< Terug naar vorige pagina

Publicatie

We Have Always Managed Risks in Data Protection Law: Understanding the Similarities and Differences Between the Rights-Based and the Risk-Based Approaches to Data Protection

Tijdschriftbijdrage - Tijdschriftartikel

Recent years have seen the emergence of a so-called risk-based approach to data protection. It is meant to address the purported shortcomings of the traditional EU data protection principles (such as data minimisation, purpose limitation, etc) with regard to evolving data processing practices (eg, profiling, big data). It does so by replacing these principles with risk analysis tools, the goal of which is to assess the benefits and harms of each processing operation and on this basis to manage the risk, that is, to take a decision whether or not to undertake the processing at stake. Such risk-based approach has been hailed as diametrically opposite to the legal, rights-based nature of data protection. This contribution investigates this opposition and finds that the two approaches (risk-based and rights-based) are actually much more similar than is currently acknowledged. Both aim at managing the risks stemming from data processing operations. This is epitomised by the fact that they have the exact same modus operandi namely, two balancing tests, with risk reduction measures (known as safeguards in the legal context) associated to the second balancing. Yet, if both approaches manage data processing risks, they nonetheless do so differently. Whereas the risk-based approach manages risks in a contextual, tailor-made manner, the rights-based approach manages risks from the outset once and for all. The contribution concludes with a discussion and possible policy recommendations highlighting the benefits and drawbacks of each approach.
Tijdschrift: European Data Protection Law Review
ISSN: 23642831
Issue: 4
Volume: 2
Pagina's: 481-492
Jaar van publicatie:2016