Adjudicating personal data protection in the European Union: what to expect from impact assessments?

Activity: Participating in or organising an event; Participation in conference


The European Union (EU)’s General Data Protection Regulation (GDPR) brings to the fore a plethora of novel solutions aiming at, inter alia, better safeguarding interests of individuals whenever their personal data are being handled. Amongst these novelties is an obligation, imposed on data controllers, to carry out – before these data are handled – a data protection impact assessment (DPIA). This process is required to be conducted for data handlings capable of presenting “high risk” to the “rights and freedoms of natural persons” in order to “ensure the protection of personal data and to demonstrate compliance” with the law (Article 35 GDPR). In parallel, a similar obligation is present – so far – in two other EU legal instruments, namely Directive 2016/680 on the protection of personal data in criminal matters (Article 27) and Regulation 2018/1725 on their protection while handled by EU institutions and bodies (Article 39).
Much ink has already been spilled over DPIA, but not much attention has been paid thus far to its relationship with the law. Drawing on the experience of impact assessments in other domains, it is expected that DPIA could become a powerful tool of compliance with, and the enforcement of, personal data protection law in the EU. However, DPIA as such – as mandated by the GDPR – has never yet been the object of any judicial or extra-judicial proceedings. Once DPIA enters a courtroom – due to, inter alia, the minimalistic contents of the main provisions mandating it, occasional vagueness of the terminology used therein, and rather high fines for non-compliance and malpractice – it is equally expected that the obligation to conduct a DPIA would provoke a number of legal questions, further magnified by the relative novelty of this requirement.
Hence, the aim of this workshop is to map and subsequently analyse possible legal questions concerning DPIA that might emerge in the setting of legal proceedings, at both national and EU level. For example, how exactly the “necessity and proportionality of processing operations” are to be assessed, what approach and scope are used for assessing “high risk” to the “rights and freedoms of natural persons”, when it is “appropriate” to “seek the views of data subjects or their representatives”, or how, if ever, DPIA affects the liability of controllers or processors for data protection wrongdoings. Furthermore, can a DPIA process constitute a piece of evidence in legal proceedings, can data subjects seek justice should they not have been consulted (sufficiently) during such a process, etc. These and similar legal questions can be posed equally before a national data protection authority (DPA) or national courts (civil, criminal or administrative), but also before the Court of Justice of the European Union (e.g. a reference for a preliminary ruling). Some of these questions might not necessarily seem new, yet they have never been posed in the context of DPIA. However, some of them might be answered by looking at the experience of impact assessment in other areas and jurisdictions, such as environmental protection or technology development.
The workshop will gather the representatives of eight sectors – independent regulatory authorities, policy-makers, legal practice, courts, industry, consultancy, non-governmental organisations and academia – in order to seek their views as to what can be expected from DPIA in a set-up of judicial or extra-judicial proceedings.
The debate will be held under the Chatham House Rule. Each panellist is expected to identify and briefly justify the DPIA-related legal question(s) she or he expects to surface in judicial or extra-judicial proceedings while litigating personal data protection. A debate will follow.
Period: 20 May 2019
Event type: Conference
Location: Brussels, Belgium
Degree of Recognition: International