Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2018
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
For a Panel at CPDP, Brussels, 27 January 2017
Notes of 19 January 2017
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2017
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/PIAvsDPIA.html
The supporting slide-set is at http://www.rogerclarke.com/DV/PIAvsDPIA.pdf
The purpose of the brief discussion-segment within the Panel is to identify and discuss the distinction between the well-established concept of a Privacy Impact Assessment (PIA) and the newly-defined notion of a Data Protection Impact Assessment (DPIA) under EU GDPR Art.35.
"A PIA is a systematic process, which identifies and evaluates from the perspectives of all stakeholders the potential effects on privacy of a project, initiative or proposed system or scheme and which includes a search for ways to avoid or mitigate negative privacy impacts" (Clarke 2011).
Here's a long definition from Clarke (2009).
What I think are the key issues are highlighted with '**':
"A PIA is properly distinguished from other kinds of activities by the following characteristics:
At CDPD 2014, I distinguished a dozen 'assessment categories' on the basis of their focus (Clarke 2014).
The three that are relevant to this discussion are:
At CDPD 2014, my criticisms of the (then) GDPR Art.33 were (Clarke 2014):
My subsequent criticism of the (now) Art.35 were (Clarke 2016):
My personal conclusions are that the EU notion of a DPIA falls so far short of a PIA as to raise doubts about whether it has any value as a privacy-protective mechanism.
A DPIA is merely an assessment of compliance with existing law(s).
It is not an assessment of privacy impact, nor even of data privacy impact.
Organisations are already subject to the obligation to comply with data protection laws.
So they are also already subject to an obligation to assess their compliance in advance of implementing new initiatives.
In other words, the Art.35 DPIA provisions make almost no improvements to privacy protection. At best, there may be very modest progress as a result of Art.35.7 confirming some of the actions needed ("a systematic description", and assessment of "necessity and proportionality"):
CCTV, body-worn cameras and drone-borne cameras may record data. But they can also stream data to an observer without recording it. And they can also cause people concern just by being there without being switched on - and indeed the mere possibility that they may be around is upsetting to various individuals under various circumstances.
Where visual surveillance doesn't give rise to any recorded data:
(a) can a DPIA consider the impact on the privacy of personal behaviour of:
(i) the operation of cameras?
(ii) the existence of cameras?
(iii) the possibility of the existence of cameras?
(b) *must* a DPIA ... (etc.)?
Substance (ab)use testing and DNA testing are being imposed in a wide variety of circumstances, including in workplaces, on highways, and in the vicinity of crime scenes.
(a) Must a DPIA consider the data-creation and data-handling practices associated with such activities?
(b) Does it make any difference if the material is collected as a result of a 'request' rather than a 'demand' backed by legal authority?
(c) Can a DPIA consider the impact of the data collection process on:
(i) the privacy of the physical person?
(ii) the privacy of personal behaviour?
(d) *Must* a DPIA ... (etc.)?
Clarke R. (1997) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms' Xamax Consultancy Pty Ltd, August 1997, PrePrint at http://www.rogerclarke.com/DV/Intro.html
Clarke R. (2009) 'Privacy Impact Assessment: Its Origins and Development' Computer Law & Security Review 25, 2 (April 2009) 123-135, PrePrint at http://www.rogerclarke.com/DV/PIAHist-08.html
Clarke (2011) 'An Evaluation of Privacy Impact Assessment Guidance Documents' International Data Privacy Law 1, 2 (March 2011) 111-120, PrePrint at http://www.rogerclarke.com/DV/PIAG-Eval.html
Clarke R. (2014) 'Approaches to Impact Assessment' Notes for a Panel Presentation at CPDP'14, Brussels, 22 January 2014, on the topic of 'Legal and Non-Legal Technology Impact Assessments', PrePrint at http://www.rogerclarke.com/SOS/IA-1401.html
Clarke R. (2016) 'Regulatory Failures in the Security Space: Some Current Cases' Presentation to the Norwegian Research Center for Computers and Law (NRCCL), University of Oslo, 29 August 2016, and to the Crime and Justice Research Centre at QUT in Brisbane, 12 September 2016, at http://www.rogerclarke.com/DV/RFSS.html
EU GDPR (2016) 'EU General Data Protection Regulation', April 2016, at http://www.privacy-regulation.eu/en/index.htm
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in Cyberspace Law & Policy at the University of N.S.W., and a Visiting Professor in the Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 19 January 2017 - Last Amended: 19 January 2017 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/PIAvsDPIA.html