EDRi’s proposed new Article:
Article 29a – Data Protection Impact Assessment
1. Member States shall provide that where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller’s behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
2. The following processing operations in particular present specific risks referred to in paragraph 1:
(a) any processing operation of the kind referred to in Article 9(1) of this Regulation;
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, including in particular the risk of discrimination being embedded in or reinforced by the operation, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the measures adopted pursuant to this Directive, taking into account the rights and legitimate interests of data subjects and other persons concerned.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
5. Paragraphs 1 to 4 shall not apply if an equivalent assessment has already been carried out during the legislative process leading to the adoption of the legal basis of the processing in question.
Given the often sensitive and invasive processing carried out by law enforcement authorities, there is no justification for not having Data Protection Impact Assessments (DPIAs) in the Directive, while they are, under certain circumstances, mandatory in the General Data Protection Regulation. The Commission’s wording would result in a situation where a shopping mall wanting to install video surveillance would need to carry out a DPIA in accordance with Article 33 of the General Data Protection Regulation, while the police would not have to do so when installing an identical system in the public space just outside the mall. Such a situation would be highly illogical. In order to avoid this, this proposed new Article adapts wording from Article 33 of the General Data Protection Regulation and EDRi’s proposed amendments to it to introduce an equivalent obligation in the Directive. Changes to this effect have also been recommended by the EDPS (pts. 398 – 401 of his opinion) and the Article 29 Working Party (p. 29 of its opinion).