by Iheanyi Samuel Nwankwo
The EU General Data Protection Regulation (GDPR) solidifies the risk-based approach in data protection through several references that tie the obligations of data controllers to the risk exposure associated with their data processing. These references include, for example, the requirement to conduct a data protection impact assessment (DPIA). However, the regulation does not require that a DPIA be carried out in all personal data processing scenarios, even though it is commonly acknowledged that the mere processing of personal data has an element of risk associated with it. Article 35 (1) of the GDPR only triggers the requirement of a DPIA when the processing operation is likely to result in “high risk”. Unfortunately, the GDPR does not define the terms “risk” or “high risk”, even though these are key notions that require clarification as to which data processing operations fall within each of them.
That being the case, data controllers are expected to conduct a preliminary assessment of their intended data processing to determine whether it could result in high risk. Article 35 (3) assists tremendously in carrying out this task by providing non-exhaustive examples of data processing considered to be of high risk and which therefore require a DPIA by default. These are processing operations that involve a systematic and extensive evaluation of personal aspects relating to natural persons; processing on a large scale of special categories of data; or systematic monitoring of a publicly accessible area on a large scale. On the other hand, Recital 91 gives an indication of processing that should not require a mandatory DPIA, as it is not presumed to be of a large scale, for example, data from patients or clients processed by an individual physician, other health care professional or a lawyer. However, as these examples are not complete, supervisory authorities (SAs) are tasked with publishing lists of processing operations that require a DPIA (the blacklist) and those that are exempt from such a requirement (the whitelist) (see Article 35 (4) and (5) respectively).
The Article 29 Working Party (WP29) Guidelines on DPIA provide further guidance on how to interpret these provisions, as well as criteria to assist the SAs when developing these lists.1 Currently, all SAs seem to have published their blacklists.2 For the whitelist, some have submitted a draft to the European Data Protection Board (EDPB): France, the Czech Republic and Spain. The EDPB has equally issued corresponding opinions on these draft whitelists as part of its function to ensure consistent application of the GDPR, mainly where “the lists involve processing activities which are related to the offering of goods or services to data subjects or the monitoring of their behaviour in the several Member States, or may substantially affect the free movement of personal data within the Union” (Article 35 (6) GDPR). In these opinions, the EDPB emphasises that the aim is not to make all national whitelists identical or to create a single EU list, but to remove inconsistencies between the whitelists and blacklists, the WP29 Guidelines on DPIA, and the relevant provisions of the GDPR. This approach is essential given that the Board has noted that the whitelists are “inherently non-exhaustive”, as, by their nature, no such whitelist can enumerate all cases in which a DPIA is not required. By implication, it is important to avoid conflicts.
Moreover, the EDPB “notes that the mere fact that processing activity falls within the scope of a 35 (5) GDPR list does not mean that a controller is exempt from the general obligations of the GDPR.” As such, the supervisory authorities were advised to clarify that their lists are without prejudice to any other obligation stipulated by the GDPR. Given this position, how then might the whitelist be valued?
The Importance of the Whitelist
The whitelist is vital when conducting a preliminary assessment as to whether proposed processing is of high risk or not. Such a list, together with the blacklist, provides more clarity to data controllers, thereby reducing the workload required during preliminary assessments. Article 35 (10) is also essential when assessing whether data processing is exempt from a DPIA. It provides that no further DPIA shall be carried out, under the specific circumstances mentioned therein, unless a Member State deems it necessary. In general, though, where it is not clear whether a specific data processing operation falls within either the blacklist or the whitelist, a DPIA should, as a matter of good practice, be conducted.
Another significant benefit of the whitelist is that it allows the EDPB to ensure consistent application of the GDPR, especially in areas where the processing has cross-border effects. This consistency mechanism can be gleaned from the series of recommendations made by the Board in its opinions on several draft whitelists, including requiring the affected SA to limit the scope of application of an item or to delete it entirely.
For example, the French whitelist releases controllers with fewer than 250 employees from conducting a PIA in the employment context.3 Although data processing involving special categories of data or other high-risk activities may be concerned, the EDPB deems this exemption by the CNIL (the French SA) admissible. The EDPB acknowledges the key argument of the CNIL that, for small businesses, the processing of employee data is not conducted on a large scale.
Also, the French whitelist does not require a PIA for access controls unless biometric data is concerned. However, the EDPB regards this exemption as too broad. The EDPB asked the CNIL to likewise require a PIA for access control insofar as sensitive data or data of a highly personal nature is concerned.
In this way, the EDPB is able to maintain consistency with the WP29 Guidelines on DPIA, which interpret “sensitive data or data of a highly personal nature” more broadly than the special categories under Article 9 of the GDPR. As such, where such sensitive data is to be processed, a DPIA is required, as the processing is likely to pose a high risk, and it cannot be exempted in a whitelist. Similar recommendations can be seen in the opinions on the Czech and Spanish whitelists.
It is, however, notable that the SAs have a margin of discretion when establishing their whitelists, as they may take national laws into account. This is evident in item 6 of the Spanish whitelist, which refers to “processing carried out by owners’ associations and sub-associations in multi occupancy properties” as defined in article 2 (a, b, and d) of Law 49/1960 on Horizontal Property. It is arguable that where such an inclusion is limited to matters of local importance (outside the application of Article 35 (6)), it should not be disturbed by the EDPB.
Another practical use of these lists arises when resolving a conflict between the blacklist and the whitelist. It is fair to suggest here that, ordinarily, the whitelist “may not exempt” items that are in a current blacklist. In other words, the best approach to adopt if such a conflict arises is to allow the blacklist to prevail. However, where the data controller decides not to carry out a DPIA despite this interpretation, justification has to be provided for such a decision.
In conclusion, it is important to re-emphasise that no blacklist or whitelist can be exhaustive, on the premise that making any such list exhaustive would be incompatible with the wording of Article 35 (1). This interpretation is plausible, given that innovative data processing technologies will continue to emerge, making it likely that new risks will arise. Nevertheless, these lists are welcome, as they provide clear indications of what data controllers should consider when conducting a preliminary assessment, thereby reducing the resources spent on such a process. Furthermore, as we await further guidelines, recommendations and best practices on the implementation of the GDPR, it is hoped that other aspects of a DPIA, such as the methodology for risk assessment, will be tackled. All of these are envisaged to bring more clarity and consistency to the implementation of the regulation.
Iheanyi Samuel Nwankwo, LL. M. is Researcher at the Institute for Legal Informatics, Leibniz Universität Hannover
3 The exemption to this rule is profiling. Insofar as profiling is conducted, a PIA is mandatory.