22 – yes 22 – lists of when a data protection impact assessment, or ‘DPIA’, is and isn’t required have been reviewed by the European Data Protection Board (the ‘Board’). The opinions are to be welcomed and gave very valuable guidance. We’ve read all 22 opinions for you and summarised your key take-aways below.
The ‘Board’ is, in practice, the new GDPR-name for the Article 29 Working Party, made up of the national European data protection authorities and the European Data Protection Supervisor. On 3 October 2018, the Board published its opinions on the lists presented to it by 22 national data protection authorities, or ‘DPA’s.
But the key point is that 22 of the 28 Member States filed lists, and the 22 lists contained 260 different types of processing.
The GDPR harmonises many of the rules on data protection in the EU (and by extension the EEA and other places in the world where the GDPR applies to organisations for one reason or another). This is also very welcome.
But organisations like certainty in order to plan and process-build to ensure compliance wherever they operate, and the GDPR leaves a certain discretion to Member States and their individual DPAs in a number of areas, even such key areas as data protection impact assessments. No doubt the political difficulties of achieving full harmonisation across all areas are insurmountable. But organisations the world over will benefit from rapid clarity here and in other areas where Member States have more discretion to take different positions, such as the age for parental consent for certain services directed at children and exemptions to the GDPR.
The EDPB Chair, Andrea Jelinek said: “It has been an enormous task for the members of the Board as well as the EDPB Secretariat to examine all of these lists and to establish common criteria on what triggers a DPIA and what not. It was an excellent opportunity for the EDPB to test the possibilities and challenges of consistency in practice. The GDPR does not require full harmonisation or an ‘EU list’, but does require more consistency, which we have achieved in these 22 opinions by agreeing on a common view.”
Even the Board, professional privacy regulators, found it ‘an enormous task’ to examine all the lists and establish common criteria. The national DPAs will now review their lists according to the Board’s opinions.
This national divergence flows down to the DPIA itself. In its [NB: instant download] Guidelines on DPIAs (WP248 rev01), the Art 29 Working Party declined to determine a set form for DPIAs, instead referring to what the GDPR requires it to cover. DPAs, led by the UK ICO and France’s CNIL, are issuing their preferred forms and even free software. However, the GDPR itself does not set out a template and the Art 29 WP stated that organisations can choose their own, provided that it covers the required areas. Similar national differences are appearing in breach reporting.
Without detracting from our comments above, we do want to reiterate our belief that we in the privacy world are lucky to have the regulators we do, and that the DPAs do generally take practical and reasonable positions – and a business-friendly and commercial approach – in a very difficult arena. Also, in its 22 responses to the DPA lists, the Board (following the Art 29 WP’s example) strikes a very practical note. We recognise the immense difficulty in negotiating a law to apply equally across 28 different countries.
However, we also recognise the immense difficulty for organisations trying to be good citizens and comply with personal data laws in the EU at the present time. We say ‘at the present time’ because the fines for non-compliance can run far higher than in pre-GDPR days, which is putting huge pressure on organisations when there can be difficulty in nailing down exactly what they need to do across the EU. In this context, guidance from the DPAs and the Board is very valuable, even if organisations would benefit from less reading material.
So, to the Board’s responses and what they tell us about DPIAs and, in turn, risk under the GDPR. As we know, the GDPR requires a DPIA be carried out when the processing in question ‘is likely to result in a high risk to the rights and freedoms of natural persons’ (Art 35).
The Board has confirmed that the following criteria do not, on their own, automatically mean you have to do a DPIA (and therefore do not automatically mean there is a high risk) and only trigger a DPIA in conjunction with another criterion. These include:
In the realm of employment, the Board confirmed that ‘employee monitoring processing, meeting the  criterion of vulnerable data subjects and of systematic monitoring in the [criteria 3 and 7 in Art 29 WP’s WP248] guidelines, – could require a DPIA‘. And on health, the Board confirmed that ‘processing of non-health data with the aid of an implant does not require a DPIA in every instance‘.
This is welcome guidance on the risk-balancing exercise organisations are coming to grips with, not just for DPIAs, but for breaches and other GDPR topics.
The Board also very helpfully clarified that some activities are not a criterion for DPIAs, alone or in conjunction with other criteria, for example:
The Board also stated its position that the Art 29 WP Guidelines on ‘large scale’ were sufficient and that Greece and Estonia should remove their explicit figures in their list and refer to the Art 29 Guidelines (something Estonia wasn’t too happy about). Those Guidelines can be found in criteria 5, page 10 of WP 248 rev01 on DPIAs above, and para 2.1.3 of [NB: instant download] WP 243 rev01 on DPOs.
The Board is continuing the Art 29 WP’s excellent work, and the DPAs are producing guidance at a commendable rate of knots. These latest publications give practitioners some much-needed clarity on risk and DPIAs under the GDPR. We look forward to much more, in as few documents as possible.
The Schrems II decision came out nearly 2 years ago, on 16 July 2020. Given the enormous data flows from the EEA and UK to the USA, and many unanswered…