Impact assessment in the EU new data protection law

Activity: Talk or presentation at a conference


The reform process of the European Union’s legal framework for personal data protection culminated on 27 April 2016 with the enactment of the General Data Protection Regulation and the – less popular – Police and Criminal Justice Data Protection Directive. Both instruments bring to the fore multiple uncharted novelties, one of which is a ‘data protection impact assessment’ (‘DPIA’). Upon the entry into force of the new legal framework (28 May 2018), an obligation will be imposed on data controllers to conduct such an assessment for any handling of personal data that is “likely to result in a high risk to the rights and freedoms of natural persons” (cf. Art 35 of the Regulation and Art 27 of the Directive). All these novelties have sparked continuous debates on their effectiveness, efficiency and practical application, made more urgent by the imminent applicability of the new laws.
Therefore we could not help but take part in this debate and reflect on the way the well-established concept of impact assessment was adapted to the needs and reality of European data protection law. Having briefly reviewed the history of impact assessments in the areas of environment, technology and privacy, we critically assess the two legal requirements for a ‘DPIA’ set forth by the new Regulation and the Directive. We point out their positive, acceptable and negative elements. We conclude that these ‘DPIA’ requirements – predominantly due to their limited scope – have rather failed to live up to the expectations vested therein. Yet this failure could be remedied by a complementary policy on impact assessment that would genuinely safeguard both individual and collective interests related to privacy. We therefore conclude with a few modest suggestions as to the contents of such a policy.
Period: 26 Nov 2016
Event title: Cyberspace 2016, 14th International Conference, Masaryk University, Brno
Event type: Conference
Location: Brno, Czech Republic
Degree of Recognition: International