Data Protection Impact Assessment in the European Union: a feminist reflection

Onderzoeksoutput: Unpublished paper


Can the Data Protection Impact Assessment (DPIA) under Article 35 General Data Protection Regulation (GDPR) address the power imbalances between those in control of information and the most vulnerable persons to whom this information refers? Put another way, can DPIA be considered a feminist tool?
Like any other law, the GDPR is an expression of the context in which it was adopted and could be instrumental to trigger or prevent social changes. Specifically, the DPIA, emblem of the ex ante risk-based approach connoting European data protection law, like other forms of impact assessments, emerged to protect (also) collective concerns. Legal scholars and data protection regulators consider it a promising instrument for the protection of the fundamental rights threatened by personal data processing, particularly when performed by automated systems. Yet, a feminist critique of the DPIA, essential to comprehensively evaluate whether the optimism towards this means is justified, is still missing. Thus, this contribution will address this knowledge gap using a combination of doctrinal and non-doctrinal analysis, feminist (legal) methods and intersectionality. Whereas the DPIA under the GDPR represents the starting point of the analysis, the findings remain valid for like-minded jurisdictions.
Building on the state of the art about DPIA, the author will revisit the advantages and drawbacks thereof through feminist lenses. Among the advantages, the combination of ex ante and public participation elements, which make DPIA suitable to prevent damages, and consequently the necessity to access ex post remedies, and to safeguard collective rather than mere individual interests; and the openness of the notion of "high risks", which, in principle, could encompass different situations where the vulnerability of data subjects manifests, either within or as an effect of the processing. Among the drawbacks, the reliance on the goodwill of entities already at the top of the power chain (i.e., data controllers) for the performance of key DPIA steps, such as the evaluation of (residual) high risks, of the measures to address them and of the "appropriateness" for the public (also, which public?) consultation; and the limited accessibility of individual and collective remedies for DPIA-related violations, depending, inter alia, on the lack of transparency, which subordinate its enforcement predominantly to the initiative of data protection authorities (DPAs).
To remedy the structural limitations previously identified, and ensure that the DPIA turns into an empowering tool for data subjects, especially the most marginalised groups, the author will then provide practical recommendations to the actors capable of influencing the DPIA process. On the one hand, data controllers, who maintain the final responsibility of the DPIA process; on the other hand, data protection regulators and judges, who will substantiate the quite generic GDPR requirements through their decisions. Considering that the GDPR grants a lot of flexibility in terms of methodological matters, the author will suggest incorporating feminist (legal) methods and moves and intersectionality principles in the DPIA process. For instance, valuing women's - of diverse ethnicity, background, sexual orientation, ability, etc. - experiences either as experts or laypersons whose rights are affected by the data processing, to support a more comprehensive identification of the risks and the measures to address them; applying feminist legal methods when assessing the necessity and proportionality of the data processing, to enable a more nuanced reasoning and inclusive analysis; using intersectionality and consciousness-raising, to identify categories of data subjects and practical ways of involving them (e.g., creating focus groups, performing interviews). Finally, the author will call for the conceptualisation of a "right to data protection impact assessment" to facilitate individual and collective actions in relation to the enforcement of Article 35 GDPR.
Originele taal-2English
StatusUnpublished - 6 mei 2022
EvenementPrivacy Law Scholars Conference - Northeastern University, Boston , United States
Duur: 2 jun 20223 jun 2022


ConferencePrivacy Law Scholars Conference
Verkorte titelPLSC22
Land/RegioUnited States
Internet adres


Duik in de onderzoeksthema's van 'Data Protection Impact Assessment in the European Union: a feminist reflection'. Samen vormen ze een unieke vingerafdruk.

Citeer dit