Towards a right to Data Protection Impact Assessment? [August 2022]

  • August 23, 2022

EUTOPIA PhD co-tutelle fellow Alessandra Calvi (VUB, LSTS, d.pia.lab & CYU, ETIS) proposes a conceptualisation of a “right to DPIA” and suggests how existing legal remedies could (or could not) be used by data subjects and their representatives to enforce it.

When reflecting on the General Data Protection Regulation (GDPR) provisions aimed at empowering individuals, the most immediate link to such empowerment appears to be in Articles 12 to 22, on data subject rights. Yet even apparently procedural requirements, such as Article 35 on Data Protection Impact Assessments (DPIAs), aim at substantively protecting all individuals' fundamental rights connected to the processing of personal data, and even collective interests (Hakkarainen, 2021; Ivanova, 2020). A recent decision of the Greek data protection authority (DPA), which sanctioned a company due to the poor quality of its DPIA, confirms that they are not to be considered just formalistic exercises.

Nowadays, data subjects and their representatives, and natural and legal persons in general, can report any sort of suspected GDPR violation. However, the predominant view of DPIAs is as mere duties of a data controller. This is why Article 35 infringements are usually addressed only on the DPAs' initiative. Yet this approach overlooks the potential of DPIAs as tools for the protection of fundamental rights, and the role that data subjects could play in detecting DPIA-related violations and in improving the overall data processing. To better protect fundamental rights and further empower data subjects, I suggest extrapolating from Article 35 a right to a DPIA.

Advocating for a right to DPIA

Admittedly, a right to a DPIA would suffer from the same criticism as other ex post remedies in data protection law, for example data subjects' rights and access to justice. Scholars have expressed concerns about the gendered and racialised connotation of the data subject implied in the GDPR (Kadiri, 2021; Malgieri & González Fuster, 2021), the lack of awareness about data subjects' rights among the general public, the high rates of non-compliance of controllers with data subjects' requests and even the lack of proper follow-up to complaints by DPAs (González Fuster et al., 2022; Mahieu & Ausloos, 2020). Moreover, the overall individual-centred legal paradigm characterising procedural laws in the European Union, which grants locus standi only to pre-defined categories of subjects, collectives and situations capable of demonstrating a specific connection to the matter complained of, has been deemed unsuited to address the challenges of data-driven societies (European Union Agency for Fundamental Rights, 2018; van der Sloot & van Schendel, 2021). Whereas the GDPR opens toward data subjects' representation and collective actions with Article 80, it remains influenced by this structure. Indeed, the general rule under Article 80 establishes that data subjects have the right to mandate representatives (such as not-for-profit bodies, organisations or associations "properly constituted in accordance with the law") to exercise the legal remedies referred to in Articles 77 and 79. Only exceptionally, where Member State law so provides, can these entities bring actions against a controller or processor without a specific mandate, and only in so far as they consider that the rights of a data subject have been violated as a result of the processing, even when this subject remains unidentified. Thus, actions advocating for a public interest in data protection would not be possible (González Fuster, 2020).
Besides, transparency about DPIAs is a necessary precondition for becoming aware of Article 35 infringements, and the GDPR still leaves much to be desired in that respect. Indeed, although publishing DPIA reports or parts thereof is a best practice (Kloza et al., 2017), the Regulation does not require it, nor does it oblige data controllers to disclose even minimal information about the process.

Aware of these important limitations, I nevertheless contend that granting data subjects and their representatives a right to a DPIA is an option worthy of further investigation. Whereas ex post remedies do not automatically ensure the empowerment of data subjects, especially when they belong to vulnerable or marginalised groups, they nevertheless equip them with extra safeguards. Far from undermining the nature of DPIAs as an ex ante tool, an additional ex post right to a DPIA could mitigate the risk that data controllers engage in arbitrary decisions, such as underestimating risks and overlooking data subjects' involvement.

Conceptualising a right to DPIA

So, how could a right to a DPIA be conceptualised? There are at least two possibilities. The first, building upon a teleological interpretation of Article 35, encompasses a right for data subjects (and their representatives) to demand that data controllers perform a DPIA. Considering that DPIAs aim at informing the decision-making of controllers, with the ultimate goal of ensuring better protection of fundamental rights, and particularly the data protection of natural persons, not performing one could more easily result in fundamental rights violations (Kloza et al., 2017). Here lies the interest of data subjects in demanding that data controllers perform them. The second, deriving from Article 35(9), encompasses a right for data subjects to be consulted in the DPIA process. Such a right to be consulted would mirror the obligation for controllers to, where appropriate and "without prejudice to the protection of commercial or public interests or the security of processing operations", "seek the views of data subjects or their representatives on the intended processing".

How data controllers would react to requests to perform DPIAs and to consult data subjects during the process is uncertain and could be the object of a future empirical study. However, considering that even "traditional" data subjects' requests often remain unanswered, it is reasonable to assume that, if ever recognised, the right to a DPIA would face the same challenges. Articles 77 and 79 could then play a fundamental role in its enforcement. But to what extent?

Enforcing the right to DPIA under Articles 77 and 79 GDPR

Article 77 states that data subjects (or their representatives) have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the Regulation. The two conditions for lodging a complaint are (1) the existence of a processing of personal data related to the data subjects; and (2) that such processing infringes the Regulation. Article 79 GDPR grants data subjects whose rights under the GDPR have been infringed as a result of the processing of their personal data in non-compliance with the Regulation the right to "an effective judicial remedy" against a controller or processor. Whether the scope of Article 79 overlaps entirely with that of Article 77 is debated. However, following a literal interpretation of Article 79, the conditions for bringing a claim before a court are (1) the existence of a processing of personal data related to the data subjects; (2) the fact that such processing is non-compliant with the Regulation; and (3) that the data subjects consider that this non-compliant processing led to an infringement of their rights under the GDPR. Thus, the requirements for bringing a claim before a court appear stricter, because the causality between the non-compliant processing and the infringement of the rights needs to be demonstrated.

Under both Articles 77 and 79, a necessary condition for complaining is the existence of a processing of personal data related to data subjects. Meanwhile, as a general rule, a DPIA precedes the processing operations. However, this is not an unsolvable inconsistency. The fact that a DPIA has not been performed before the start of the processing does not exclude that it will be carried out at a later stage. DPIAs are processes, which can, and in certain situations shall, be revisited (Article 35(11)). A "late" DPIA could still be beneficial for data subjects and provide important insights as to how to (re)shape the processing in such a way as to further mitigate risks to their rights and freedoms (Kloza et al., 2020).

To complain to a supervisory authority under Article 77, data subjects have to demonstrate that their data are being processed (which could be done by exercising a data access request under Article 15) and that the processing "infringes the Regulation". This formulation is broad enough to encompass all GDPR provisions, not just the data subjects' rights listed in Articles 12 to 22. Starting personal data processing without performing a DPIA when one is otherwise required by law would represent an infringement of the GDPR. Thus, even under the current legal regime, and even lacking an express acknowledgement of a right to demand a DPIA, it seems possible for data subjects to complain to a supervisory authority about the lack thereof (on the condition that they specify why they deem a DPIA legally required in that specific case).

Complaining to a court, instead, appears much more problematic. To comply with the third requirement set by Article 79, data subjects would have to prove the causality between the non-GDPR-compliant processing (i.e., processing lacking a DPIA when one is otherwise required) and an infringement of their rights under the GDPR. Unless the right to demand a DPIA is acknowledged, the provision could not be invoked for Article 35 violations. Even when interpreting the wording "rights under the GDPR" consistently with Article 1(2), so as to encompass all rights that could be affected by the processing, data subjects would have to demonstrate that the violation of their rights specifically derived from the lack of a DPIA, which is impossible.

Likewise, Articles 77 and 79 do not provide any basis for the enforcement of the right to be consulted in a DPIA process. Indeed, the violation of the right to be consulted does not stem directly from data processing. Instead, it would derive from the infringement of a procedural requirement imposed on data controllers to consult data subjects in certain situations.

In conclusion, the current formulation of Article 35 already provides some grounds for the conceptualisation of a right to a DPIA. Nevertheless, the possibilities for its enforcement remain extremely limited. To turn DPIAs into fully-fledged instruments for the protection of fundamental rights, it would be necessary to engage with significant GDPR revisions, such as enhancing the transparency requirements about DPIAs, strengthening the public participation element within them, and rethinking the overall framework for collective representation of data subjects and legal standing.

This contribution is based on a section of the draft paper "Data Protection Impact Assessment in the European Union: a feminist reflection", which was presented at the Privacy Law Scholars Conference held at Northeastern University in Boston in June 2022.