EDPB: ICO too strict on data protection impact assessments

Out-Law News | 09 Oct 2018 | 9:42 am | 2 min. read

Businesses planning to process biometric, genetic or location data do not automatically have to carry out a data protection impact assessment (DPIA) first to comply with the General Data Protection Regulation (GDPR), an EU privacy watchdog has said.

The opinion, issued by the European Data Protection Board (EDPB), differs from guidance the UK's Information Commissioner's Office (ICO) has issued on DPIAs.

The ICO is not bound to update its guidance in light of the EDPB's opinion, but must justify its reasons for not doing so if "it does not intend to follow this opinion, in whole or in part", the EDPB said.

In a statement sent to Out-Law.com, a spokesperson for the ICO said the watchdog is "considering the European Data Protection Board’s recommendations and will provide a response in the coming weeks".

Data protection law expert Rif Kapadi of Pinsent Masons, the law firm behind Out-Law.com, said: "Now that these papers are being discussed at Board level and the feedback is appearing so publicly, it will be fascinating to see the extent of any changes made by the supervisory authorities. This will be an early indicator of whether harmonisation under the GDPR is achievable. The issue is especially interesting for the ICO with the added complexity of Brexit and the clear desire for the information commissioner to retain a central role on the EDPB."

The EDPB is made up of representatives of the national data protection authorities across the EU and the European Data Protection Supervisor. Under the GDPR, the body has replaced the Article 29 Working Party, which previously provided opinions and guidance on matters relating to EU data protection.

Data protection, or privacy, impact assessments are used by organisations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.

The GDPR, which took effect on 25 May 2018, requires organisations to conduct DPIAs in specified circumstances.

Organisations are obliged to carry out DPIAs if their planned processing involves: "a systematic and extensive evaluation" of personal aspects based on automated processing, including profiling, resulting in decisions that significantly affect individuals; large-scale processing of sensitive data or data on criminal convictions or offences; or systematic large-scale monitoring of a publicly accessible area, such as through the use of CCTV.

The GDPR also requires DPIAs to be undertaken if planned data processing activities are otherwise "likely to result in a high risk to the rights and freedoms of natural persons".

The ICO, like a number of other data protection authorities across the EU, has issued a list outlining its expectations on when businesses should carry out DPIAs. It said, among other things, that where organisations plan to process biometric, genetic or location data, this would automatically trigger a requirement to carry out a DPIA. The EDPB has now said, however, that this is not the case.

The EDPB said that the processing of biometric, genetic or location data on its own is "not necessarily likely to represent a high risk".

It has called on the ICO to update its list to clarify that the duty to carry out a DPIA is triggered only if "at least one other criterion", among those identified as 'high risk' factors in the guidance on DPIAs that the EDPB has endorsed, also applies to the intended processing activities. That guidance was developed by the Article 29 Working Party and adopted by the EDPB in May.

The EDPB also called on the ICO to update its guidance to clarify that two 'high risk' criteria need to be present before organisations planning to engage in employee monitoring will be required to conduct a DPIA.

It further said that the ICO should revise its guidance to make clear that the use of innovative, rather than new, technology will trigger the need for a DPIA "only when it is done in conjunction of at least one other criterion".

The opinion of the EDPB on the ICO's list was one of 22 separate opinions the EU watchdog has published. It said it hopes its opinions will result in a more consistent approach to DPIAs across the EU.