On February 28, 2018, the Belgian Privacy Commission issued a recommendation on the position it takes with regard to data protection impact assessments (or “DPIAs”) as foreseen in the GDPR. A DPIA under the GDPR is similar in scope and impact to its predecessor, the PIA (or “privacy impact assessment”) and requires businesses to assess processing operations that are likely to present a high risk to individuals’ rights. Such “high risk” is, for instance, likely to present itself in processing operations involving sensitive data, systematic monitoring, or vulnerable individuals such as children. The GDPR requires and allows for Member States to set in place lists of processing operations which, respectively, require a DPIA (“black list”) and which are per definition “good to go” without performing a DPIA (“white list”). The purpose of a DPIA is to address residual risk, in the best case by adopting risk mitigating measures such as additional security measures, and in the worst case by consulting the competent supervisory authority prior to commencing the processing operations. As such, it plays a key role in the GDPR’s accountability approach, which was set to replace the prior regime of mandatory prior notifications with the authorities.
The Belgian recommendation follows the WP29 DPIA Guidelines upon several occasions, for instance in its interpretation of the “high risk” threshold. However, it provides distinctive additional guidance by adopting draft versions of the so-called “black” and “white lists” in implementation of the GDPR. Such lists are clearly to be welcomed by organizations as approved and adopted Member State lists provide for a (relative degree of) certainty that processing activities on the lists either do or do not require a DPIA.
The black list made public by the Belgian Privacy Commission contains ten distinct processing activities, with a clear focus on sensitive data processing and profiling. Activities such as the processing of biometric data with the purpose of uniquely identifying a person in publicly accessible areas (such as CCTV with facial recognition), the re-use for other purposes and disclosure of sensitive data between distinct data controllers, the systematic and automated collection and recording of a person’s behavior, and the large scale processing of data to predict a person’s behavior and/or preferences and the large scale processing of location- and metadata (such as for Wi-Fi-tracking) are all activities requiring a DPIA per definition. The white list on the other hand contains processing activities that a business is able to legitimize on the basis of its legitimate (business) interests or compliance with a legal requirement, and includes activities such as the processing of data necessary for payroll of employees and general accounting purposes, or for the administration of shareholders and partners, and a generic inclusion of all processing activities by private entities necessary to comply with a legal requirement.
Whilst the Belgian DPIA Recommendation, and the lists it includes, is useful guidance in terms of the interpretation and approach supervisory authorities may take with regard to DPIAs after May 2018, it confirms to be a mere recommendation meaning it is not set in stone. Moreover, the lists will not be legally binding until final approval and adoption by the newly established Data Protection Authority, which will replace the Privacy Commission starting May 25, 2018 (for a more complete overview of the new Data Protection Authority, see our blog post here).
* * *
Alston & Bird and its Brussels-based EU Privacy Team is closely following DPA action and privacy litigation in the EU Member States. For more information, contact Jim Harvey or David Keating.