Upload
luiz-costa
View
217
Download
0
Embed Size (px)
Citation preview
Privacy and the precautionary principle
inc
lac
m
nte
prin
. Fo
f, the article stresses the role of the precautionary principle in
1. Introduction
w, the
ativel
sensi
rding t
establi
sis of
oiding
devient une methode, dite heuristique de la peur. Cest lanticipation de la menace et la peur du danger qui vont permettre de prevoir les effets a` longterme de laction technique, et de determiner ce qui a besoin detre sauvegarde. Cette methode aboutira a` definir les risques qui ne devront jamais etrecourus. Philippe Kourilsky and Genevie`ve Viney, Le principe de precaution (France, August 15, 1999), 34, http://lesrapports.ladocumentationfrancaise.fr/BRP/004000402/0000.pdf.
2 Paulo Affonso Leme Machado, Direito Ambiental Brasileiro, 12th ed. (Sao Paulo: Malheiros Editores, 2004), 76. In a similar mannerKourilsky and Viney affirms that a` la diction Dans le doute abstiens-toi, le principe de precaution substitue limperatif: Dans le doute,mets tout en oeuvre pour agir au mieux. Kourilsky and Viney, Le principe de precaution, 5.
3 Regarding environmental law see Philippe Kourilsky and Genevie`ve Viney, Le principe de precaution (France, August 15, 1999), 15, http://
Available online at www.sciencedirect.com
www.compseconl ine.com/publ icat ions/prodclaw.htm
c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 4lesrapports.ladocumentationfrancaise.fr/BRP/004000402/0000.pdf.1 I acknowledge Yves Poullet for our invaluable talks and his patient revision of this work. I also acknowledge Xavier Thunis for hisimportant remarks about the precautionary principle. Kourilsky and Viney observe that fear could be the foundation of a method: elleTherefore, precaution implies an active role before chal-
lenges, it does not mean prostration in front of fear, and
does not eliminate healthy audacity but is equivalent to
environmental security, necessary to give continuity to
life.2
There are good reasons to look for the objectives in
enhancing political participation and avoiding the dilution of
responsibility in privacy and data protection law. Since rela-
tions between citizenegovernments and citizeneindustry
are obviously asymmetric, legislation protects citizensresponsibility that demands avFrom a philosophical point-of-vie
of precaution can be based altern
prudence. Anticipating danger and
be the basis for human action acco
contrast, its ethical basis can be
Prudence, in this context is the ba0267-3649/$ e see front matter 2012 Luiz Cdoi:10.1016/j.clsr.2011.11.004ethical foundation
y on either fear or
ng fear of it would
o some authors.1 In
shed on prudence.
a preventive moral
future damages.
From a practical point-of-view, precaution can be inter-
preted as an attitude justified by the desire of political
participation as well as a reaction against the dilution of
liability. In return, citizens want to take part in some decision
mechanisms, chiefly those that create risks. In this case, it is
expected that people should be aware of these risks before
giving their consent to decisions.3 Moreover, promoting
precaution as a means to enforce responsibility where
multiple actors and causes harden its clarification.improving privacy protection through liability, prudence and transparency.
2012 Luiz Costa. Published by Elsevier Ltd. All rights reserved.applications. In briethis legislation as well as the privacy impact assessment framework, raised by the Euro-
pean Commission through the Recommendation on Radio-Frequency IdentificationLuiz Costa
University of Namur, Namur, Belgium
Keywords:
PIA
Precautionary principle
Privacy
Privacy impact assessment
a b s t r a c t
The precautionary pr
irreversible damage,
postponing protective
health protection in i
of the precautionary
protection legislationosta. Published by Elseviple e which implies that where there are threats of serious or
k of full scientific certainty shall not be used as a reason for
easures e has been adopted as a standard of environmental and
rnational and European legislation. This article offers an overview
ciple as a legal standard applicable to European privacy and data
r this reason, it takes particularly into account the guidelines ofier Ltd. All rights reserved.
counterbalancing the strength of governments and industry.
One mechanism of doing that is precisely the aim of the
precautionary principle4 in order to avoid risk-taking without
a larger public discussion. The promotion of this principle is
therefore a way to involve citizens in decision-making.
Furthermore, dilution of liability is a problem faced also in
the mentioned domain. Violations of personal data can take
place in a context with multiple actors and causes, which
produce a scenario where causality is complex and, for that
reason, it is hard to assign responsibility.
Precautionary principle and risk assessment are both philoso-
public awareness of privacy and data protection. We believe
that the precautionary principle is a legal standard, applicable
1980s we saw the beginning of the sustainable development
vision, which aims at protecting natural resources and taking
in consideration future generations. In regards to interna-
tional environmental law this vision culminated in the United
Nations Conference on Environment andDevelopment, which
took place in Rio de Janeiro in June 1992 andwas guided by the
values of the global environmental and developmental system
protection. The Rio Declaration on Environment and Devel-
opment is one of the outcomes of this Conference and its
Principle 15 establishes that in order to protect the environ-
ment, the precautionary approach shall be widely applied by
States according to their capabilities. Where there are threats
of serious or irreversible damage, lack of full scientific
certainty shall not be used as a reason for postponing cost-
effective measures to prevent environmental degradation.7
Also, a considerable number of environmental conven-
tions previewed the precautionary principle throughout the
last twenty years. As in the Rio Declaration of 1992, these
international treaties introduced the point that preventive
measures shall be taken to avoid damages even if there is no
conclusive evidence of causality between the inputs and the alleged
c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 4 15to European privacy and data protection legislation; this is our
hypothesis and we will examine it through the lens of the
European legislation on precautionary principle and privacy
impact assessment.
2. Part one e the precautionary principle
2.1. A principle on international environmental law
The precautionary principle has been adopted in some inter-
national documents, mainly in the environmental protection
domain.
Its first appearance in an international text was in 1987 at
the Second International Conference on the Protection of the
North Sea (1987), which established that a precautionary
approach is necessary which may require action to control
inputs of such substances even before a causal link has been
established by absolutely clear scientific evidence. In the late
4 We use the expression precautionary principle since weconsider it as a standard with legal implications. For furtherdiscussion on the use of the terms precautionary principle andprecautionary approach see Sonia Elise Rolland, The Precau-tionary Principle: Development of an International Standard,SSRN eLibrary (2010): 434, Jacqueline Peel, Precaution - A Matter ofPrinciple, Approach or Process?, Melbourne Journal of InternationalLaw 5, no. 2 (2004), http://www.austlii.edu.au/au/journals/MelbJlIntLaw/2004/19.html and Nicolas de Sadeleer, Le statutjuridique du principe de precaution en droit communautaire: duslogan a la re`gle (n.d.), http://dialnet.unirioja.es/servlet/articulo?codigo732699.phies of a society that poses itself the question of how to
allocate the costs of risks and damages caused by producers of
goods and services. Both orbit the idea of risk, which may be
defined as a systematic way of dealing with hazards and
insecurities induced and introduced by modernization itself.
Risks, as opposed to previous dangers, are consequences that
relate to the threatening force of modernization and to its
globalization of doubt.5 These two philosophies overlap, as
we will see further on.
The precautionary principle talks about prudence, trans-
parency and strong decision-making. As we will see further
on, European legislation establishes the precautionary prin-
ciple as a means to protect the environment and human
health6; we speculate that it can be also a means to enhance5 Kourilsky and Viney, 21.6 Article 174, 2 of the Treaty of Amsterdam.In Europe, the precautionary principle was first formalized by
Germany during the 1970s as the Vorsorgeprinzip.11 Similarly,
European legislation previewed the precautionary principle as
a way to protect not only the environment but also human health
as in Article 174, 2 in Treaty of Amsterdam: The Contracting
Parties shall apply the precautionary principle, i.e., to take
7 Rio Declaration on Environment and Development, www.un.org/documents/ga/conf151/aconf15126-1annex1.htm, April 82011.
8 The Contracting Parties shall apply the precautionary prin-ciple, i.e., to take preventive measures when there is reason toassume that substances or energy introduced, directly or indi-rectly, into the marine environment may create hazards tohuman health, harm living resources and marine ecosystems,damage amenities or interfere with other legitimate uses of thesea even when there is no conclusive evidence of a causal rela-tionship between inputs and their alleged effects.
9 Which establishes countries obligations related to the adop-tion of impact assessment and the minimization of adverseimpacts.10 As stated by the Convention preventive measures are to betaken when there are reasonable grounds for concern thatsubstances or energy introduced, directly or indirectly, into themarine environment may bring about hazards to human health,harm living resources and marine ecosystems, damage amenitiesor interfere with other legitimate uses of the sea, even whenthere is no conclusive evidence of a causal relationship betweenthe inputs and the effects.11 Olivier Godard, Introduction generale, in Le principe de precautiondans la conduite des affaires humaines (Paris: Editions de la Maisoneffects. We can refer to the examples in Article 3, 2 of the
Convention on the Protection of the Marine Environment of
the Baltic Sea Area (1992),8 Article 14 of the Convention on
Biological Diversity (1992)9 and Article 2 of the Convention for
the Protection of the Marine Environment of the North-East
Atlantic (1992)10.
2.2. A European legal principledes sciences de lhomme Institut National de Recherche Agron-omique, 1994), 25.
preventive measures when there is reason to assume that
substances or energy introduced, directly or indirectly, into
the marine environment may create hazards to human
health, harm living resources and marine ecosystems,
damage amenities or interfere with other legitimate uses of
the sea even when there is no conclusive evidence of a causal
relationship between inputs and their alleged effects. Like-
wise, some policy orientations have presented the principle,
as in the Communication of 30 April 1997 on consumer health
and food safety, the Green Paper on the General Principles of
Food Law in the European Union of 30 April 1997 and the
Communication of the European Commission on the precau-
tionary principle of 2 February 2000.
Furthermore, the precautionary principle has been applied
by the Court of Justice of the European Union in several
environmental cases as in validating the EC Regulation on
controlled substances that deplete the ozone layer12 and on
interpreting the EC Directive on the deliberate release into the
environment of geneticallymodified organisms.13 Besides, the
Similarly, in a case involving the exposure of citizens to
sodium cyanide, the European Court of Human Rights stated
that the precautionary principle should be observed on all
European Union activities in order to protect a high level of
health, consumers security and environment.16
From a legal perspective, the precautionary principle
implies that in the face of situations in which there is uncer-
tainty with regards to the existence or extent of risks,
protective measures shall be taken without waiting that these
risks become fully apparent.17 In the next paragraph the paper
considers two aspects of the precautionary principle from
a philosophical perspective.
2.3. The irreparable and the uncertainty of scientificknowledge
We are going to stress two assets of the precautionary principle;
the first one is related to its position regarding irreparable
damages and the second one concerns its point-of-view con-
cerning scientific knowledge.
The first asset refers to distinguishing prevention and
precaution. Prevention and precaution are similar, but not
equivalent. They are similar since they are both liability
principles and are related to a kind of anticipation of harm,
risks. We can mention the example of the European Court ofJustice in the case Leendert van Bennekom. Mr. van Bennekom
c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 416jurisprudence of the Court affirmed that the precautionary
principle is also applicable to avoid risks to public health.14 As
stated by the Court of Justice in a case related to marketing
authorizations of medicinal products:
[...] although the precautionary principle is mentioned in the
Treaty only in connection with environmental policy, it is broader
in scope. It is intended to be applied in order to ensure a high level
of protection of health, consumer safety and the environment in
all the Communitys spheres of activity. [.] It follows that the
precautionary principle can be defined as a general principle of
Community law requiring the competent authorities to take
appropriate measures to prevent specific potential risks to public
health, safety and the environment, by giving precedence to the
requirements related to the protection of those interests over
economic interests. Since the Community institutions are
responsible, in all their spheres of activity, for the protection of
public health, safety and the environment, the precautionary
principle can be regarded as an autonomous principle stemming
from the above mentioned Treaty provisions [emphasis added].15
12 Case C-284/95, Safety Hi-Tech v. S. & T. Srl [1998] ECR I-4301.13 Case C-6/99, Association Greenpeace France and Others v. Ministe`rede lAgriculture et de la Peche and Others [2000] ECR I-1651.14 According to the Court of Justice the precautionary principlealso applies where the Community institutions take, in theframework of the common agricultural policy, measures toprotect human health (see, to that effect, Case C-180/96 UnitedKingdom v Commission [1998] ECR I-2265, paragraph 100, the BSEjudgment; and Case C-157/96 National Farmers Union and Others[1998] ECR I-2211, paragraph 64, the NFU judgment). It isapparent from Article 130r(1) and (2) of the Treaty that Commu-nity policy on the environment is to pursue the objective interalia of protecting human health, that the policy, which aims ata high level of protection, is based in particular on the precau-tionary principle and that the requirements of the policy must beintegrated into the definition and implementation of otherCommunity policies. Case T-13/99 [2002] ECR II-3305. PfizerAnimal Health SA v. Council of the European Union.15 Artegodan GmbH and others v European Commission (Joined Cases
T-74/00, T-76/00, T-83/00 to T-85/00, T-132/00, T-137/00 and T-141/00) e [2002] All ER (D) 391 (Nov).was prosecuted in the Netherlands for possessing, for thepurpose of resale, a large quantity of vitamin and multi-vitaminpreparations in violation of Netherlands Law. In the appealproceedings, one of the questions posed by the District Court ofAmsterdam to the European Court of Justice was if it would bepermissible for Netherlands law to prohibit the sale or stock forthe purpose of supply of vitamins and vitamin preparationsthrough the use of a definition of medicinal product. Theresponse was positive, though the European Court observed thatit is for the national authorities to demonstrate in each case thattheir rules are necessary to give effective protection [...], inparticular to show that the marketing of the product in questioncreates a serious risk to public health [emphasis added].Consequently, prevention is a response to a known (and, in thewhich stands for physical or psychological injury or
damage.18 However, while prevention is the remedy against
the exposure with regard to a known harm,19 precaution is
meant to avoid the mere possibility of suffering harm or loss.
Prevention is attached to the concepts of identifiable risks
and solidarity. As Ewald observes, liability will exist even if
there is no link between the cause of the damage and the fault
of someone. It does not matter to find out who is guilty but
16 La Cour rappelle limportance du principe de precaution(consacre pour la premie`re fois par la Declaration de Rio), quia vocation a` sappliquer en vue dassurer un niveau de protectionelevee de la sante, de la securite des consommateurs et delenvironnement, dans lensemble des activites de la Commu-naute Zupancic et al., Tatar v. Romania.17 In this sense, regarding human health protection, see G. C.Rodrguez Iglesias et al., National Farmers Union (Court of Justice ofthe European Union 1998).18 Farlex, Harm, The Free Dictionary, n.d., www.thefreedictionary.com/risk.19 Preventive measures take place when there are identifiablecase, serious) risk. See Fifth Chamber, Leendert van Bennekom(Court of Justice of the European Union 1983).
who is going to undergo the burden of the damage. One
example is workers compensation for employees injured in
the context of their job. Risks at work are known and
controllable. Besides this, legislation considers that workers
who suffer an accident in the context of their job deserve
protection. This protection is expressed through a liability
regime that establishes that employeesmust be compensated,
disregarding discussion of fault. The burden of this compen-
sation is then carried by private or public insurance systems.
In that sense, liability finds itself on a social report of soli-
darity.20 Also, prevention is associated with the economic
concept of cost internalization, which is the incorporation of
negative external effects, notably environmental depletion
precaution implies an ex ante relativity of this knowledge since
the lack of full scientific certainty does not justify the lack of
measure being taken to prevent damages. This skeptic
approach is not exempt from harsh critics; in 1992, at the
same time that Rio Declaration became public, a considerable
number of Nobel Prize winners stated that they:
subscribe to the objectives of a scientific ecology for a universe
whose resources must be taken stock of, monitored and
preserved. But we herewith demand that this stocktaking,
monitoring and preservation be founded on scientific criteria and
not on irrational pre-conceptions. We stress that many essential
human activities are carried out either by manipulating
hazardous substances or in their proximity, and that progress
and development have always involved increasing control over
hostile forces, to the benefit of mankind.26
The argument is founded on the opposition between
To put it differently, the precautionary principle fixes
responsibility with regards to harm caused to the environment,
c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 4 17and degradation, into the budgets of households and enter-
prises by means of economic instruments, including fiscal
measures and other (dis) incentives.21
At this point, precautionbringsup a different point-of-view.
It considers that some damages cannot be repaired or
compensated with money because not everything can be con-
verted intomoney.22 Considerable oil leaks can cause damages
to theenvironment that are irreparable; lives lost inanaccident
are irreversible. Instead of compensating damage, precaution
urges the need to avoid some damages. By and large, precau-
tion establishes a new approach with regard to risk-taking.
Also,precaution impliesacertainrelativist attitude regarding
scientificknowledge.23 Inotherwords, scientificuncertainty isat
the core of decisions based on precautionary principle. As the
European Commission states: a decision to take measures
without waiting until all the necessary scientific knowledge is
available is clearly a precaution-based approach.24
Scientific knowledge is imperfect. A legal illustration of this
assumption is Article 7, e, of Directive 85/374/EEC,25 which
provides that: the producer shall not be liable as a result of
this Directive if he proves [.] that the state of scientific and
technical knowledge at the time when he put the product into
circulation was not such as to enable the existence of the
defect to be discovered. European legislation assumes that
actual scientific and technical knowledge are not absolute;
they evolve, and they transform themselves. For the producer,
the legal consequence of the recognition of the mentioned
uncertainty is the exemption of their liability. This is a kind of
ex post facto relativity of scientific knowledge, since the law
assumes that the damage has already occurred.
In a similar manner, precaution considers that scientific
knowledge is not absolute. The difference here is that
20 Francois Ewald, Le retour du malin genie. Esquisse dunephilosophie de la precaution, in Le principe de precaution dans laconduite des affaires humaines (Paris: Editions de la Maison dessciences de lhomme Institut National de Recherche Agrono-mique, 1994), 104e105.21 OECD, Cost internalization, Glossary of Statistical Terms, 2001,http://stats.oecd.org/glossary/detail.asp?ID458.22 Ewald, Le retour du malin genie. Esquisse dune philosophiede la precaution, 111e112.23 Ewald, Le retour du malin genie. Esquisse dune philosophiede la precaution, 116.24 Communication from the Commission on the precautionaryprinciple, February 2, 2000, 8.25 Council Directive of 25 July 1985 on the approximation of the
laws, regulations and administrative provisions of the MemberStates concerning liability for defective products.human health and food safety. The principle implies there are
somedamages that cannot be compensatedwithmoney; it also
implies that protective measuresmust be taken even if there is
scientific uncertainty about the threats of damage of an action.
2.4. Privacy calling?
We saw that precautionary principle was expressed in Euro-
pean Legislation as a means to protect not only the environ-
ment but also human health in accordance with Article 174, 2 of
Treaty of Amsterdam. Moreover, policy orientations mention
consumer health and food law as values to be protected by the
26 Michel Salomon, Heidelberg Appeal to Heads of States andGovernments, 1992, http://legacy.library.ucsf.edu/tid/jmc24e00/pdf;jsessionidA257858421ACB6BB8BD09474714D9359.tobacco01.27 In this sense see Nicolas de Sadeleer, The PrecautionaryPrinciple in EU Law, AV&S (2010): 177. Here we can mention theexample of the European Court of Justice decision on caseNational Farmers Union and Others [1998] already referred. TheNational Farmers Union and others contested the emergencymeasures against bovine spongiform encephalopathy (the Madcow disease), taken by the Ministry of Agriculture following theCommission Decision 96/239/EC. The Commission had bannedthe export from the UK to other Member States and to thirdcountries of bovine animals, meat of bovine animals and derivedproducts. At the time when the contested decision was adopted,there was great uncertainty as to the risks posed by live animals,bovine meat and derived products. However, the uncertainty ofrisks was not considered an obstacle to carry out protectivemeasures and the Court ruled that where there is uncertainty asto the existence or extent of risks to human health, the institu-tions may take protective measures without having to wait untilrational scientific knowledge and irrational precautionary atti-
tude. Nevertheless, as we will see further, the precautionary
principle works together with risk assessment in a rational
approach of threats. Precaution is related with rational
choices with regard to risk-taking. While prevention relates to
identifiable risks, precaution concerns hypotheses that have
not been scientifically confirmed.27the reality and seriousness of those risks become fully apparent.Accordingly, precaution is a response to uncertain risks.
precautionary principle. In addition, the Court of Justice of the
European Union has defined it as a general principle of
Community law having the mission to prevent specific
potential risks to public health, safety and the environment.
In this part the paper examines whether there is a legal basis
to sustain the application of the precautionary principle with
regard to privacy and data protection.
Could the precautionary principle be considered as a legal
standard not confined to environmental and health protec-
tion, but instead having a broader scope, especially concern-
ing privacy and data protection legislation? Before continuing
this line of questioning we must take a look at the privacy
impact assessment framework.
government agencies; recommendations by privacy and data
protection commissioners [...] Organisations have recognised that
PIAs can expose and mitigate privacy risks, avoid adverse
publicity, save money, develop an organisational culture sensi-
tive to privacy, build trust and assist with legal compliance[.] to
be valuable, PIAs need to offer a prospective identification of
privacy risks before systems and programmes are put in place
[...] PIAs are only valuable if they have, and are perceived to have,
the potential to alter proposed initiatives in order to mitigate
privacy risks [...] PIA processes vary across a number of dimen-
sions: the levels of prescription, the application, the circum-
28
c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 418As Ulrich Beck observes, Modernization is becoming reflexive;it is becoming its own theme. Questions of the development andemployment of technologies (in the realms of nature, society andthe personality) are being eclipsed by questions of the politicaland economic management of the risks of actually or potentiallyutilized technologiesddiscovering, administering, acknowl-edging, avoiding or concealing such hazards with respect tospecially defined horizons of relevance. The promise of securitygrows with the risks and destruction and must be reaffirmed overand over again to an alert and critical public through cosmetic orreal interventions in the techno-economic development. RiskSociety: Towards a New Modernity, 1st ed. (Sage Publications Ltd,1992), 20.29 Adam Warren et al., Privacy Impact Assessments: Interna-tional experience as a basis for UK Guidance, Computer Law &Security Review, 2008, 235.3. Part two e privacy impact assessment(PIA)
3.1. Risk assessment and privacy
As we mentioned before, the precautionary principle and risk
assessment are two imbricated philosophies of our risk
society.28 In this partwewill study risk assessment through the
example of PIA on radio-frequency identification (RFID)
applications.
Risk assessment is a procedure by which one distinguishes
non-plausible fromplausible risks and graduates thepossibility
of the last ones to occur. PIA is a sort of risk assessment since it
aims to evaluate the potential consequences of an activity on
privacy and data protection. Beyond the verification of legal
compliance, PIAs have to consider privacy risks in a wider
framework that takes into account the broader set of community
values and expectations about privacy.29 Consequently, PIAs are
related to a kind of political legitimacy of decisions concerning
privacy and data protection. In other words, while Privacy
protection is a legal issue, PIAs e in considering social values e
aim to address legal and moral matters.
On the whole, English-speaking countries have seen the
spread of PIAs in the last few years. Warren et al. indicate
some findings concerning PIAs in an international study30:
PIAs have been spreading around the advanced industrial world
as a result of: legislative requirements; policy guidance by central30 The study reviewed PIA models in Canada, Australia, UnitedStates, New Zealand and Hong Kong.stances that might trigger PIAs, the breadth of the PIA exercise,
the agents who conduct PIAs, the timing, the process or review
and approval and the level of public accountability and trans-
parency [.] the scope and depth of the PIA needs to be sensitive
to a number of crucial variables: the size of the organisation; the
sensitivity of the personal data; the forms of risk; the intrusive-
ness of the technology [...] A PIA screening process is commonly
used to determine whether a PIA is required, and if so, the form it
should take [emphasis added].31
PIA walks at a different pace in Europe. The European legis-
lation does not establish an obligation to carry on PIAs. Instead,
Article 20 of Directive 95/46/EC32 imposes the obligation of
conducting previous control of operations that can pose risks to
privacy and data protection: (i) Member States shall determine
the processing operations likely to present specific risks to the
rights and freedoms of data subjects and shall check that these
processingoperationsareexaminedprior to thestart thereof; (ii)
Such prior checks shall be carried out by the supervisory
authority following receipt of a notification from the controller
or by the data protection official who, in cases of doubt, must
consult the supervisory authority (iii) Member States may also
carry out such checks in the context of preparation either of
a measure of the national parliament or of a measure based on
such a legislative measure, which define the nature of the pro-
cessing and lay down appropriate safeguards.
Furthermore, Article 20 of the Directive 95/46/EC estab-
lishes that Member States must set up prior checks in the
administrative and legislative contexts. However, there is no
specific prevision in relation to the realization of risk assess-
ments. At this point environmental law is precise, as we can
see in Article 2 of Directive 85/337/EC,33 which provides that
Member States shall adopt all measures necessary to ensure
that, before consent is given, projects likely to have significant
effects on the environment by virtue inter alia, of their nature,
size or location aremade subject to an assessmentwith regard
31 Adam Warren et al., Privacy Impact Assessments: Interna-tional experience as a basis for UK Guidance, [2008] 24 ComputerLaw & Security Review 235.32 Clarke observes that The process was institutionalized in 1995 inArticle 20 of the European Directive, which mandated what is referred toas prior checking against applicable standards, particularly of sensitiveinformation systems(...) Roger Clarke, Privacy Impact Assessment:Its origins and development, [2009] 25 Computer Law & SecurityReview 125. Certainly, Directive 95/46/EC imposes prior checks butit does not conceptualize PIA.33 Council Directive 85/337/EEC of 27 June 1985 on the assess-
ment of the effects of certain public and private projects on theenvironment.
to their effects. Concerning privacy, despite the fact that
some form of prior checking rules has been adopted, few EU
countries have developed a comprehensive model of risk
assessment.34 In addition, it is worth mentioning that,
according to Directive 95/46/EC, the supervisory authority
must do these prior checks; PIAs, however, should be carried
out by operators, in accordance with the Recommendation of
12 May 2009, as we will see below.
3.2. PIA in Europe: the RFID case

In 2009 a novel development took place at the Community level as the European Commission published a Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.35 RFID marks a new development in the Information Society where objects equipped with this technology are becoming more and more present in our lives: toll roads, public transport, passports and credit cards are just a few examples. The Recommendation advises that particular attention be paid to privacy and data protection issues in the deployment of RFID. Effectively, RFID and combined technologies create new risks to individual liberties. RFID amplifies the possibilities of profiling, individual tracking and surveillance; furthermore, technical standards are still in a development phase and do not give satisfying solutions to these recent dangers.

This context sets up the basis for the promotion of a risk assessment concerning privacy and RFID in EU countries. The Recommendation affirms that the operator, prior to the implementation of an RFID application, must carry out an assessment of the privacy and data protection implications. Its Article 4 states that Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develop a framework for privacy and data protection impact assessments.

The Industry proposal for a PIA framework was presented in January 201136 and endorsed by the Article 29 Data Protection Working Party in February 2011.37 The PIA process is composed of a pre-assessment phase and a risk assessment one. The first one serves to classify an RFID application according to a level scale; the objective of this evaluation is to determine if a PIA is necessary and its modality (levels 1, 2 and 3) or lack thereof (level 0). The risk assessment phase aims to characterize the RFID application; identify risks to personal data, their likelihood and their impact with regard to European legislation; identify and recommend controls in response to identified risks; document the PIA process, establish the conditions of the implementation of the application and inform about residual risks.38

According to the Industry proposal, PIA benefits are numerous, notably helping the application operator to "establish and maintain compliance with privacy and data protection laws and regulations, manage risks to its organization and to users of the RFID Application and provide public benefits of RFID Applications while evaluating the success of privacy by design39 efforts at the early stages of the specification or development process".

Briefly, PIA on RFID is a step that Europe took towards the employment of a risk assessment approach to privacy protection. PIA's main objectives are to identify the threats to privacy and data protection, and to apply control measures.40

34 As Charlesworth observes, European Union countries have not given too much attention to PIAs: "While some form of prior checking is provided [...] in legislation, and sometimes actively used, in at least 16 of the Member States, the use of PIAs [...] appears rare. Two Member States that have begun to explore this avenue are Finland and Ireland. Both are at a very early stage in their development work." Andrew Charlesworth, Broad Jurisdictional Report for the European Union (United Kingdom: Linden Consulting Inc., October 2007), 10, http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/lbrouni_piastudy_apph_eur_2910071.pdf.
35 Commission Recommendation C (2009) 3200 final of May 12, 2009. According to the Commission, RFID means "the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio-frequency tag or other data stored on it".
36 http://ec.europa.eu/information_society/policy/rfid/documents/d31031industrypia.pdf, 6 May 2011.
37 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf, 6 May 2011.
38 The PIA Framework phases and objectives observe the Recommendation of 12 May 2009, which specifies obligations to be imposed on operators of Member States: (a) conduct an assessment of the implications of the application implementation for the protection of personal data and privacy, including whether the application could be used to monitor an individual. The level of detail of the assessment should be appropriate to the privacy risks possibly associated with the application; (b) take appropriate technical and organizational measures to ensure the protection of personal data and privacy; (c) designate a person or group of persons responsible for reviewing the assessments and the continued appropriateness of the technical and organisational measures to ensure the protection of personal data and privacy; (d) make available the assessment to the competent authority at least six weeks before the deployment of the application; (e) once the framework for privacy and data protection impact assessments as set out in point 4 is available, implement the above provisions in accordance with it.
39 PIAs are then related to the identification of risks before putting technologies in place. This is an idea that is at the core of Cavoukian's Privacy by Design (PbD) concept. PbD is "a philosophy of embedding privacy into technology, business practices and physical design". Ann Cavoukian, Privacy by Design... Take the Challenge (Canada: Information and Privacy Commissioner of Ontario, 2009), 3, http://privacybydesign.ca/publications/pbd-the-book/.
40 RFID application governing practices, individual access and control, system protection measures, tag protection and accountability measures are some examples.

4. Part three – precautionary principle to regulate privacy?

In the last part the paper will integrate the precautionary principle and PIA. It will reflect on how both of them deal with liability as well as on precaution and the precautionary principle as a tool to enhance privacy and data protection.

4.1. PIA – a procedure of privacy protection

As we noted before, PIA's intent is to be more than a legal compliance check. It intends to promote a comprehensive analysis of the risks posed by new technologies to society as a whole; here PIAs should also address moral and ethical issues,41 but why?
PIA comes to light in the context of RFID, one of the most significant technologies to mark the transition towards the generalized use of information technology in our environments. This generalization will be done within a technological framework of which two of the major characteristics are invisibility and complexity. We can mention the example of nanotechnology, which allows the construction of terminals invisible to the human eye, and wireless technologies such as WiFi or RFID. We can also mention the concept of the Internet of Things, where connecting physical things, from banknotes to bicycles, through a network will let them take an active part in the Internet, exchanging information about themselves and their surroundings.42 These technologies have exceedingly remarkable characteristics, but if they can bring benefits such as the automation of tasks, they increase at the same time the risks for individual liberties – such as surveillance, profiling and ubiquitous tracking. Empowering citizens to master the environment they live in is a path to reduce such risks, and this empowerment depends on how Law and Code will regulate technologies. Here, a discussion as to which values should inspire regulation is inevitable.43

In other words, PIA aims to consider privacy as a societal issue, not only as a legal one. As Clarke remarks:

"There are many public needs, expectations and concerns that are felt by individuals, categories of individuals, and communities that may not be (or may not yet be) reflected in law. A PIA process that overlooks these aspects will result in a design that earns opprobrium from advocacy organizations and the affected public. Hence, despite being legally compliant, schemes that are developed without an appreciation of broader concerns are likely to encounter resistance and to be the subject of complaints and negative media coverage."44

US experience tells us about the effectiveness of PIAs. For example, the E-Government Act of 2002 mandates PIAs for government agencies, which must conduct them, ensure their review by the Chief Information Officer and make them public if practicable.45 Publicity is an important instrument in promoting accountability and must observe the Freedom of Information Act. Nevertheless, the effectiveness of PIAs varies depending on whether there is in-house privacy expertise. More often than not, they are compliance checks completed without a broader analysis of privacy risks.46,47 Furthermore, at the present time there is no statutory law obliging the private sector to conduct PIAs.48

As a risk assessment, PIAs are an instrument for anticipating threats to privacy. However, this intent is limited by the legal regimes of PIA on RFID applications and of liability in European data protection law.

As seen before, PIA is an instrument that aims to identify threats and to propose control measures. The Industry PIA framework assigns the following tasks to the RFID operator: to describe the RFID Application; to identify and list how the RFID Application under review could threaten privacy; to estimate the magnitude and likelihood of those risks; to document current and proposed technical and organizational controls; to mitigate identified risks and to document the resolution (results of the analysis) regarding the Application. In essence, PIA is a process to diagnose risks and propose safeguards. According to the Recommendation of 12 May 2009, Member States shall ensure that operators conduct PIAs.

Meanwhile, European data protection legislation establishes a liability regime based on compensating harm and on a presumption of fault. Article 23 of Directive 95/46/EC49 states that (i) Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered; (ii) the controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

PIAs are a parameter of a general duty of care, and this means that the culpability of an action should be evaluated according to this standard. In this circumstance, if the operator does not carry out a PIA despite being obliged to do so – in other words, if there was a breach of a statutory provision – he must be considered at fault. In contrast, if the operator carried out the PIA and obtained validation by the supervisory authority, there will be no fault on the basis of the accomplishment of the PIA. Conversely, if the operator carries out a PIA without the validation of the supervisory authority, the analysis of fault must consider whether the PIA is or is not adequate to protect privacy and data in a concrete situation. In any case, since Article 23 of Directive 95/46/EC establishes a culpability regime, if there is no fault committed by the operator he is exempt from responsibility. In addition, the duty of care must be time adequate; this means that the risks must be assessed periodically, as established in Item 19 of the Recommendation of May 2009. This periodicity is somehow related to Article 17 of Directive 95/46/EC, which establishes that the security of data processing must observe the state of the art.50

After all, PIA is solely a procedural mechanism of privacy protection. Procedures – like PIAs or prior checks – point to forms to be observed: they are protocols. As protocols, they standardize behaviors assumed to be privacy-friendly, and this is good. Nevertheless, risks of harm exist independently of the accomplishment of procedures and, at this point, the question is to define who will shoulder the burden of harm. With regard to the operator, no liability will exist if threats are not anticipated by the PIA that took place, except if there is fault. The responsibility in this case will follow the Directive's regime.

41 Roger Clarke et al., Privacy Impact Assessments: International Study of their Application and Effects (United Kingdom: Linden Consulting Inc., October 2007), 10, http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/privacy_impact_assessment_international_study.011007.pdf.
42 Future networks and the internet. Early Challenges regarding the "Internet of Things", http://ec.europa.eu/information_society/eeurope/i2010/docs/future_internet/swp_internet_things.pdf, January 4, 2009.
43 Here Poullet emphasizes the importance of information ethics: "How, then, can we conceive this reappropriation of the invisible: that is, both restoring to the Human mastery over the technological interface that is omnipresent in his social relations as well as in his relations with his environment, and at the same time guaranteeing that this interface develops for the benefit of the humanist? The answer consists in an appeal to ethical values. Developing an info-ethics, as one speaks of bioethics with respect to another technology, that of the mastery of life, appears to us to be a duty." Poullet, "Internet et Sciences Humaines ou Comment comprendre l'invisible ?".
44 Clarke, "An Evaluation of Privacy Impact Assessment Guidance Documents".
45 107th Congress, E-Government Act of 2002, sec. 208.
46 Clarke et al., Privacy Impact Assessments: International Study of their Application and Effects.
47 At this point there is a scarcity of information concerning the private sector, as Bennett observes: "It is impossible to gauge the extent of the use of PIAs within the American private sector, although it is probable that assessments of privacy implications have been an integral part of new product and service review for many companies for a long time. They tend to be internal, and often proprietary, analyses whose final products are rarely made public." Bennett, Privacy Impact Assessments: Jurisdictional Report for the United States of America.
48 The Federal Trade Commission's proposal on a framework for privacy protection recommends that, where appropriate, companies "should assess the privacy impact of specific practices, products, and services to evaluate risks and ensure that the company follows appropriate procedures to mitigate those risks". Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, 49.
49 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
50 Concerning the security of processing personal data and the state of the art of technology see Yves Poullet in Buellesbach and Gijrath, Concise European IT Law, 188.
51 Though we do not disregard that a certain kind of reparation can also have a preventive function – in the case of punitive damages.

4.2. When precautionary principle and risk assessment go together

As just stated, in the frame of privacy legislation, risk assessment is a protective procedure that is related to a liability regime based on harm and culpability. In this section the paper will focus on the relations between the precautionary principle, liability and risk assessment.

The effectiveness of legislation grounds itself on the obligation to respond to an act and repair damage. Moreover, liability is twofold: it aims at repairing past damages on the one hand and preventing future damages on the other. Its finality is compensation in the first case and, in the second, deterrence.51 The precautionary principle supports the second objective of liability since it tends to prevent damage. Here we mention the consequences of the adaptation of the precautionary principle with regard to civil liability.

At first, a different notion of harm has to be developed. In principle, harm supposes a loss to a person or their property; then, how does one reconcile this notion with precaution, which aims to avoid loss? A particular regime of responsibility must respond to this question, since we deal with the potential of harm and not actual harm.

Furthermore, the very core of liability regimes based on fault can be modified while implementing the precautionary principle. The foundation of culpability is the general duty of care, which implies that one should avoid exposing others to risks. Compliance with this duty determines if there is fault and, consequently, liability. The precautionary principle affects liability rules through two mechanisms: either by establishing the inversion of the burden of proof or by fixing strict liability based on the risk of the activity. The inversion of proof is admitted as a means to redistribute the onus probandi to the benefit of persons exposed to risks; it implies that if harm takes place, for example, by a technology, it is up to the developer of this technology to prove its harmlessness in order to avoid responsibility.52 However, the discussion about the proof of culpability implies some discussion of fault. Conversely, strict liability based on the risk of the activity tends to dismiss the discussion of fault, since it proposes that even if a person took all the measures to avoid risk, if harm takes place, they will answer for it. This last approach was adopted by European environmental legislation when it establishes that the environmental damage caused by the transport of hazardous substances, for example, implies strict liability disregarding an evaluation of fault.53 In this frame, the discussion about the inversion of the burden of proof seems nonsensical.
Also, an obligation to identify and follow up risks is needed.54 Identifying and following up risks are both actions coherent with the precautionary principle. Scientific knowledge and the perception of threats evolve side by side. As a consequence, a rational approach to threats must take into account the state of knowledge in order to re-evaluate old threats and assess new ones. As Thunis observes, having a dynamic character, the precautionary principle imposes the production of knowledge.55

Risk assessment confronts two types of risks. The first type refers to known risks. They seem to be considered by the PIA framework for radio-frequency applications, which provides that the RFID operator should consider the significance of a risk, the likelihood of its occurrence and the magnitude of the possible impact. After this evaluation the resulting risk level can be classified as low, medium, or high. For example, while implementing an RFID application, an operator can identify a security risk that can be mitigated by the adoption of a specific standard of cryptography. Therefore, this approach supposes that the RFID operator will always face identifiable risks that must be classified and, as we saw before, known risks call for preventive measures.56 Nevertheless, in some cases the degree of uncertainty in evaluating the risks may be too high and prevent a complete assessment; the second type refers then to uncertain risks. It may be the case, for example, of a new application that involves the use of different types of wireless technologies combined with Internet access. Hence, risk assessment and preventive measures may not be enough to face risks that are not fully apprehended by scientific knowledge; where uncertain risks exist there will be room for precautionary measures.

52 At the present time there is no liability on the shoulders of designers and producers of technologies vis-à-vis Directive 95/46/EC. Notwithstanding, binding these actors to privacy rules seems a logical consequence of an approach based on Privacy by Design. For a comprehensive analysis on this subject see Terwangne et al., Rapport sur les lacunes de la Convention n° 108 pour la protection des personnes à l'égard du traitement automatisé des données à caractère personnel face aux développements technologiques, 37–40.
53 See Article 3, 1, a and Annex III of the Directive on environmental liability. European Parliament and Council of the European Union, Directive 2004/35/CE of the European Parliament and of the Council of 21 April 2004 on environmental liability with regard to the prevention and remedying of environmental damage.
54 Viney, "Principe de précaution et responsabilité civile des personnes privées", 1545.
55 Thunis, "Fonctions et fondements de la responsabilité en matière environnementale", 64.
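As an added illustration (not part of the article, nor tooling from the Industry PIA Framework), the following Python sketch models the two-type assessment described above: known risks are rated by likelihood and impact, classified low/medium/high before and after controls, with the residual risk documented, while uncertain risks are routed to precautionary measures and periodic re-assessment. The 1 to 3 scales, the classification matrix, the control effects and the sample register are assumptions made for this example.

```python
"""Toy PIA risk register for an RFID application (added illustration).

The PIA framework as described on this page has the operator rate each risk by
likelihood and impact, classify the result as low/medium/high, record controls
and document the residual risk; risks whose uncertainty is too high for a
complete assessment fall back to precautionary measures.  The numeric scales
and the matrix below are assumptions, not the framework's own values."""
from dataclasses import dataclass, field
from enum import Enum


class Level(str, Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


def classify(likelihood: int, impact: int) -> Level:
    """Assumed 3x3 likelihood x impact matrix (1 = low ... 3 = high)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be on a 1..3 scale")
    score = likelihood * impact
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps by which the control lowers likelihood
    impact_reduction: int = 0      # steps by which the control lowers impact


@dataclass
class Risk:
    description: str
    likelihood: int
    impact: int
    # The page's "second type": uncertainty too high for a complete assessment,
    # so the risk gets precautionary treatment instead of a matrix score.
    uncertain: bool = False
    controls: list = field(default_factory=list)

    def inherent_level(self) -> Level:
        return classify(self.likelihood, self.impact)

    def residual_level(self) -> Level:
        # Controls lower the scores, never below 1 (a risk is never fully gone).
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        im = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return classify(lk, im)


def assess(risks):
    """Return a PIA-style report: classified known risks with their controls and
    residual level, plus uncertain risks routed to precautionary measures and
    periodic re-assessment (the Recommendation requires periodic review)."""
    report = {"known": [], "precautionary": []}
    for r in risks:
        if r.uncertain:
            report["precautionary"].append({
                "risk": r.description,
                "action": "precautionary measures; re-assess as knowledge evolves",
            })
            continue
        report["known"].append({
            "risk": r.description,
            "inherent": r.inherent_level().value,
            "controls": [c.name for c in r.controls],
            "residual": r.residual_level().value,
        })
    return report


# Constructed sample register for a hypothetical transport-card RFID application.
SAMPLE_RISKS = [
    Risk("Tag read by unauthorised reader exposes card identifier", 3, 2,
         controls=[Control("Authenticated, encrypted tag-reader channel",
                           likelihood_reduction=2)]),
    Risk("Travel history in back-end enables profiling", 2, 3,
         controls=[Control("Retention limit and pseudonymisation",
                           impact_reduction=1)]),
    Risk("Combination with WiFi and Internet-connected devices (effects unknown)",
         2, 2, uncertain=True),
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_RISKS), indent=2))
```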
If scientific knowledge is not satisfactory to face these risks, what guidelines shall orient the setting up of precautionary measures? Here, the risk management approach gives us some clues, such as the European Commission Communication of February 2000 on the use of the precautionary principle. The Communication establishes a plan to be followed by the Commission when implementing the precautionary principle. It states that an approach based on this principle shall be started with a scientific evaluation, as complete as possible, and where possible, identifying at each stage the degree of scientific uncertainty. Moreover, before acting, decision-makers shall consider the possibility and the consequences of not acting at all; they also must consider the uncertainties of the scientific evaluation. Risk assessment should be transparent and involve all the interested parties. In addition, some general principles are to be observed: (i) proportionality, which implies that measures should be proportional to the desired level of protection;57 (ii) non-discrimination, which means that comparable situations should not be treated differently and that different situations should not be treated in the same way, unless there are objective grounds for doing so; (iii) consistency, according to which measures should be consistent with the measures already adopted in similar circumstances or using similar approaches; (iv) the cost-benefit analysis of action and lack of action shall be considered;58 (v) the provisional nature of the measures based on the precautionary principle: these measures shall be re-examined and if necessary modified depending on the results of the scientific research and the follow-up of their impact; and (vi) responsibility for producing scientific evidence shall be established.59

Risk assessment and the precautionary principle go together. They are instruments that jointly allocate the evaluation of risks and the cost of damages to producers of goods and services rather than to citizens themselves. Risk assessment values transparency and readiness with regard to identifiable threats: a complete analysis of risks and the adoption of measures to avoid them shall be done. The precautionary principle establishes that, despite the readiness, if something goes wrong, those responsible shall not invoke scientific uncertainty to exempt themselves from liability.

4.3. Which common ground?

With this in mind, how could the precautionary principle and privacy work together? Some remarks can be offered.

The first remark concerns the dilution of liability. As happens in the environmental domain, privacy and data protection laws undergo violations with many victims.60 These are typically mass exposure torts.61 Similar to environmental torts, harm can be caused within a scenario of multiple actors in which it is difficult to identify the one at fault (technology creators, service providers, etc.), and the plurality of causes (data breaches, deficient design, etc.) adds an extra obstacle to determining liability. As a result, legislation faces a setting where causality is complex and establishing liability is challenging. It seems that this element was not disregarded in the opinion of the Article 29 Data Protection Working Party on the PIA framework for radio-frequency applications, where a special concern with regard to individual tracking was considered.

The second remark concerns precaution as a normative value in privacy and data protection legislation. Precaution is "an action taken to avoid a dangerous or undesirable event" or "a caution practised beforehand; circumspection".62 Precaution finds its legal basis in the neminem laedere principle in a wider sense and in the prior checking rules of Directive 95/46/EC63 in a strict one. The principle embraces privacy and data protection legislation as a whole with the intention of avoiding risks by anticipating them; an illustration of the application of the principle is the activity of data protection authorities.64

56 See n 14.
57 ALARA (As Low As Reasonably Achievable) and BATNEEC (Best Available Technology Not Entailing Excessive Cost) are two well-known acronyms in environmental contexts. According to these ideas, precautionary measures should take into account a cost-benefit analysis.
58 It's worth noting that in the Communication the cost-benefit analysis is primarily an economic examination; non-economic considerations such as the protection of health are collateral.
59 As stated by the Commission, "Community rules and those of many third countries enshrine the principle of prior approval (positive list) before the placing on the market of certain products, such as drugs, pesticides or food additives. This is one way of applying the precautionary principle, by shifting responsibility for producing scientific evidence [...]. In cases where such a prior approval does not exist, a clause reversing the burden of proof and placing it on the producer, manufacturer or importer must be included"; the mentioned reversion should be examined on a case-by-case basis. Communication from the Commission on the precautionary principle, 21.
60 For instance, the America Online (AOL) 2006 data leakage incident released data that included 20 million web queries from 650,000 AOL users. Likewise, when Facebook decided to change its terms of service to claim ownership over any user content on their site, it had 175 million active users (today it has more than 500 million). Sources: http://techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data, April 6th 2011, http://edition.cnn.com/2009/TECH/02/17/facebook.terms.service/index.html, April 6th 2011 and www.facebook.com/press/info.php?timeline, April 6th 2011.
61 Poullet and Rouvroy point to risks posed by the current shape of information and communication technologies: "the imbalance of powers between data processors and citizens, the de-contextualization of data, the obscure functioning of some terminals and infrastructures, the reductionism of human beings to profiles and the blotting out of the boundary between private and public sphere". Poullet and Rouvroy, General Introductory Report, 10.
62 "Precaution", The Free Dictionary (Farlex), http://www.thefreedictionary.com/precaution.
63 As cited before, Article 20 of the Directive states that Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof.
The last remark relates to the liability regime. European legislation has imported PIA from environmental law. It has also brought the inversion of the burden of proof. This would imply that, given the harm caused by a new technology to privacy, the burden of proving that this technology is harmless shall be on the shoulders of the creator or operator of this technology. As Clarke and others observe:

"the evolution of PIAs certainly needs to be understood in the context of larger trends in advanced industrial societies to manage risk and the assumption that the burden of proof for the harmlessness of a new technology, process, service or product should be placed upon the promoters, rather than society as a whole. Extrapolated to the area of privacy, this means that personal information systems should be regarded as (relatively) dangerous until shown to be (relatively) safe, rather than the other way around."65

However, the precautionary principle can ground a liability regime that dismisses the discussion on the proof of culpability. In this sense, the principle could bring a substantive change in privacy protection.

Is there room for the application of strict liability rules in data protection? Cases of serious societal harm instigate some thoughts in this direction. The US Health and Human Services web page gives us an example. Also known as the "Wall of Shame", this page lists hospitals, doctors and insurance companies that have reported breaches of medical privacy. In the last couple of years medical records relating to approximately 7.8 million people were improperly exposed.66 Health records are highly sensitive data and deserve particular attention since they reveal intimate information about human beings. Leaks of medical data are an unlicensed disclosure of data by third parties; they are violations of autonomy and human dignity, since every person has the right to manage information regarding their minds and bodies. Another example concerns social network services that manage great amounts of sensitive information such as age, friendships, sexuality and religion. The unauthorized exposure of this data creates risks to these values; exposing children to harmful content and grooming are two serious examples. Some extreme situations question the legitimacy of a data protection liability regime based on culpability. Evaluating the accomplishment of the general duty of care to define liability seems meaningless in a scenario in which harm materially affects fundamental values such as autonomy and human dignity.

With this in mind, what would be the parameters of a strict liability regime for privacy protection? Here, a glimpse of environmental and defective product legislation gives us some clues. The environmental legislation regime is twofold: it is based on fault with regard to harm against protected species and natural habitats, and it establishes a strict liability regime for dangerous activities. Similarly, privacy legislation inspired by this model could keep culpability as the general rule of liability and establish a special regime of strict liability, for example, for activities that pose risks to sensitive data or even for social network services in general. Here, as in Directive 2004/35, the law could create a list of activities whose heightened risk is established ex ante. At this point, the model of the defective products liability Directive67 could also be useful. The Directive creates a strict liability regime based on defining defective products and listing the exceptions to liability (regardless of a discussion of fault). In a similar manner, data protection legislation could list the hypotheses in which strict liability would apply.

5. Conclusions

This work has the intent to glimpse at privacy and data protection from the point of view of the precautionary principle. All things considered, the paper can now convey the reasons why this could work.

The first outcome is that the precautionary principle benefits privacy protection insofar as it emphasizes the normative values of prudence and transparency. In effect, precaution stands for a general duty of care in the frame of liability, which is a corollary of prudence. Prudence and precaution imply that one should behave in such a way as to avoid doing harm to other people; this is not a sign of fear, but a step towards development with security. This is an interesting approach to consider with regard to personal data, in order to avoid creating risks rather than taking countermeasures. In this frame of thinking, PIA works simultaneously with the precautionary principle, since it is a mechanism to evaluate risks rationally in order to sustain decisions,68 and this brings us to transparency. Evaluating risks is a motto constantly repeated in our societies; one shall, according to the European Commission, define what risk level is acceptable to the society on which the risk is imposed.69 In the name of citizens, Industry and Governments evaluate risks in order to justify their decisions. Here, the precautionary principle-risk assessment can work as an instrument to promote democratic debate, since it promotes transparency with regard to the decision-making processes.

could justify the application of the principle; about the manner to arrange the principle (a judgment standard or

64 As Kourilsky and Viney observe in relation to the French context, the activity of the CNIL – Commission Nationale Informatique et Libertés – is mostly oriented to precaution. Kourilsky and Viney, Le principe de précaution, 20.
65 Clarke et al., Privacy Impact Assessments: International Study of their Application and Effects, 13.
66 Freudenheim, "Breaches Lead to Renewed Effort to Protect Medical Data".
67 Council of the European Union, Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products.
68 As the European Commission affirms, "the decision to act or not to act presupposes the identification of potentially negative effects resulting from a phenomenon, product or process as well as a scientific evaluation of the risk which because of the insufficiency of the data, their inconclusive or imprecise nature, makes it impossible to determine with sufficient certainty the risk in question". Communication from the Commission on the precautionary principle, 15.
69 Commission of the European Communities, Communication from the Commission on the precautionary principle, 16.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 424Luiz Costa ([email protected]) M.D. in Law (Pantheon-Sor-
bonne University) Ph.D. Candidate, University of Namur, Namur,
Belgium.
r e f e r e n c e s
Beck Ulrich. Risk society: towards a new modernity. 1st ed. SagePublications Ltd; 1992.
Bennett Colin. Privacy impact assessments: jurisdictional reportfor the United States of America. Linden Consulting, Inc.;October 2007.
BuellesbachAlfred,GijrathSerge, PoulletYves, PrinsCorien.ConciseEuropean IT law. 2nd ed. Kluwer Law International; 2010.
Cavoukian Ann. Privacy by design. Take the challenge.Information and Privacy Commissioner of Ontario, http://privacybydesign.ca/publications/pbd-the-book/; 2009.
Charlesworth Andrew. Broad jurisdictional report for theEuropean union. United Kingdom: Linden Consulting Inc.,http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/lbrouni_piastudy_apph_eur_2910071.pdf; October 2007. June 15th 2011.
Clarke Roger. An evaluation of privacy impact assessmentguidance documents, http://idpl.oxfordjournals.org/content/early/2011/02/15/idpl.ipr002.full; June 15th 2011.
Clarke Roger, Bayley Robin, Bennett Colin, Charlesworth Andrew.Privacy impact assessments: international study of theirapplication and effects. Linden Consulting, Inc., http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/privacy_impact_assessment_international_a legislative one?); about its effects as well as about the
measures to be taken in order to implement the precautionary
principle. These are some paths that could be considered.The second outcome is the precautionary principle func-
tion of improving responsibility in order to protect privacy,
since it identifies a new approach in dealing with risks. Here
the precautionary principle brings to light the irreparable,
uncertainty of scientific knowledge and the possibility of
enforcing liability without fault. Bringing the latter into
discussion will enrich the privacy and data protection
debates. In effect, the precautionary principle assumes that
not all harm can be converted into money. As within the
protection of health or environment, some goods of privacy
may be considered inalienable; paying for the damage shall
not be the sole response of law regarding liability. Further-
more, despite the fact that a decision based on the precau-
tionary principle is nourishedwith a rational PIA, the principle
does not disregard the fact that scientific knowledge is
uncertain and should not be invoked as a reason to exempt
responsibility. This asset takes us to the third remark which is
the possibility to adopt a liability regimewithout fault in order
to enhance privacy protection.
These conclusions pose the outlook for some possible
developments. They raise questions about the consequences
of adapting the principle with respect to obligations and
procedural rules; about the risks (and their graduation) thatstudy.011007.pdf; October 2007. June 15th 2011.European Commission. Future networks and the Internet. Earlychallenges regarding the Internet of things, http://ec.europa.eu/information_society/eeurope/i2010/docs/future_internet/swp_internet_things.pdf; January 4, 2009.
Ewald Francois. Le retour du malin genie. Esquisse dunephilosophie de la precaution. In: Le principe de precautiondans la conduite des affaires humaines. Editions de la Maisondes sciences de lhomme Institut National de RechercheAgronomique; 1994.
Farlex. The free dictionary, www.thefreedictionary.com; n.d.Federal Trade Commission. Protecting consumer privacy in an
era of rapid change, http://www.ftc.gov/os/2010/12/101201privacyreport.pdf; December 2010.
Freudenheim Milt. Breaches lead to renewed effort to protectmedical data. The New York Times. sec. Business Day, http://www.nytimes.com/2011/05/31/business/31privacy.html&sqdata%20breaches&stcse&scp1; May 30, 2011.
Godard Olivier. Introduction generale. In: Le principe deprecaution dans la conduite des affaires humaines. Editionsde la Maison des sciences de lhomme Institut National deRecherche Agronomique; 1994.
Kourilsky Philippe, Viney Genevie`ve. Le principe de precaution,http://lesrapports.ladocumentationfrancaise.fr/BRP/004000402/0000.pdf; August 15, 1999. June 15th 2011.
Machado Leme, Affonso Paulo. Direito Ambiental Brasileiro. 12thed. Malheiros Editores; 2004.
Peel Jacqueline. Precaution e a matter of principle, approach orprocess? Melbourne Journal of International Law 2004;5(2),http://www.austlii.edu.au/au/journals/MelbJlIntLaw/2004/19.html.
Poullet Yves. Internet et Sciences Humaines ou Commentcomprendre linvisible?. In: Presented at the Societe delInformation: De la Recherche a` la Democratie, ParlementWallon; March 15, 2011.
Poullet Yves, Rouvroy Antoinette. General introductoryreport. Conference report. Strasbourg: Council ofEurope and UNESCO, http://portal.unesco.org/ci/en/files/27268/12145631033Intro_gen_rapporteur_Y-Poullet_en.pdf/Intro_gen_rapporteur_Y-Poullet_en.pdf; November15, 2007.
Rolland Sonia Elise. The precautionary principle: development ofan international standard. SSRN eLibrary; 2010.
Sadeleer Nicolas de. Le statut juridique du principe de precautionen droit communautaire: du slogan a la re`gle, http://dialnet.unirioja.es/servlet/articulo?codigo732699; (n.d.).
Sadeleer Nicolas de. The precautionary principle in EU law. AV&S;2010.
Salomon Michel. Heidelberg appeal to heads of states andgovernments, http://legacy.library.ucsf.edu/tid/jmc24e00/pdf;jsessionidA257858421ACB6BB8BD09474714D9359.tobacco01;1992. June 15th 2011.
Terwangne Cecile, Moiny Jean-Philippe, Poullet Yves,Gyzeghem Jean-Marc. Rapport sur les lacunes de la Conventionn108 pou r la protection des personnes a legard du traitementautomatise des donnees a caractere personnel face auxdeveloppements technologiques. Strasbourg: Council of Europe,http://www.crid.be/pdf/public/6559.pdf; November 3, 2010.
Thunis Xavier. Fonctions et fondements de la responsabilite enmatie`re environnementale. In: Les responsabilitesenvironnementales dans lespace europeen: Point de vuefranco-belge, by Genevie`ve Viney, Bernard Dubuisson, andPhilippe Brun, 25e68. Emile Bruylant; 2006.
Viney Genevie`ve. Principe de precaution et responsabilite civiledes personnes privees. Recueil Dalloz 2007;(22):1542e5.
WarrenAdam,Bayley Robin, Bennett Colin, CharlesworthAndrew,ClarkeRoger,OppenheimCharles. Privacy impact assessments:international experiences as abasis forUKGuidance.Computer
Law & Security Review; 2008.
Privacy and the precautionary principle1. Introduction2. Part one the precautionary principle2.1. A principle on international environmental law2.2. A European legal principle2.3. The irreparable and the uncertainty of scientific knowledge2.4. Privacy calling?
3. Part two privacy impact assessment (PIA)3.1. Risk assessment and privacy3.2. PIA in Europe: the RFID case
4. Part three precautionary principle to regulate privacy?4.1. PIA a procedure of privacy protection4.2. When precautionary principle and risk assessment go together4.3. Which common ground?
5. ConclusionsReferences