by Camilla Questa and Birgitte Kofod Olsen
Overview of the EDPB’s Opinions on the Blacklists submitted by the supervisory authorities
Under article 35, the GDPR requires data controllers to conduct a data protection impact assessment (DPIA) on activities likely to pose a high risk to individuals, due to their nature, scope, context or purpose.
To help data controllers identify such activities, each national supervisory authority (SA) is required to establish a so-called Blacklist: a list of processing activities that automatically trigger the performance of a DPIA within its member state.
National supervisory authorities are free to determine the scope of their lists. However, to ensure consistency across the EU and avoid complications for data controllers operating in more than one member state, the European Data Protection Board (EDPB) is responsible for reviewing the lists through binding Opinions.
WP 29 DPIA criteria
To guide the national authorities in drafting their lists, in April 2017 the former Working Party 29 issued the Guidelines on Data Protection Impact Assessment (DPIA).
In these guidelines the WP29, elaborating on article 35 of the GDPR, sets out 10 criteria indicating when an activity is likely to result in high-risk processing (figure 1). In October 2017, the Guidelines were revised and the criterion “data transfers across borders outside the EU” was removed from the list of high-risk processing, reducing the list to 9 items.
Besides indicating the risk areas, the WP29 gives some guidance as to when a DPIA is needed by affirming that – in most cases – a processing activity meeting two criteria is likely to pose a high risk for data subjects and therefore triggers a DPIA (“2 criteria rule of thumb”). However, the WP29 does not exclude that in other cases the presence of a single criterion is enough to start an impact assessment.
DPIA triggering criteria
At its third plenary meeting on September 25th, the EDPB adopted a series of opinions concerning the draft Blacklists received from 22 member states (Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Latvia, Malta, Netherlands, Poland, Portugal, Romania, Sweden, Slovakia and the UK).
The lists have not yet been published by all 22 supervisory authorities and therefore it is not possible to obtain a full overview of the “risky” processing activities.
This is also due to the fact that the EDPB Opinions cover only processing activities within the scope of article 35.6 of the GDPR (i.e. activities related to the offering of goods or services to data subjects, or the monitoring of their behavior in several Member States, or activities that may substantially affect the free movement of personal data within the Union).
However, the EDPB’s input helps us to shed some light on the processing activities that require a DPIA. Across the 22 lists, the EDPB has identified the following 9 DPIA-triggering criteria:
The EDPB established that the presence of one of the abovementioned criteria triggers a DPIA only in conjunction with another criterion. In other words, the Board endorses the Working Party 29 Guidelines by recommending that the authorities follow the “2 criteria rule of thumb” suggested by the WP29.
The EDPB further upholds the work done by the WP29 by requiring national authorities to make explicit reference in their final Blacklist to the criteria established in the DPIA Guidelines.
Looking at the WP29 criteria and the ones suggested by the EDPB, it is possible to see many similarities. However, the choice of the EDPB to consider the processing of location data as a criterion on its own suggests that location data per se entails a sort of systematic monitoring that negatively impacts the private lives of data subjects.
National high risk areas
It is important to stress that not all 9 criteria were mentioned in every Blacklist, and therefore they will not be considered high risk areas in every member state.
This is not only because each SA has a margin of discretion in drafting the lists, but also because the aim of the EDPB is to ensure consistency across the EU, rather than to develop a common European Blacklist. The distribution of the DPIA-triggering criteria among the 22 member states’ lists is shown below (Table 1).
There seems to be general agreement among the national authorities that the processing of genetic data, as well as the processing of biometric data for identification purposes, constitute two high risk areas (with 18 and 16 authorities respectively mentioning the criteria in their lists).
Another well acknowledged DPIA-triggering criterion is the processing of data through new or innovative technologies, with 16 out of 22 SAs agreeing upon it.
In addition to these 9 high risk areas, the EDPB has qualified 2 specific processing activities as capable of automatically requiring a DPIA: the monitoring of employees and the processing of health data carried out with the aid of an implant.
This choice seems to follow the logic of the “2 criteria rule of thumb” mentioned above. With regard to employee monitoring, the two criteria are systematic monitoring and vulnerable subjects; with regard to the processing of health data carried out with the aid of an implant, the criteria are sensitive data and the use of innovative technologies.
The monitoring of employees represents a widely recognized risky processing activity, with 17 SAs including the element in their lists; the other criterion – processing of health data carried out with the aid of an implant – is not “agreed” upon as strongly: only Belgium, Greece and Portugal mentioned it as a DPIA-triggering processing activity.
Besides the 9 high-risk areas discussed so far, half of the authorities have indicated other DPIA-triggering items. However, their Blacklists have been “reduced” by the EDPB (indicated in yellow in Table 2), as some of the criteria have been deemed unnecessary and not requiring an impact assessment, not even in conjunction with another criterion.
The EDPB’s choice can be read in the light of overcoming the challenges of consistency in practice (as pointed out by Andrea Jelinek, the Chair of the EDPB).
Among the excluded criteria are: data processing through interfaces of personal electronic devices not protected against unauthorized readout, the reference to a specific legal basis, joint controllership, the use of territorially distributed/cross-border information systems, further processing and processing made in the context of international transfers.
The presence of more risky activities in the SAs’ Blacklists suggests a more cautious approach by the authorities towards high-risk areas and consequently a disposition to ensure a higher level of protection for data subjects.
Not only has the EDPB suggested the removal of some criteria, but it has also recommended the introduction of additional criteria to ensure consistency across the EU (indicated in green in Table 2). This is the case for the processing of location data, genetic data and biometric data for identification purposes.
The choice of the EDPB to extend these three criteria to every member state is significant and can be read in the light of the increasing spread of monitoring and profiling activities over the last decade, which can have consequences for the protection of individuals’ personal data.
Croatia, Denmark, Luxembourg and Slovenia
More recently, four other member states (Croatia, Denmark, Slovenia and Luxembourg) have submitted their Blacklists to the EDPB, which were reviewed at its last plenary meeting, held on December 4th.
Now only 2 SAs are left to submit their draft lists: Cyprus and Spain.
In the latest Opinions, besides confirming most of the already mentioned DPIA-triggering criteria, the EDPB acknowledged a new high risk processing activity mentioned exclusively by the Luxembourg supervisory authority: processing consisting of or involving the systematic monitoring of publicly accessible areas.
This criterion must be present in conjunction with another criterion to trigger a DPIA, and it confirms the high risk processing activity listed in the WP29 Guidelines (systematic monitoring).
The EDPB also advised excluding from the Croatian list the processing of data generated by sensor devices transmitting data over the Internet or other information transfer technologies, since, as worded, the item could be applied too broadly.
Given that their lists were submitted after the adoption of the first 22 EDPB Opinions, it was somewhat expected that these four member states would incorporate the EDPB’s advice in their draft versions, not only with regard to the high-risk areas, but also with regard to the reference to the WP29 Guidelines and the “2 criteria rule of thumb”.
This seems to be the case only for Denmark, for which the EDPB had no recommendations at all, as the list does not contain any provisions that might lead to an inconsistent application of the requirement to conduct a DPIA.
In fact, the Danish Datatilsynet Blacklist (Figure 2) not only endorses the approach suggested by the EDPB (the “2 criteria rule of thumb”), but also incorporates many of the 9 high-risk areas previously suggested by the Board (i.e. processing of biometric data, genetic data, location data, processing on a large scale and the use of new/innovative technology).
Distinctly different from the other lists is the choice of requiring a DPIA with regard to processing where a personal data breach could have a direct effect on the physical health or safety of individuals.
This would typically form part of the assessment of risks to the data subject, as part of the general risk assessment of data processing activities or as part of a DPIA. By not drafting any recommendations in its Opinion to the Danish SA, it seems however that the EDPB supports this approach.
The EDPB has the tough task of ensuring consistency across the EU and, in reviewing the DPIA Blacklists, it had to engage concretely with the benefits and challenges of what consistency means in practice.
In fact, as emerges from our analysis, member states have different approaches as to when a processing activity is likely to result in a high risk for data subjects, and it is not easy to introduce a common view across them. Some countries, like Bulgaria, Portugal and Slovakia, seem to prefer a more cautious approach, including 9 criteria in each of their Blacklists.
Others, like Estonia, France and Poland, favor a more “relaxed” attitude, listing only 2 or 3 high risk items. However, as mentioned earlier, the criteria discussed here are the ones reviewed by the EDPB, which include only the processing activities within the scope of article 35.6 of the GDPR.
We will have to wait for the definitive Blacklists of each member state to get a full picture of their approach and to understand to what degree a coherent framework will be achieved in practice at the EU level.