Let’s Return Risk to the Risk Based Approach

Professor Lokke Moerel is right.  The European data protection commissioners have done their best to use cases, guidance, and opinions to write the risk-based approach out of the General Data Protection Regulation (GDPR).  Professor Moerel’s article, “What happened to the Risk Based Approach to Data Transfers?,” looks at the law, legislation history, guidance and the European Court of Justice opinions to prove that accountability, the basis for the risk-based approach, is about responsible data use, not just about evidence of compliance.  She also documents the pushback during the legislative process from the Article 29 Working Party on responsible use as the key to accountability.

The Galway Project, which began in 2009 (2009 also was the first year of the Global Accountability Dialog), defined the modern data protection accountability principle and gave rise to the essential elements of accountability.  At the Project’s very first meeting, the group, comprised of data protection and privacy regulators, NGOs, and business, defined accountability as being responsible and answerable for the rights secured by data protection.  Almost from the beginning, there was a framing by some agencies that accountability should be used to correct weaknesses in basic privacy protections by forcing controllers to document their work.  But documentation of work is the second part of the equation — being answerable.  The question is answerable for what?  The response is being a responsible steward for data. 

The risk-based approach was the great promise for the GDPR.  It would put new obligations on organizations but would also create the pathway to fulfilling the full range of human rights and interests that come into play in an information age.  Organizations would identify stakeholders and their interests and would assess whether data use was in balance by conducting data protection impact assessments (DPIAs) in a competent and honest fashion.  That documentation then would be available to regulators, who would judge whether the organizations were using the data in a person-forward fashion.

But this approach only works if regulators recognize that accountability requires organizations to be responsible and then answerable for being responsible.  Regulators in Canada, Hong Kong, Colombia, the Philippines, Australia, and Bermuda recognize this concept.  In a 2013 meeting with the Article 29 Working Party, I was asked what the one thing was that European DPAs could do to encourage accountability, and I said duplicate the guidance issued by the Canadian commissioners.  That guidance was never issued in Europe.

In 2021, the IAF conducted a project, “Risk of What?,” to identify why consensus on risk was so difficult in the privacy/data protection field.  The “Risk of What?” project led to the learnings that stakeholders have a first take on the worst case and that each stakeholder has their own worst case.  These learnings led the IAF to suggest that graphic representations of stakeholders, fundamental rights and interests, and adverse outcomes would begin to resolve the issue.  But that type of resolution only works if the objective for data protection is responsible use.  The overarching GDPR requirement that processing must be fair leaves the impression that organizational responsible use is possible.

However, Professor Moerel reminds us that recognition and application of the risk-based approach, the basis for accountability, requires an understanding of the GDPR’s legislative history, guidance, and court decisions.  The IAF will continue to advance accountability as the responsible information governance system in this complex digital ecosystem, but it would be helpful if regulatory authorities would read Professor Moerel’s article with an open mind.