.
 
94
See [52].
 
95
See [31].
 
96
See [45]; [44]; [33].
 
97
Wachter [52]: “the uncertain value of personal data generated and processed by IoT devices and services necessarily limits the scope of risks that can be foreseen, and thus the protection offered by DPIAs”.
 
References
1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23 November 1995, pp. 31–50 (1995)
2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4 May 2016, pp. 1–88 (2016)
3. Case C-131/12 Google Spain SL, Google Inc. v AEPD, Mario Costeja González ECLI:EU:C:2014:317 (2014)
4. Case C-131/12 Google Spain SL, Google Inc. v AEPD, Mario Costeja González ECLI:EU:C:2013:424, Opinion of AG JÄÄSKINEN (2013)
5. Case C-274/99 P Connolly v Commission ECLI:EU:C:2001:127 (2001)
6. Case C-465/00 Österreichischer Rundfunk and Others ECLI:EU:C:2003:294 (2003)
7. Case C-212/13 Ryneš ECLI:EU:C:2014:2428 (2014)
8. Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others ECLI:EU:C:2014:238 (2014)
9. Case C-582/14 Breyer ECLI:EU:C:2016:779 (2016)
10. Case T-259/03 Nikolaou v Commission ECLI:EU:T:2007:254 (2007)
11. Case C-473/12, IPI EU:C:2013:715 (2013)
12. Case 215/88 Casa Fleischhandels-GmbH v Bundesanstalt für landwirtschaftliche Marktordnung ECLI:EU:C:1989:331 (1989)
13. Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the Concept of Personal Data’
14. Article 29 Data Protection Working Party, ‘Opinion 1/2010 on the Concepts of “Controller” and “Processor”’
15. Article 29 Data Protection Working Party, ‘Opinion 3/2010 on the Principle of Accountability’
16. Article 29 Data Protection Working Party, ‘Opinion 05/2014 on Anonymisation Techniques’
17. Article 29 Data Protection Working Party, ‘Statement on the role of a risk-based approach in data protection legal frameworks’. Technical report WP 218, 30 May 2014
18. Article 29 Data Protection Working Party, ‘Guidelines on Data Protection Impact Assessment (DPIA) and Determining Whether Processing Is “Likely to Result in a High Risk” for the Purposes of Regulation 2016/679’. WP 248 rev 0.1, 4 April 2017. Accessed 4 October
19. Article 29 Data Protection Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679 (WP251rev.01)’
20. Article 29 Data Protection Working Party, WP 168 The Future of Privacy: Joint Contribution to the Consultation of the European Commission on the Legal Framework for the Fundamental Right to Protection of Personal Data. 28
21. Commission of the European Communities, ‘Amended Proposal for a COUNCIL DIRECTIVE on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data’
27. EDPS (European Data Protection Supervisor), ‘Opinion 5/2018, Preliminary Opinion on Privacy by Design’, 31 May 2018
30. Alhadeff, J., Van Alsenoy, B., Dumortier, J.: The accountability principle in data protection regulation: origin, development and future directions. In: Guagnin, D., Hempel, L., Ilten, C., Kroener, I., Neyland, D., Postigo, H. (eds.) Managing Privacy through Accountability, pp. 49–82. Palgrave Macmillan UK, London (2012). https://doi.org/10.1057/9781137032225_4
32. Cadwalladr, C., Graham-Harrison, E.: Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach. The Guardian, 17 March 2018
34. Gellert, R.: Why the GDPR risk-based approach is about compliance risk, and why it’s not a bad thing. In: Schweighofer, E., Kummer, F., Sorge, C. (eds.) Trends und Communities der Rechtsinformatik - Trends and Communities of legal informatics: Tagungsband des 20. Internationalen Rechtsinformatik Symposions - IRIS 2017 - Proceedings of the 20th International Legal Informatics Symposium. Austrian Computer Society, pp. 527–532 (2017)
36. Gellert, R.: Understanding data protection as risk regulation. Internet J. Law 18(11), 3–15 (2015)
40. Kuner, C., et al.: The Challenge of “Big Data” for Data Protection. International Data Privacy Law 2, 47 (2012)
42. Lynskey, O.: The Foundations of EU Data Protection Law. Oxford University Press (2015). ISBN 9780198718239
44. Mantelero, A.: From group privacy to collective privacy: towards a new dimension of privacy and data protection in the big data era. In: Taylor, L., Floridi, L., van der Sloot, B. (eds.) Group Privacy: New Challenges of Data Technologies. PSS, vol. 126, pp. 139–158. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-46608-8_8
47. Pasquale, F.: The Black Box Society: The Secret Algorithms That Control Money and Information. Harvard University Press (2015). ISBN 9780674368279
48. Quelle, C.: The “risk revolution” in EU data protection law: we can’t have our cake and eat it, too. In: Leenes, R., van Brakel, R., Gutwirth, S., De Hert, P. (eds.) Data Protection and Privacy: The Age of Intelligent Machines, 1st edn, vol. 10. Hart Publishing (2017)
50. Tene, O., Polonetsky, J.: Big data for all: privacy and user control in the age of analytics. Nw. J. Tech. Intell. Prop. 11, 239 (2013)
51. Vedder, A., Naudts, L.: Accountability for the use of algorithms in a big data environment. Int. Rev. Law Comput. Technol. - Justice Algorithmic Robes 31(2), 206–224 (2017)
53. Wachter, S., Mittelstadt, B., Floridi, L.: Transparent, explainable, and accountable AI for robotics. Sci. Robot. 2(6), eaan6080 (2017)
Metadata
Title
GDPR and the Concept of Risk:
Author
Katerina Demetzou
Copyright year
2019
DOI
https://doi.org/10.1007/978-3-030-16744-8_10
