Privacy and the precautionary principle

Luiz Costa
University of Namur, Namur, Belgium

Keywords: PIA; Precautionary principle; Privacy; Privacy impact assessment

Abstract

The precautionary principle, which implies that where there are threats of serious or irreversible damage, lack of full scientific certainty shall not be used as a reason for postponing protective measures, has been adopted as a standard of environmental and health protection in international and European legislation. This article offers an overview of the precautionary principle as a legal standard applicable to European privacy and data protection legislation. For this reason, it takes particularly into account the guidelines of this legislation as well as the privacy impact assessment framework, raised by the European Commission through the Recommendation on Radio-Frequency Identification applications. In brief, the article stresses the role of the precautionary principle in improving privacy protection through liability, prudence and transparency.

© 2012 Luiz Costa. Published by Elsevier Ltd. All rights reserved.

1. Introduction

From a philosophical point-of-view, the ethical foundation of precaution can be based alternatively on either fear or prudence. Anticipating danger and sensing fear of it would be the basis for human action according to some authors.1 In contrast, its ethical basis can be established on prudence. Prudence, in this context, is the basis of a preventive moral responsibility that demands avoiding future damages. Therefore, precaution implies an active role before challenges; it “does not mean prostration in front of fear, and does not eliminate healthy audacity but is equivalent to environmental security, necessary to give continuity to life”.2

From a practical point-of-view, precaution can be interpreted as an attitude justified by the desire of political participation as well as a reaction against the dilution of liability. In return, citizens want to take part in some decision mechanisms, chiefly those that create risks. In this case, it is expected that people should be aware of these risks before giving their consent to decisions.3 Moreover, promoting precaution as a means to enforce responsibility where multiple actors and causes harden its clarification.

There are good reasons to look for the objectives in enhancing political participation and avoiding the dilution of responsibility in privacy and data protection law. Since relations between citizen-governments and citizen-industry are obviously asymmetric, legislation protects citizens

1 I acknowledge Yves Poullet for our invaluable talks and his patient revision of this work. I also acknowledge Xavier Thunis for his important remarks about the precautionary principle. Kourilsky and Viney observe that fear could be the foundation of a method: ‘it becomes a method, called the “heuristic of fear”. It is the anticipation of the threat and the fear of danger that make it possible to foresee the long-term effects of technical action, and to determine what needs to be safeguarded. This method will result in defining the risks that must never be run’. Philippe Kourilsky and Geneviève Viney, Le principe de précaution (France, August 15, 1999), 34, http://lesrapports.ladocumentationfrancaise.fr/BRP/004000402/0000.pdf.

2 Paulo Affonso Leme Machado, Direito Ambiental Brasileiro, 12th ed. (São Paulo: Malheiros Editores, 2004), 76. In a similar manner Kourilsky and Viney affirm that ‘to the saying “When in doubt, abstain”, the precautionary principle substitutes the imperative: “When in doubt, do everything possible to act for the best”’. Kourilsky and Viney, Le principe de précaution, 5.

3 Regarding environmental law see Philippe Kourilsky and Geneviève Viney, Le principe de précaution (France, August 15, 1999), 15, http://lesrapports.ladocumentationfrancaise.fr/BRP/004000402/0000.pdf.

Available online at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Computer Law & Security Review 28 (2012) 14-24
0267-3649/$ - see front matter © 2012 Luiz Costa. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2011.11.004


counterbalancing the strength of governments and industry. One mechanism of doing that is precisely the aim of the precautionary principle4 in order to avoid risk-taking without a larger public discussion. The promotion of this principle is therefore a way to involve citizens in decision-making. Furthermore, dilution of liability is a problem faced also in the mentioned domain. Violations of personal data can take place in a context with multiple actors and causes, which produce a scenario where causality is complex and, for that reason, it is hard to assign responsibility.

Precautionary principle and risk assessment are both philosophies of a society that poses itself the question of how to allocate the costs of risks and damages caused by producers of goods and services. Both orbit the idea of risk, which may be defined as “a systematic way of dealing with hazards and insecurities induced and introduced by modernization itself. Risks, as opposed to previous dangers, are consequences that relate to the threatening force of modernization and to its globalization of doubt”.5 These two philosophies overlap, as we will see further on.

The precautionary principle talks about prudence, transparency and strong decision-making. As we will see further on, European legislation establishes the precautionary principle as a means to protect the environment and human health6; we speculate that it can be also a means to enhance public awareness of privacy and data protection. We believe that the precautionary principle is a legal standard, applicable to European privacy and data protection legislation; this is our hypothesis and we will examine it through the lens of the European legislation on precautionary principle and privacy impact assessment.

2. Part one: the precautionary principle

2.1. A principle on international environmental law

The precautionary principle has been adopted in some international documents, mainly in the environmental protection domain.

Its first appearance in an international text was in 1987 at the Second International Conference on the Protection of the North Sea (1987), which established that “a precautionary approach is necessary which may require action to control inputs of such substances even before a causal link has been established by absolutely clear scientific evidence”. In the late 1980s we saw the beginning of the sustainable development vision, which aims at protecting natural resources and taking in consideration future generations. In regards to international environmental law this vision culminated in the United Nations Conference on Environment and Development, which took place in Rio de Janeiro in June 1992 and was guided by the values of the global environmental and developmental system protection. The Rio Declaration on Environment and Development is one of the outcomes of this Conference and its Principle 15 establishes that “in order to protect the environment, the precautionary approach shall be widely applied by States according to their capabilities. Where there are threats of serious or irreversible damage, lack of full scientific certainty shall not be used as a reason for postponing cost-effective measures to prevent environmental degradation”.7

Also, a considerable number of environmental conventions previewed the precautionary principle throughout the last twenty years. As in the Rio Declaration of 1992, these international treaties introduced the point that preventive measures shall be taken to avoid damages “even if there is no conclusive evidence of causality between the inputs and the alleged effects”. We can refer to the examples in Article 3, 2 of the Convention on the Protection of the Marine Environment of the Baltic Sea Area (1992),8 Article 14 of the Convention on Biological Diversity (1992)9 and Article 2 of the Convention for the Protection of the Marine Environment of the North-East Atlantic (1992).10

2.2. A European legal principle

In Europe, the precautionary principle was first formalized by Germany during the 1970s as the Vorsorgeprinzip.11 Similarly, European legislation previewed the precautionary principle as a way to protect not only the environment but also human health as in Article 174, 2 in Treaty of Amsterdam: “The Contracting Parties shall apply the precautionary principle, i.e., to take

4 We use the expression “precautionary principle” since we consider it as a standard with legal implications. For further discussion on the use of the terms “precautionary principle” and “precautionary approach” see Sonia Elise Rolland, “The Precautionary Principle: Development of an International Standard”, SSRN eLibrary (2010): 434, Jacqueline Peel, “Precaution - A Matter of Principle, Approach or Process?”, Melbourne Journal of International Law 5, no. 2 (2004), http://www.austlii.edu.au/au/journals/MelbJlIntLaw/2004/19.html and Nicolas de Sadeleer, “Le statut juridique du principe de précaution en droit communautaire: du slogan à la règle” (n.d.), http://dialnet.unirioja.es/servlet/articulo?codigo=732699.

5 Kourilsky and Viney, 21.

6 Article 174, 2 of the Treaty of Amsterdam.

7 Rio Declaration on Environment and Development, www.un.org/documents/ga/conf151/aconf15126-1annex1.htm, April 8, 2011.

8 “The Contracting Parties shall apply the precautionary principle, i.e., to take preventive measures when there is reason to assume that substances or energy introduced, directly or indirectly, into the marine environment may create hazards to human health, harm living resources and marine ecosystems, damage amenities or interfere with other legitimate uses of the sea even when there is no conclusive evidence of a causal relationship between inputs and their alleged effects”.

9 Which establishes countries’ obligations related to the adoption of impact assessment and the minimization of adverse impacts.

10 As stated by the Convention, “preventive measures are to be taken when there are reasonable grounds for concern that substances or energy introduced, directly or indirectly, into the marine environment may bring about hazards to human health, harm living resources and marine ecosystems, damage amenities or interfere with other legitimate uses of the sea, even when there is no conclusive evidence of a causal relationship between the inputs and the effects”.

11 Olivier Godard, “Introduction générale”, in Le principe de précaution dans la conduite des affaires humaines (Paris: Editions de la Maison des sciences de l’homme, Institut National de Recherche Agronomique, 1994), 25.

preventive measures when there is reason to assume that substances or energy introduced, directly or indirectly, into the marine environment may create hazards to human health, harm living resources and marine ecosystems, damage amenities or interfere with other legitimate uses of the sea even when there is no conclusive evidence of a causal relationship between inputs and their alleged effects”. Likewise, some policy orientations have presented the principle, as in the Communication of 30 April 1997 on consumer health and food safety, the Green Paper on the General Principles of Food Law in the European Union of 30 April 1997 and the Communication of the European Commission on the precautionary principle of 2 February 2000.

Furthermore, the precautionary principle has been applied by the Court of Justice of the European Union in several environmental cases as in validating the EC Regulation on controlled substances that deplete the ozone layer12 and on interpreting the EC Directive on the deliberate release into the environment of genetically modified organisms.13 Besides, the jurisprudence of the Court affirmed that the precautionary principle is also applicable to avoid risks to public health.14 As stated by the Court of Justice in a case related to marketing authorizations of medicinal products:

“[...] although the precautionary principle is mentioned in the Treaty only in connection with environmental policy, it is broader in scope. It is intended to be applied in order to ensure a high level of protection of health, consumer safety and the environment in all the Community’s spheres of activity. [...] It follows that the precautionary principle can be defined as a general principle of Community law requiring the competent authorities to take appropriate measures to prevent specific potential risks to public health, safety and the environment, by giving precedence to the requirements related to the protection of those interests over economic interests. Since the Community institutions are responsible, in all their spheres of activity, for the protection of public health, safety and the environment, the precautionary principle can be regarded as an autonomous principle stemming from the above mentioned Treaty provisions” [emphasis added].15

Similarly, in a case involving the exposure of citizens to sodium cyanide, the European Court of Human Rights stated that the precautionary principle should be observed on all European Union activities in order to protect a high level of health, consumers’ security and environment.16

From a legal perspective, the precautionary principle implies that in the face of situations in which there is uncertainty with regards to the existence or extent of risks, protective measures shall be taken without waiting that these risks become fully apparent.17 In the next paragraph the paper considers two aspects of the precautionary principle from a philosophical perspective.

2.3. The irreparable and the uncertainty of scientific knowledge

We are going to stress two assets of the precautionary principle; the first one is related to its position regarding irreparable damages and the second one concerns its point-of-view concerning scientific knowledge.

The first asset refers to distinguishing prevention and precaution. Prevention and precaution are similar, but not equivalent. They are similar since they are both liability principles and are related to a kind of anticipation of harm, which stands for “physical or psychological injury or damage”.18 However, while prevention is the remedy against the exposure with regard to a known harm,19 precaution is meant to avoid the mere possibility of suffering harm or loss.

Prevention is attached to the concepts of identifiable risks and solidarity. As Ewald observes, liability will exist even if there is no link between the cause of the damage and the fault of someone. It does not matter to find out who is guilty but

12 Case C-284/95, Safety Hi-Tech v. S. & T. Srl [1998] ECR I-4301.

13 Case C-6/99, Association Greenpeace France and Others v. Ministère de l’Agriculture et de la Pêche and Others [2000] ECR I-1651.

14 According to the Court of Justice, “the precautionary principle also applies where the Community institutions take, in the framework of the common agricultural policy, measures to protect human health (see, to that effect, Case C-180/96 United Kingdom v Commission [1998] ECR I-2265, paragraph 100, the BSE judgment; and Case C-157/96 National Farmers’ Union and Others [1998] ECR I-2211, paragraph 64, the NFU judgment). It is apparent from Article 130r(1) and (2) of the Treaty that Community policy on the environment is to pursue the objective inter alia of protecting human health, that the policy, which aims at a high level of protection, is based in particular on the precautionary principle and that the requirements of the policy must be integrated into the definition and implementation of other Community policies”. Case T-13/99 [2002] ECR II-3305, Pfizer Animal Health SA v. Council of the European Union.

15 Artegodan GmbH and others v European Commission (Joined Cases T-74/00, T-76/00, T-83/00 to T-85/00, T-132/00, T-137/00 and T-141/00), [2002] All ER (D) 391 (Nov).

16 ‘The Court recalls the importance of the precautionary principle (enshrined for the first time by the Rio Declaration), which is intended to apply in order to ensure a high level of protection of health, consumer safety and the environment across all the activities of the Community’. Zupancic et al., Tatar v. Romania.

17 In this sense, regarding human health protection, see G. C. Rodríguez Iglesias et al., National Farmers’ Union (Court of Justice of the European Union 1998).

18 Farlex, “Harm”, The Free Dictionary, n.d., www.thefreedictionary.com/risk.

19 Preventive measures take place when there are identifiable risks. We can mention the example of the European Court of Justice in the case Leendert van Bennekom. Mr. van Bennekom was prosecuted in the Netherlands for possessing, for the purpose of resale, a large quantity of vitamin and multi-vitamin preparations in violation of Netherlands Law. In the appeal proceedings, one of the questions posed by the District Court of Amsterdam to the European Court of Justice was if it would be permissible for Netherlands law to prohibit the sale or stock for the purpose of supply of vitamins and vitamin preparations through the use of a definition of medicinal product. The response was positive, though the European Court observed that “it is for the national authorities to demonstrate in each case that their rules are necessary to give effective protection [...], in particular to show that the marketing of the product in question creates a serious risk to public health” [emphasis added]. Consequently, prevention is a response to a known (and, in the case, serious) risk. See Fifth Chamber, Leendert van Bennekom (Court of Justice of the European Union 1983).

who is going to undergo the burden of the damage. One example is workers’ compensation for employees injured in the context of their job. Risks at work are known and controllable. Besides this, legislation considers that workers who suffer an accident in the context of their job deserve protection. This protection is expressed through a liability regime that establishes that employees must be compensated, disregarding discussion of fault. The burden of this compensation is then carried by private or public insurance systems. In that sense, liability finds itself on a social report of solidarity.20 Also, prevention is associated with the economic concept of cost internalization, which is “the incorporation of negative external effects, notably environmental depletion and degradation, into the budgets of households and enterprises by means of economic instruments, including fiscal measures and other (dis)incentives”.21

At this point, precaution brings up a different point-of-view. It considers that some damages cannot be repaired or compensated with money because not everything can be converted into money.22 Considerable oil leaks can cause damages to the environment that are irreparable; lives lost in an accident are irreversible. Instead of compensating damage, precaution urges the need to avoid some damages. By and large, precaution establishes a new approach with regard to risk-taking.

Also, precaution implies a certain relativist attitude regarding scientific knowledge.23 In other words, scientific uncertainty is at the core of decisions based on precautionary principle. As the European Commission states: “a decision to take measures without waiting until all the necessary scientific knowledge is available is clearly a precaution-based approach”.24

Scientific knowledge is imperfect. A legal illustration of this assumption is Article 7, e, of Directive 85/374/EEC,25 which provides that: “the producer shall not be liable as a result of this Directive if he proves [...] that the state of scientific and technical knowledge at the time when he put the product into circulation was not such as to enable the existence of the defect to be discovered”. European legislation assumes that actual scientific and technical knowledge are not absolute; they evolve, and they transform themselves. For the producer, the legal consequence of the recognition of the mentioned uncertainty is the exemption of their liability. This is a kind of ex post facto relativity of scientific knowledge, since the law assumes that the damage has already occurred.

In a similar manner, precaution considers that scientific knowledge is not absolute. The difference here is that precaution implies an ex ante relativity of this knowledge since the lack of full scientific certainty does not justify the lack of measure being taken to prevent damages. This skeptic approach is not exempt from harsh critics; in 1992, at the same time that Rio Declaration became public, a considerable number of Nobel Prize winners stated that they:

“subscribe to the objectives of a scientific ecology for a universe whose resources must be taken stock of, monitored and preserved. But we herewith demand that this stocktaking, monitoring and preservation be founded on scientific criteria and not on irrational pre-conceptions. We stress that many essential human activities are carried out either by manipulating hazardous substances or in their proximity, and that progress and development have always involved increasing control over hostile forces, to the benefit of mankind.”26

The argument is founded on the opposition between rational scientific knowledge and irrational precautionary attitude. Nevertheless, as we will see further, the precautionary principle works together with risk assessment in a rational approach of threats. Precaution is related with rational choices with regard to risk-taking. While prevention relates to identifiable risks, precaution concerns hypotheses that have not been scientifically confirmed.27

To put it differently, the precautionary principle fixes responsibility with regards to harm caused to the environment, human health and food safety. The principle implies there are some damages that cannot be compensated with money; it also implies that protective measures must be taken even if there is scientific uncertainty about the threats of damage of an action.

2.4. Privacy calling?

We saw that precautionary principle was expressed in European Legislation as a means to protect not only the environment but also human health in accordance with Article 174, 2 of Treaty of Amsterdam. Moreover, policy orientations mention consumer health and food law as values to be protected by the

20 François Ewald, “Le retour du malin génie. Esquisse d’une philosophie de la précaution”, in Le principe de précaution dans la conduite des affaires humaines (Paris: Editions de la Maison des sciences de l’homme, Institut National de Recherche Agronomique, 1994), 104-105.

21 OECD, “Cost internalization”, Glossary of Statistical Terms, 2001, http://stats.oecd.org/glossary/detail.asp?ID=458.

22 Ewald, “Le retour du malin génie. Esquisse d’une philosophie de la précaution”, 111-112.

23 Ewald, “Le retour du malin génie. Esquisse d’une philosophie de la précaution”, 116.

24 Communication from the Commission on the precautionary principle, February 2, 2000, 8.

25 Council Directive of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products.

26 Michel Salomon, “Heidelberg Appeal to Heads of States and Governments”, 1992, http://legacy.library.ucsf.edu/tid/jmc24e00/pdf;jsessionid=A257858421ACB6BB8BD09474714D9359.tobacco01.

27 In this sense see Nicolas de Sadeleer, “The Precautionary Principle in EU Law”, AV&S (2010): 177. Here we can mention the example of the European Court of Justice decision on case National Farmers’ Union and Others [1998] already referred. The National Farmers’ Union and others contested the emergency measures against bovine spongiform encephalopathy (the “Mad cow disease”), taken by the Ministry of Agriculture following the Commission Decision 96/239/EC. The Commission had banned the export from the UK to other Member States and to third countries of bovine animals, meat of bovine animals and derived products. At the time when the contested decision was adopted, there was great uncertainty as to the risks posed by live animals, bovine meat and derived products. However, the uncertainty of risks was not considered an obstacle to carry out protective measures and the Court ruled that “where there is uncertainty as to the existence or extent of risks to human health, the institutions may take protective measures without having to wait until the reality and seriousness of those risks become fully apparent”. Accordingly, precaution is a response to uncertain risks.

  • precautionary principle. In addition, the Court of Justice of the

    European Union has defined it as a general principle of

    Community law having the mission to prevent specific

    potential risks to public health, safety and the environment.

    In this part the paper examines whether there is a legal basis

    to sustain the application of the precautionary principle with

    regard to privacy and data protection.

    Could the precautionary principle be considered as a legal

    standard not confined to environmental and health protec-

    tion, but instead having a broader scope, especially concern-

    ing privacy and data protection legislation? Before continuing

    this line of questioning we must take a look at the privacy

    impact assessment framework.

Computer Law & Security Review 28 (2012) 14-24

3. Part two: privacy impact assessment (PIA)

3.1. Risk assessment and privacy

As we mentioned before, the precautionary principle and risk assessment are two imbricated philosophies of our risk society.28 In this part we will study risk assessment through the example of PIA on radio-frequency identification (RFID) applications.

Risk assessment is a procedure by which one distinguishes non-plausible from plausible risks and grades the possibility of the latter occurring. PIA is a sort of risk assessment, since it aims to evaluate the potential consequences of an activity on privacy and data protection. Beyond the verification of legal compliance, PIAs have to consider privacy risks in a wider framework that takes into account the broader set of community values and expectations about privacy.29 Consequently, PIAs are related to a kind of political legitimacy of decisions concerning privacy and data protection. In other words, while privacy protection is a legal issue, PIAs, in considering social values, aim to address legal and moral matters.

On the whole, English-speaking countries have seen the spread of PIAs in the last few years. Warren et al. indicate some findings concerning PIAs in an international study30:

"PIAs have been spreading around the advanced industrial world as a result of: legislative requirements; policy guidance by central government agencies; recommendations by privacy and data protection commissioners [...] Organisations have recognised that PIAs can expose and mitigate privacy risks, avoid adverse publicity, save money, develop an organisational culture sensitive to privacy, build trust and assist with legal compliance [...] to be valuable, PIAs need to offer a prospective identification of privacy risks before systems and programmes are put in place [...] PIAs are only valuable if they have, and are perceived to have, the potential to alter proposed initiatives in order to mitigate privacy risks [...] PIA processes vary across a number of dimensions: the levels of prescription, the application, the circumstances that might trigger PIAs, the breadth of the PIA exercise, the agents who conduct PIAs, the timing, the process or review and approval and the level of public accountability and transparency [...] the scope and depth of the PIA needs to be sensitive to a number of crucial variables: the size of the organisation; the sensitivity of the personal data; the forms of risk; the intrusiveness of the technology [...] A PIA screening process is commonly used to determine whether a PIA is required, and if so, the form it should take" [emphasis added].31

28 As Ulrich Beck observes: "Modernization is becoming reflexive; it is becoming its own theme. Questions of the development and employment of technologies (in the realms of nature, society and the personality) are being eclipsed by questions of the political and economic management of the risks of actually or potentially utilized technologies: discovering, administering, acknowledging, avoiding or concealing such hazards with respect to specially defined horizons of relevance. The promise of security grows with the risks and destruction and must be reaffirmed over and over again to an alert and critical public through cosmetic or real interventions in the techno-economic development." Risk Society: Towards a New Modernity, 1st ed. (Sage Publications Ltd, 1992), 20.
29 Adam Warren et al., Privacy Impact Assessments: International experience as a basis for UK Guidance, Computer Law & Security Review, 2008, 235.
30 The study reviewed PIA models in Canada, Australia, the United States, New Zealand and Hong Kong.

PIA walks at a different pace in Europe. European legislation does not establish an obligation to carry out PIAs. Instead, Article 20 of Directive 95/46/EC32 imposes the obligation of conducting prior control of operations that can pose risks to privacy and data protection: (i) Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof; (ii) such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller, or by the data protection official who, in cases of doubt, must consult the supervisory authority; (iii) Member States may also carry out such checks in the context of preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which define the nature of the processing and lay down appropriate safeguards.

Furthermore, Article 20 of Directive 95/46/EC establishes that Member States must set up prior checks in the administrative and legislative contexts. However, there is no specific provision in relation to the carrying out of risk assessments. At this point environmental law is precise, as we can see in Article 2 of Directive 85/337/EEC,33 which provides that Member States shall adopt all measures necessary to ensure that, before consent is given, projects likely to have significant effects on the environment by virtue, inter alia, of their nature, size or location are made subject to an assessment with regard to their effects. Concerning privacy, despite the fact that some form of prior checking rules has been adopted, few EU countries have developed a comprehensive model of risk assessment.34 In addition, it is worth mentioning that, according to Directive 95/46/EC, the supervisory authority must do these prior checks; PIAs, however, should be carried out by operators, in accordance with the Recommendation of 12 May 2009, as we will see below.

31 Adam Warren et al., Privacy Impact Assessments: International experience as a basis for UK Guidance, [2008] 24 Computer Law & Security Review 235.
32 Clarke observes that "The process was institutionalized in 1995 in Article 20 of the European Directive, which mandated what is referred to as 'prior checking' against applicable standards, particularly of sensitive information systems (...)". Roger Clarke, Privacy Impact Assessment: Its origins and development, [2009] 25 Computer Law & Security Review 125. Certainly, Directive 95/46/EC imposes prior checks, but it does not conceptualize PIA.
33 Council Directive 85/337/EEC of 27 June 1985 on the assessment of the effects of certain public and private projects on the environment.

3.2. PIA in Europe: the RFID case

In 2009 a novel development took place at the Community level as the European Commission published a Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.35 RFID marks a new development in the Information Society, where objects equipped with this technology are becoming more and more present in our lives: toll roads, public transport, passports and credit cards are just a few examples. The Recommendation advises that particular attention be paid to privacy and data protection issues in the deployment of RFID. Effectively, RFID and combined technologies create new risks to individual liberties. RFID amplifies the possibilities of profiling, individual tracking and surveillance; furthermore, technical standards are still in development and do not give satisfying solutions to these recent dangers.

This context sets up the basis for the promotion of a risk assessment concerning privacy and RFID in EU countries. The Recommendation affirms that the operator, prior to the implementation of an RFID application, must carry out an assessment of the privacy and data protection implications. Its Article 4 states that Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develop a framework for privacy and data protection impact assessments.

The Industry proposal for a PIA framework was presented in January 201136 and endorsed by the Article 29 Data Protection Working Party in February 2011.37 The PIA process is composed of a pre-assessment phase and a risk assessment one. The first serves to classify an RFID application on a four-level scale; the objective of this evaluation is to determine whether a PIA is necessary and its modality (levels 1, 2 and 3), or not (level 0). The risk assessment phase aims to characterize the RFID application; identify risks to personal data, their likelihood and their impact with regard to European legislation; identify and recommend controls in response to identified risks; document the PIA process; establish the conditions of the implementation of the application; and inform about residual risks.38

According to the Industry proposal, PIA benefits are numerous, notably helping the application operator to "establish and maintain compliance with privacy and data protection laws and regulations", "manage risks to its organization and to users of the RFID Application" and "provide public benefits of RFID Applications while evaluating the success of privacy by design39 efforts at the early stages of the specification or development process".

Briefly, PIA on RFID is a step that Europe took towards the employment of a risk assessment approach to privacy protection. PIA's main objectives are to identify the threats to privacy and data protection, and to apply control measures.40

34 As Charlesworth observes, European Union countries have not given much attention to PIAs: "While some form of prior checking is provided [...] in legislation, and sometimes actively used, in at least 16 of the Member States, the use of PIAs [...] appears rare. Two Member States that have begun to explore this avenue are Finland and Ireland. Both are at a very early stage in their development work." Andrew Charlesworth, Broad Jurisdictional Report for the European Union (United Kingdom: Linden Consulting Inc., October 2007), 10, http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/lbrouni_piastudy_apph_eur_2910071.pdf.
35 Commission Recommendation C (2009) 3200 final of May 12, 2009. According to the Commission, RFID means "the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio-frequency tag or other data stored on it".
36 http://ec.europa.eu/information_society/policy/rfid/documents/d31031industrypia.pdf, 6 May 2011.
37 http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf, 6 May 2011.
38 The PIA Framework phases and objectives observe the Recommendation of 12 May 2009, which specifies obligations that Member States should impose on operators: (a) conduct an assessment of the implications of the application implementation for the protection of personal data and privacy, including whether the application could be used to monitor an individual; the level of detail of the assessment should be appropriate to the privacy risks possibly associated with the application; (b) take appropriate technical and organizational measures to ensure the protection of personal data and privacy; (c) designate a person or group of persons responsible for reviewing the assessments and the continued appropriateness of the technical and organisational measures to ensure the protection of personal data and privacy; (d) make available the assessment to the competent authority at least six weeks before the deployment of the application; (e) once the framework for privacy and data protection impact assessments as set out in point 4 is available, implement the above provisions in accordance with it.
39 PIAs are then related to the identification of risks before putting technologies in place. This is an idea that is at the core of Privacy by Design (PbD), Cavoukian's concept. PbD is a philosophy of "embedding privacy into technology, business practices and physical design". Ann Cavoukian, Privacy by design... Take the Challenge (Canada: Information and Privacy Commissioner of Ontario, 2009), 3, http://privacybydesign.ca/publications/pbd-the-book/.
40 RFID application governing practices, individual access and control, system protection measures, tag protection and accountability measures are some examples.

4. Part three: precautionary principle to regulate privacy?

In the last part the paper will integrate the precautionary principle and PIA. It will reflect on how both of them deal with liability, as well as on precaution and the precautionary principle as a tool to enhance privacy and data protection.

4.1. PIA: a procedure of privacy protection

As we noted before, PIA's intent is to be more than a legal compliance check. It intends to promote a comprehensive analysis of the risks posed by new technologies to society as a whole; here PIAs should also address moral and ethical issues,41 but why?

PIA comes to light in the context of RFID, one of the most significant technologies to mark the transition towards the generalized use of information technology in our environments. This generalization will take place within a technological framework of which two of the major characteristics are invisibility and complexity. We can mention the example of nanotechnology, which allows the construction of terminals invisible to the human eye, and wireless technologies such as WiFi or RFID. We can also mention the concept of the Internet of Things, where connecting physical things, from banknotes to bicycles, through a network will let them take an active part in the Internet, exchanging information about themselves and their surroundings.42 These technologies have exceedingly remarkable characteristics, but if they can bring benefits such as the automation of tasks, they increase at the same time the risks for individual liberties, such as surveillance, profiling and ubiquitous tracking. Empowering citizens to master the environment they live in is a path to reducing such risks, and this empowerment depends on how Law and Code will regulate technologies. Here, a discussion as to which values should inspire regulation is inevitable.43

In other words, PIA aims to consider privacy as a societal issue, not only as a legal one. As Clarke remarks:

"There are many public needs, expectations and concerns that are felt by individuals, categories of individuals, and communities that may not be (or may not yet be) reflected in law. A PIA process that overlooks these aspects will result in a design that earns opprobrium from advocacy organizations and the affected public. Hence, despite being legally compliant, schemes that are developed without an appreciation of broader concerns are likely to encounter resistance and to be the subject of complaints and negative media coverage."44

US experience tells us about the effectiveness of PIAs. For example, the E-Government Act of 2002 mandates PIAs for government agencies, which must conduct them, ensure their review by the Chief Information Officer and make them public if practicable.45 Publicity is an important instrument in promoting accountability and must observe the Freedom of Information Act. Nevertheless, the effectiveness of PIAs varies depending on whether there is in-house privacy expertise. More often than not, they are compliance checks completed without a broader analysis of privacy risks.46,47 Furthermore, at the present time there is no statutory law obliging the private sector to conduct PIAs.48

As a risk assessment, PIAs are an instrument for anticipating threats to privacy. However, this intent is limited by the legal regimes of PIA on RFID applications and of liability in European data protection law.

As seen before, PIA is an instrument that aims to identify threats and to propose control measures. The Industry PIA framework gives the following missions to the RFID operator: to describe the RFID Application; to identify and list how the RFID Application under review could threaten privacy; to estimate the magnitude and likelihood of those risks; to document current and proposed technical and organizational controls; to mitigate identified risks; and to document the resolution (results of the analysis) regarding the Application. In essence, PIA is a process to diagnose risks and propose safeguards. According to the Recommendation of 12 May 2009, Member States shall ensure that operators conduct PIAs.

Meanwhile, European data protection legislation establishes a liability regime based on compensating harm and on a presumption of fault. Article 23 of Directive 95/46/EC49 states that (i) Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered; (ii) the controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

41 Roger Clarke et al., Privacy Impact Assessments: International Study of their Application and Effects (United Kingdom: Linden Consulting Inc., October 2007), 10, http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/privacy_impact_assessment_international_study.011007.pdf.
42 Future networks and the internet. Early Challenges regarding the "Internet of Things", http://ec.europa.eu/information_society/eeurope/i2010/docs/future_internet/swp_internet_things.pdf, January 4, 2009.
43 Here Poullet emphasizes the importance of information ethics: "How, then, can we conceive this reappropriation of the invisible: that is, both restoring human mastery over the technological interface that is omnipresent in our relations, social as well as with our environment, and at the same time guaranteeing a development of this interface for the benefit of the humanist? The answer consists in an appeal to ethical values. Developing an infoethics, as we speak of bioethics with regard to another technology, that of the mastery of life, seems to us a duty." Poullet, Internet et Sciences Humaines ou Comment comprendre l'invisible?
44 Clarke, An Evaluation of Privacy Impact Assessment Guidance Documents.
45 107th Congress, E-Government Act of 2002, sec. 208.
46 Clarke et al., Privacy Impact Assessments: International Study of their Application and Effects.
47 At this point there is a scarcity of information concerning the private sector, as Bennett observes: "It is impossible to gauge the extent of the use of PIAs within the American private sector, although it is probable that assessments of privacy implications have been an integral part of new product and service review for many companies for a long time. They tend to be internal, and often proprietary, analyses whose final products are rarely made public." Bennett, Privacy Impact Assessments: Jurisdictional Report for the United States of America.
48 The Federal Trade Commission's proposal on a framework for privacy protection recommends that, where appropriate, "companies should assess the privacy impact of specific practices, products, and services to evaluate risks and ensure that the company follows appropriate procedures to mitigate those risks". Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, 49.
49 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

PIAs are a parameter of a general duty of care, and this means that the culpability of an action should be evaluated

according to this standard. In this circumstance, if the operator does not carry out a PIA despite being obliged to do so (in other words, if there was a breach of a statutory provision), he must be considered at fault. In contrast, if the operator carried out the PIA and obtained validation by the supervisory authority, there will be no fault on the basis of the accomplishment of the PIA. Differently, if the operator carries out a PIA without the validation of the supervisory authority, the analysis of fault must consider whether the PIA is or is not adequate to protect privacy and data in the concrete situation. In any case, since Article 23 of Directive 95/46/EC establishes a culpability regime, if there is no fault committed by the operator he is exempt from responsibility. In addition, the duty of care must be time-adequate; this means that the risks must be assessed periodically, as established in Item 19 of the Recommendation of May 2009. This periodicity is somehow related to Article 17 of Directive 95/46/EC, which establishes that the security of data processing must observe the state of the art.50

After all, PIA is solely a procedural mechanism of privacy protection. Procedures, like PIAs or prior checks, point to forms to be observed: they are protocols. As protocols, they standardize behaviours assumed to be privacy-friendly, and this is good. Nevertheless, risks of harm exist independently of the accomplishment of procedures and, at this point, the question is to define who will shoulder the burden of harm. With regard to the operator, no liability will exist if threats are not anticipated by the PIA that took place, except if there is fault. The responsibility in this case will follow the Directive's regime.

4.2. When precautionary principle and risk assessment go together

As just stated, in the frame of privacy legislation, risk assessment is a protective procedure that is related to a liability regime based on harm and culpability. In this section the paper will focus on the relations between the precautionary principle, liability and risk assessment.

The effectiveness of legislation is grounded in the obligation to answer for an act and repair damage. Moreover, liability is twofold: it aims at repairing past damages on the one hand and at preventing future damages on the other. Its finality is compensation in the first case and, in the second, deterrence.51 The precautionary principle supports the second objective of liability, since it tends to prevent damage. Here we mention the consequences of the adoption of the precautionary principle with regard to civil liability.

At first, a different notion of harm has to be developed. In principle, harm supposes a loss to a person or their property; then, how does one reconcile this notion with precaution, which aims to avoid loss? A particular regime of responsibility must respond to this question, since we deal with the potential of harm and not actual harm.

50 Concerning the security of processing personal data and the state of the art of technology see Yves Poullet in Buellesbach and Gijrath, Concise European IT Law, 188.
51 Though we do not disregard that a certain kind of repairing can also have a preventive function, in the case of punitive damages.

Furthermore, the very core of liability regimes based on fault can be modified while implementing the precautionary principle. The foundation of culpability is the general duty of care, which implies that one should avoid exposing others to risks. Compliance with this duty determines whether there is fault and, consequently, liability. The precautionary principle affects liability rules through two mechanisms: either by establishing the inversion of the burden of proof, or by fixing strict liability based on the risk of the activity. The inversion of proof is admitted as a means to redistribute the onus probandi to the benefit of persons exposed to risks; it implies that if harm takes place, for example, by a technology, it is up to the developer of this technology to prove its harmlessness in order to avoid responsibility.52 However, the discussion about the proof of culpability implies some discussion of fault. Differently, the

strict liability based on the risk of the activity tends to dismiss the discussion of fault, since it proposes that even if a person took all the measures to avoid risk, if harm takes place, they will answer for it. This last approach was adopted by European environmental legislation when it establishes that the environmental damage caused by the transport of hazardous substances, for example, implies strict liability, disregarding any evaluation of fault.53 In this frame, the discussion about the inversion of the burden of proof makes no sense.

Also, an obligation to identify and follow up risks is needed.54 Identifying and following up risks are both actions coherent with the precautionary principle. Scientific knowledge and the perception of threats evolve side by side. As a consequence, a rational approach to threats must take into account the state of knowledge in order to re-evaluate old threats and assess new ones. As Thunis observes, having a dynamic character, the precautionary principle imposes the production of knowledge.55

52 At the present time there is no liability on the shoulders of designers and producers of technologies vis-à-vis Directive 95/46/EC. Notwithstanding, binding these actors to privacy rules seems a logical consequence of an approach based on Privacy by Design. For a comprehensive analysis of this subject see Terwangne et al., Rapport sur les lacunes de la Convention n° 108 pour la protection des personnes à l'égard du traitement automatisé des données à caractère personnel face aux développements technologiques, 37-40.
53 See Article 3, 1, a and Annex III of the Directive on environmental liability. European Parliament and Council of the European Union, Directive 2004/35/EC of the European Parliament and of the Council of 21 April 2004 on environmental liability with regard to the prevention and remedying of environmental damage.
54 Viney, Principe de précaution et responsabilité civile des personnes privées, 1545.
55 Thunis, Fonctions et fondements de la responsabilité en matière environnementale, 64.

Risk assessment confronts two types of risks. The first type refers to known risks. They seem to be considered by the PIA framework for radio-frequency applications, which provides that the RFID operator should consider the significance of a risk, the likelihood of its occurrence and the magnitude of the possible impact. After this evaluation the resulting risk level can be classified as low, medium or high. For example, while implementing an RFID application, an operator can identify a security risk that can be mitigated by the adoption of a specific cryptographic standard. Therefore, this approach supposes that the RFID operator will always face identifiable risks that must be classified and, as we saw before, known risks call for preventive measures.56 Nevertheless, in some cases the degree of uncertainty in evaluating the risks may be too high and prevent a complete assessment; the second type refers then to uncertain risks. It may be the case, for example, of a new application that involves the use of different types of wireless technologies combined with Internet access. Hence, risk assessment and preventive measures may not be enough to face risks that are not fully apprehended by scientific knowledge; where uncertain risks exist there will be room for precautionary measures.
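The two-phase process the paper describes for RFID (a pre-assessment that places the application on a level 0 to 3 scale, then a risk assessment that scores each identified risk by likelihood and impact into low, medium or high and reports residual risks after controls) can be sketched as a small risk register. The Python below is an added illustration written for this page; it is not code from the article, from the Commission Recommendation or from the Industry PIA Framework. The rule that maps an application to a level, the cut-offs that turn a likelihood times impact score into a level, and the transit-pass sample input are all assumptions made here. It also handles the case this paragraph singles out: a risk whose likelihood cannot yet be estimated is kept apart as "uncertain" instead of being forced into a score, so that it remains visible as a candidate for precautionary measures.

```python
"""Illustrative PIA risk register for an RFID application.

Added example; not code from the article, the Commission Recommendation or
the Industry PIA Framework. The four-level pre-assessment and the
low/medium/high classification follow the text, but the decision rule for
the level and the 3x3 scoring thresholds are assumptions made here.
"""
from dataclasses import dataclass
from typing import Optional

SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RfidApplication:
    name: str
    processes_personal_data: bool      # tag data is, or is linked to, personal data
    tags_carried_by_individuals: bool  # e.g. a transport pass or a passport


@dataclass
class Control:
    description: str
    residual_likelihood: str  # likelihood once the control is in place


@dataclass
class Risk:
    description: str
    likelihood: Optional[str]  # "low"/"medium"/"high", or None if not estimable
    impact: str
    control: Optional[Control] = None


def pre_assessment_level(app: RfidApplication) -> int:
    """Assumed rule: 0 = no PIA needed; 1-3 = PIA required, 3 most intrusive."""
    if app.processes_personal_data and app.tags_carried_by_individuals:
        return 3
    if app.processes_personal_data:
        return 2
    if app.tags_carried_by_individuals:
        return 1
    return 0


def risk_level(likelihood: str, impact: str) -> str:
    """Likelihood x impact on a 1-3 scale; the 3/6 cut-offs are assumed."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(app: RfidApplication, risks: list) -> dict:
    """Run both phases; report classified, uncertain and residual-high risks."""
    report = {"application": app.name, "pia_level": pre_assessment_level(app),
              "classified": [], "uncertain": [], "residual_high": []}
    if report["pia_level"] == 0:
        return report  # level 0: no PIA, so risks are not scored
    for r in risks:
        if r.likelihood is None:
            # Uncertain risk: cannot be scored; flagged for precautionary review
            report["uncertain"].append(r.description)
            continue
        inherent = risk_level(r.likelihood, r.impact)
        residual = (risk_level(r.control.residual_likelihood, r.impact)
                    if r.control else inherent)
        report["classified"].append({
            "risk": r.description, "inherent": inherent, "residual": residual,
            "control": r.control.description if r.control else None})
        if residual == "high":
            report["residual_high"].append(r.description)
    return report


# Constructed sample input: a transit pass whose tag is carried by the rider
# and whose entry/exit reads are linked to a named account.
SAMPLE_APP = RfidApplication("transit pass", True, True)
SAMPLE_RISKS = [
    Risk("Third-party reader harvests the tag's unique identifier", "high", "medium",
         Control("Reader-tag mutual authentication under the chosen "
                 "cryptographic standard", "low")),
    Risk("Trip history linked to a named account is used for profiling",
         "medium", "high",
         Control("Pseudonymise account identifiers; purge history after "
                 "the retention period", "low")),
    Risk("Correlation of tag reads with Wi-Fi and Internet traffic of a "
         "future combined service", None, "high"),  # likelihood not estimable
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_APP, SAMPLE_RISKS).items():
        print(f"{key}: {value}")
```

Run stand-alone, the sample produces a level 3 application with two classified risks (both inherently high, reduced to low and medium by their controls), no residual high risk, and one uncertain risk listed separately; an operator would read that last entry as the point where scoring stops and precaution, in the paper's sense, begins.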

If scientific knowledge is not satisfactory to face these risks, what guidelines shall orient the setting up of precautionary measures? Here, the risk management approach gives us some clues, such as the European Commission Communication of February 2000 on the use of the precautionary principle. The Communication establishes a plan to be followed by the

Commission when implementing the precautionary principle. It states that an approach based on this principle shall start with a scientific evaluation, as complete as possible, identifying where possible at each stage the degree of scientific uncertainty. Moreover, before acting, decision-makers shall consider the possibility and the consequences of not acting at all; they must also consider the uncertainties of the scientific evaluation. Risk assessment should be transparent and involve all the interested parties. In addition, some general principles are to be observed: (i) proportionality, which implies that measures should be proportional to the desired level of protection57; (ii) non-discrimination, which means that comparable situations should not be treated differently and that different situations should not be treated in the same way, unless there are objective grounds for doing so; (iii) consistency, according to which measures should be consistent with the measures already adopted in similar circumstances or using similar approaches; (iv) the cost-benefit analysis of action and of lack of action shall be considered58; (v) the provisional nature of the measures based on the precautionary principle: these measures shall be re-examined and, if necessary, modified depending on the results of the scientific research and the follow-up of their impact; and (vi) responsibility for producing scientific evidence shall be established.59

Risk assessment and the precautionary principle go together. They are instruments that jointly place the evaluation of risks and the cost of damages on producers of goods and services rather than on citizens themselves. Risk assessment values transparency and readiness with regard to identifiable threats: a complete analysis of risks and the adoption of measures to avoid them shall be done. The precautionary principle establishes that, despite this readiness, if something goes wrong, those responsible shall not invoke scientific uncertainty to exempt themselves from liability.

56 See n 14.
57 ALARA (As Low As Reasonably Achievable) and BATNEEC (Best Available Technology Not Entailing Excessive Cost) are two well-known acronyms in environmental contexts. According to these ideas, precautionary measures should take into account a cost-benefit analysis.
58 It is worth noting that in the Communication the cost-benefit analysis is primarily an economic examination; non-economic considerations such as the protection of health are collateral.
59 As stated by the Commission, "Community rules and those of many third countries enshrine the principle of prior approval (positive list) before the placing on the market of certain products, such as drugs, pesticides or food additives. This is one way of applying the precautionary principle, by shifting responsibility for producing scientific evidence [...]. In cases where such a prior approval does not exist, a clause reversing the burden of proof and placing it on the producer, manufacturer or importer must be included"; the mentioned reversal should be examined on a case-by-case basis. Communication from the Commission on the precautionary principle, 21.

4.3. Which common ground?

With this in mind, how could the precautionary principle and privacy work together? Some remarks can be offered.

The first remark concerns the dilution of liability. As happens in the environmental domain, privacy and data protection laws undergo violations with many victims.60 These are typically mass exposure torts.61 Similar to environmental torts, harm can be caused within a scenario of multiple actors in which it is difficult to identify the one at fault (technology creators, service providers, etc.), and the plurality of causes (data breaches, deficient design, etc.) adds an extra obstacle to determining liability. As a result, legislation faces a setting where causality is complex and establishing liability is challenging. It seems that this element was not disregarded in the opinion of the Article 29 Data Protection Working Party on the PIA framework for radio-frequency applications, where a special concern with regard to individual tracking was considered.

The second remark concerns precaution as a normative value in privacy and data protection legislation. Precaution is "an action taken to avoid a dangerous or undesirable event" or "a caution practised beforehand; circumspection".62 Precaution finds its legal basis in the neminem laedere principle in a wider sense and in the prior checking rules of Directive 95/46/EC63 in a strict one. The principle embraces privacy and data

60 For instance, the America Online (AOL) 2006 data leakage incident released data that included 20 million web queries from 650,000 AOL users. Likewise, when Facebook decided to change its terms of service to claim ownership over any user content on its site, it had 175 million active users (today it has more than 500 million). Sources: http://techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data, April 6th 2011; http://edition.cnn.com/2009/TECH/02/17/facebook.terms.service/index.html, April 6th 2011; and www.facebook.com/press/info.php?timeline, April 6th 2011.
61 Poullet and Rouvroy point to risks posed by the current shape of information and communication technologies: the imbalance of powers between data processors and citizens, the de-contextualization of data, the obscure functioning of some terminals and infrastructures, the reductionism of human beings to profiles and the blotting out of the boundary between the private and public spheres. Poullet and Rouvroy, General Introductory Report, 10.
62 Precaution, The Free Dictionary (Farlex), http://www.thefreedictionary.com/precaution.
63 As cited before, Article 20 of the Directive states that Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof.

  • protection legislation as awholewith the intention of avoiding

    risks by anticipating them; an illustration of the application of

    the principle is the activity of data protection authorities.64

    The last remark relates to the liability regime. European

    legislation has imported PIA from environmental law. It has

    also brought the inversion of the burden of proof. This would

    some clues. The environmental legislation regime is twofold;

    it is based on fault with regard to harm against protected

    species and natural habitats and it establishes a strict liability

    regime for dangerous activities. Similarly, privacy legislation

    inspired on this model could keep culpability as the general

    rule of liability and establish a special regime of strict liability,

    for example, to activities that pose risks to sensible data or

    even social network services in general. Here, as in the

    Directive 2004/35, the law could create a list of activities

    whose accentuated risk is established ex ante. At this point,

    the model of the defective products liability Directive67 could

    the European Commission, define what risk level is accept-

    able to the society on which the risk is imposed.69 In the

    c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 4 23imply that, given the harm done caused by new technology to

    privacy, the burden of proving that this technology is harm-

    less shall be on the shoulders of the creator or operator of this

    technology. As Clarke and others observe:

    the evolution of PIAs certainly needs to be understood in the

    context of larger trends in advanced industrial societies to

    manage risk and the assumption that the burden of proof for

    the harmlessness of a new technology, process, service or product

    should be placed upon the promoters, rather than society as

    a whole. Extrapolated to the area of privacy, this means that

    personal information systems should be regarded as (relatively)

    dangerous until shown to be (relatively) safe, rather than the

    other way around .65

    However, the precautionary principle can ground a liability

    regime that dismisses the discussion on the proof of culpa-

    bility. Though, in this sense, the principle could bring

    a substantive change in privacy protection.

    Is there room for the application of strict liability rules in

    data protection? Cases of serious societal harm instigate some

    thoughts in this direction. The US Health and Human Service

    web page gives us an example. Also known as the Wall of

    Shame, this page lists hospitals, doctors and insurance

    companies that have reported breaches of medical privacy. In

    the last couple of years medical records related to approxi-

    mately 7.8 million people were improperly exposed.66 Health

    records are high sensitive data and deserve particular atten-

    tion since they reveal intimate information of human beings.

    Leaks of medical data are an unlicensed disclosure of data by

    third parties; they are violations of the autonomy and human

    dignity since every person has the right to manage informa-

    tion regarding their minds and bodies. Another example

    concerns social network services that manage great amounts

    of sensitive information such as age, friendship, sexuality and

    religion. The unauthorized exposure of this data creates risks

    to these values; exposing children to harmful content and

    grooming are two serious examples. Some extreme situations

    question the legitimacy of a data protection liability regime

    based on culpability. Evaluating the accomplishment of the

    general duty of care to define liability seams meaningless in

    a scenario in which harm sensibly affects fundamental values

    such as autonomy and human dignity.

    With this inmind, what would be the parameters of a strict

    liability regime on privacy protection? Here, a glimpse of

    environmental and defective product legislation gives us

    64 As Kourislky and Viney observe in relation to the Frenchcontext, the CNILs e Commission Nationale Informatique etLibertes - activity is mostly oriented to precaution. Kourilsky andViney, Le principe de precaution, 20.65 Clarke et al., Privacy Impact Assessments: International Study oftheir Application and Effects, 13.

    66 Freudenheim, Breaches Lead to Renewed Effort to ProtectMedical Data.name of citizens, Industry and Governments evaluate risks in

    order to justify their decisions. Here, the precautionary

    principle-risk assessment can work as an instrument to

    promote democratic debate since it promotes transparency

    with regard to the decision-making processes.

    67 Council of the European Union, Council Directive 85/374/EEC of25 July 1985 on the approximation of the laws, regulations andadministrative provisions of the Member States concerning liability fordefective products.68 As the European Commission affirms, the decision to act ornot to act presupposes the identification of potentially negativeeffects resulting from a phenomenon, product or process as wellas a scientific evaluation of the risk which because of theinsufficiency of the data, their inconclusive or imprecise nature,makes it impossible to determine with sufficient certainty therisk in question Communication from the Commission on theprecautionary principle, 15.also be useful. The Directive creates a strict liability regime

    based on defining defective products and listing the excep-

    tions to liability (regardless of a discussion of fault). In

    a similar manner, data protection legislation could list the

    hypothesis where strict liability would have a place.

    5. Conclusions

    This work has the intent to glimpse at privacy and data

    protection under the point-of-view of the precautionary

    principle. All things considered, the paper can now convey the

    reasons of why this could work.

    The first outcome is that the precautionary principle

    benefits privacy protection insofar as it emphasizes the

    normative values of prudence and transparency. In effect,

    precaution stands for a general duty of care in the frame of

    liability, which is a corollary of prudence. Prudence and

    precaution imply that one should behave in such a way as to

    avoid doing harm to other people; this is not a sign of fear, but

    a step towards development with security. This is an inter-

    esting approach to consider with regard to personal data in

    order to avoid creating risks rather than take counter-

    measures. In this frame of thinking, PIA works simulta-

    neously with the precautionary principle, since it is a mecha-

    nism to evaluate risks rationally in order to sustain decisions68

    and this brings us to transparency. Evaluating risks is a motto

    constantly repeated in our societies; one shall, according to69 Commission of the European Communities, Communicationfrom the Commission on the precautionary principle, 16.

  • could justify the application of the principle; about the

    manner to arrange the principle (a judgment standard or

    c om p u t e r l aw & s e c u r i t y r e v i ew 2 8 ( 2 0 1 2 ) 1 4e2 424Luiz Costa ([email protected]) M.D. in Law (Pantheon-Sor-

    bonne University) Ph.D. Candidate, University of Namur, Namur,

    Belgium.

    r e f e r e n c e s

    Beck Ulrich. Risk society: towards a new modernity. 1st ed. SagePublications Ltd; 1992.

    Bennett Colin. Privacy impact assessments: jurisdictional reportfor the United States of America. Linden Consulting, Inc.;October 2007.

    BuellesbachAlfred,GijrathSerge, PoulletYves, PrinsCorien.ConciseEuropean IT law. 2nd ed. Kluwer Law International; 2010.

    Cavoukian Ann. Privacy by design. Take the challenge.Information and Privacy Commissioner of Ontario, http://privacybydesign.ca/publications/pbd-the-book/; 2009.

    Charlesworth Andrew. Broad jurisdictional report for theEuropean union. United Kingdom: Linden Consulting Inc.,http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/lbrouni_piastudy_apph_eur_2910071.pdf; October 2007. June 15th 2011.

    Clarke Roger. An evaluation of privacy impact assessmentguidance documents, http://idpl.oxfordjournals.org/content/early/2011/02/15/idpl.ipr002.full; June 15th 2011.

    Clarke Roger, Bayley Robin, Bennett Colin, Charlesworth Andrew.Privacy impact assessments: international study of theirapplication and effects. Linden Consulting, Inc., http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/privacy_impact_assessment_international_a legislative one?); about its effects as well as about the

    measures to be taken in order to implement the precautionary

    principle. These are some paths that could be considered.The second outcome is the precautionary principle func-

    tion of improving responsibility in order to protect privacy,

    since it identifies a new approach in dealing with risks. Here

    the precautionary principle brings to light the irreparable,

    uncertainty of scientific knowledge and the possibility of

    enforcing liability without fault. Bringing the latter into

    discussion will enrich the privacy and data protection

    debates. In effect, the precautionary principle assumes that

    not all harm can be converted into money. As within the

    protection of health or environment, some goods of privacy

    may be considered inalienable; paying for the damage shall

    not be the sole response of law regarding liability. Further-

    more, despite the fact that a decision based on the precau-

    tionary principle is nourishedwith a rational PIA, the principle

    does not disregard the fact that scientific knowledge is

    uncertain and should not be invoked as a reason to exempt

    responsibility. This asset takes us to the third remark which is

    the possibility to adopt a liability regimewithout fault in order

    to enhance privacy protection.

    These conclusions pose the outlook for some possible

    developments. They raise questions about the consequences

    of adapting the principle with respect to obligations and

    procedural rules; about the risks (and their graduation) thatstudy.011007.pdf; October 2007. June 15th 2011.European Commission. Future networks and the Internet. Earlychallenges regarding the Internet of things, http://ec.europa.eu/information_society/eeurope/i2010/docs/future_internet/swp_internet_things.pdf; January 4, 2009.

    Ewald Francois. Le retour du malin genie. Esquisse dunephilosophie de la precaution. In: Le principe de precautiondans la conduite des affaires humaines. Editions de la Maisondes sciences de lhomme Institut National de RechercheAgronomique; 1994.

    Farlex. The free dictionary, www.thefreedictionary.com; n.d.Federal Trade Commission. Protecting consumer privacy in an

    era of rapid change, http://www.ftc.gov/os/2010/12/101201privacyreport.pdf; December 2010.

    Freudenheim Milt. Breaches lead to renewed effort to protectmedical data. The New York Times. sec. Business Day, http://www.nytimes.com/2011/05/31/business/31privacy.html&sqdata%20breaches&stcse&scp1; May 30, 2011.

    Godard Olivier. Introduction generale. In: Le principe deprecaution dans la conduite des affaires humaines. Editionsde la Maison des sciences de lhomme Institut National deRecherche Agronomique; 1994.

    Kourilsky Philippe, Viney Genevie`ve. Le principe de precaution,http://lesrapports.ladocumentationfrancaise.fr/BRP/004000402/0000.pdf; August 15, 1999. June 15th 2011.

    Machado Leme, Affonso Paulo. Direito Ambiental Brasileiro. 12thed. Malheiros Editores; 2004.

    Peel Jacqueline. Precaution e a matter of principle, approach orprocess? Melbourne Journal of International Law 2004;5(2),http://www.austlii.edu.au/au/journals/MelbJlIntLaw/2004/19.html.

    Poullet Yves. Internet et Sciences Humaines ou Commentcomprendre linvisible?. In: Presented at the Societe delInformation: De la Recherche a` la Democratie, ParlementWallon; March 15, 2011.

    Poullet Yves, Rouvroy Antoinette. General introductoryreport. Conference report. Strasbourg: Council ofEurope and UNESCO, http://portal.unesco.org/ci/en/files/27268/12145631033Intro_gen_rapporteur_Y-Poullet_en.pdf/Intro_gen_rapporteur_Y-Poullet_en.pdf; November15, 2007.

    Rolland Sonia Elise. The precautionary principle: development ofan international standard. SSRN eLibrary; 2010.

    Sadeleer Nicolas de. Le statut juridique du principe de precautionen droit communautaire: du slogan a la re`gle, http://dialnet.unirioja.es/servlet/articulo?codigo732699; (n.d.).

    Sadeleer Nicolas de. The precautionary principle in EU law. AV&S;2010.

    Salomon Michel. Heidelberg appeal to heads of states andgovernments, http://legacy.library.ucsf.edu/tid/jmc24e00/pdf;jsessionidA257858421ACB6BB8BD09474714D9359.tobacco01;1992. June 15th 2011.

    Terwangne Cecile, Moiny Jean-Philippe, Poullet Yves,Gyzeghem Jean-Marc. Rapport sur les lacunes de la Conventionn108 pou r la protection des personnes a legard du traitementautomatise des donnees a caractere personnel face auxdeveloppements technologiques. Strasbourg: Council of Europe,http://www.crid.be/pdf/public/6559.pdf; November 3, 2010.

    Thunis Xavier. Fonctions et fondements de la responsabilite enmatie`re environnementale. In: Les responsabilitesenvironnementales dans lespace europeen: Point de vuefranco-belge, by Genevie`ve Viney, Bernard Dubuisson, andPhilippe Brun, 25e68. Emile Bruylant; 2006.

    Viney Genevie`ve. Principe de precaution et responsabilite civiledes personnes privees. Recueil Dalloz 2007;(22):1542e5.

    WarrenAdam,Bayley Robin, Bennett Colin, CharlesworthAndrew,ClarkeRoger,OppenheimCharles. Privacy impact assessments:international experiences as abasis forUKGuidance.Computer

    Law & Security Review; 2008.

    Privacy and the precautionary principle1. Introduction2. Part one the precautionary principle2.1. A principle on international environmental law2.2. A European legal principle2.3. The irreparable and the uncertainty of scientific knowledge2.4. Privacy calling?

    3. Part two privacy impact assessment (PIA)3.1. Risk assessment and privacy3.2. PIA in Europe: the RFID case

    4. Part three precautionary principle to regulate privacy?4.1. PIA a procedure of privacy protection4.2. When precautionary principle and risk assessment go together4.3. Which common ground?

    5. ConclusionsReferences