Privacy & Information Security Law Blog

On November 18, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) held the second workshop in its ongoing work on the risk-based approach to privacy and a Privacy Risk Framework. Approximately 70 Centre members, privacy regulators and other privacy experts met in Brussels to discuss the benefits and challenges of the risk-based approach, operationalizing risk assessments within organizations, and employing risk analysis in enforcement. In discussing these issues, the speakers emphasized that the risk-based approach does not change the obligation to comply with privacy laws but helps with the effective calibration of privacy compliance programs.

The workshop was kicked off by Bojana Bellamy, the Centre’s President, and Fred Cate, Senior Policy Advisor for the Centre, who had prepared a discussion draft of the Centre’s second white paper on the risk-based approach to privacy, The Role of Risk in Data Protection. The paper is now being finalized with learnings from the workshop for wider distribution in the coming weeks.

Fred Cate also moderated the first panel on the benefits and challenges of the risk-based approach, during which he, Commissioner Julie Brill of the Federal Trade Commission, Peter Hustinx of the European Data Protection Supervisor, Florence Raynal of the French Data Protection Authority (the “CNIL”), JoAnn Stonier of MasterCard, and Danny Weitzner of Massachusetts Institute of Technology discussed questions such as (1) what is driving the recently intensified focus on risk assessments as a privacy compliance tool in the modern information age, and (2) what is the risk-based approach’s potential for more effectively calibrating compliance and implementing existing privacy principles and legal obligations. The panelists also discussed examples of instances where risk assessments are currently required or used under existing legal regimes, including the EU Data Protection Directive and the FTC Act, as well as the types of harms to individuals and society that can or should be considered in the context of privacy risk assessments and whether government (legislatures or regulators) should provide more guidance on risk assessments.

During lunch, Luca DeMatteis, Italian Presidency of the Council of the European Union, Justice Counselor (Cooperation in Criminal Matters and Data Protection), Permanent Representation of Italy to the EU, discussed the progress of the Council’s expert working group on the proposed EU General Data Protection Regulation (“Proposed Regulation”) and how the Council intends to incorporate the risk-based approach in the Proposed Regulation.

The second panel on operationalizing risk assessments within organizations considered different approaches businesses currently take in assessing potential privacy risks and the privacy-related impact of their products and services. The panel comprised of representatives of Acxiom, Apple, Google, Nokia and Accenture. It also included Naomi Lefkovitz, Senior Privacy Policy Advisor of the National Institute of Standards and Technology (“NIST”) at the U.S. Department of Commerce, who discussed NIST’s privacy engineering initiative and Privacy Risk Model. A key message from this panel was that the ongoing work on the risk-based approach to privacy is not about substituting risk assessments for compliance with legal requirements but about developing a methodology for complying with the law more effectively.

During the third panel, Richard Thomas, Global Strategy Advisor for the Centre and former UK Privacy Commissioner, Jacob Kohnstamm of the Dutch Data Protection Authority, Manuela Siano of the Italian Data Protection Authority (the Garante), David Smith of the UK Information Commissioner’s Office, and Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, discussed the use of risk assessments in privacy enforcement. Particular points of focus included:

• the value of risk assessments in facilitating effective enforcement prioritization,
• whether enforcement authorities should consider societal harms in addition to harms to individuals when making enforcement decisions, and
• the role of enforcement authorities in providing guidance on the relevant factors to consider in organizational risk assessments.

The objectives of the Centre’s Privacy Risk Framework Project are discussed in detail in the Centre’s June 2014 white paper, A Risk-based Approach to Privacy: Improving Effectiveness in Practice. The paper notes how the Privacy Risk Framework project elaborates on the Centre’s earlier work on organizational accountability by seeking to develop analytical tools and a common framework and methodology for risk assessments that are needed to effectively implement key aspects of accountability.

The Centre has tentative plans to hold its Risk Workshop III on March 4, 2015, in the margins of the IAPP Global Privacy Summit in Washington, D.C.