ECPR

Install the app

Install this application on your home screen for quick and easy access when you’re on the go.

Just tap Share then “Add to Home Screen”

View the Current Event

The Politics of Data Protection Impact Assessments

Governance
Policy Analysis
Regulation
Knowledge
Qualitative
Big Data
Benjamin Bergemann
WZB Berlin Social Science Center
Benjamin Bergemann
WZB Berlin Social Science Center
Data Activism and Data Governance

Abstract

Despite criticism, data protection remains the primary tool through which "Big Data" is regulated and politicized in the EU (Bellanova 2017). The European data protection regime has undergone contested reform, culminating in the General Data Protection Regulation (GDPR) has been introduced. With the GDPR’s entry into application in May 2018, the politics of data protection are far from over. The GDPR remains a collection of abstract rules and principles that need to be applied to the world of data driven technologies. Yet, the GDPR introduces a particular instrument to address the problem of putting principles into the practice: the Data Protection Impact Assessment (DPIA). According to the GDPR, operators of data processing technologies "likely to result in a high risk to the rights and freedoms of natural persons" need to conduct a DPIA by describing their planned operations, the data protection risks they cause and how to address them (GDPR, article 35). Data controllers are obliged to conduct a DPIA "prior to the processing". Under specific circumstances they need to consult the data protection authorities (article 36) and "seek the views of data subjects or their representatives" (article 35.9). The GDPR lists automated processing (e.g. profiling), large-scale processing and systematic monitoring as likely cases for DPIAs (article 35.3). Infringing the GDPR’s DPIA provisions can be fined with up to 10 000 000 EUR (article 83.4). Not least due to the hefty fines, DPIAs will "constitute an important site for the governance of the innovation of new information technologies" (van Dijk et al. 2016). The design of the DPIA rules has led to political debate both prior and after the adaption of the GDPR. The actors involved frame their engagement in technical terms, asserting that they want to make the most out of this new tool (see Kloza et al. 2017). In contrast, I want to foreground the politics of DPIAs. The aim of my paper is to analyze the introduction of DPIAs as a political conflict in which actors struggle to institutionalize their understanding of a proper DPIA. This necessarily involves struggling over what data protection is about and who should have a say in the data protection regime. I understand the politics of DPIAs as "meta-governance, i.e. the governance of governance" (Jessop, 2003) where actors "enter into a debate about the relevant rules, norms and understandings underpinning their practices" (Hofmann et al., 2016). To analyze the politics of DPIAs, I draw on Hajer’s (1993) discourse coalitions approach, mapping the different actors, their arguments and their respective ideas and story lines that, if successful, institutionalize into concrete policies and organizational practices such as DPIAs. First, I analyze the conflicts during the legislative process of the GDPR. Second, I map the discourse coalitions around DPIAs after the adaption of the GDPR, drawing on key documents such as the Article 29 Working Party guideline on DPIAs. Thereby, I set out to show whose and which understandings of DPIAs become dominant and which voices and ideas remain at the margins.