EDRi’s proposed new recital:
Some forms of processing, such as profiling, the processing of sensitive categories of data, the monitoring of publicly accessible spaces (including video surveillance), as well as the processing of genetic and biometric data or of data on children, present special risks. In order to address these risks, controllers should carry out an assessment of the impact on fundamental rights if they are planning to put sich processing operations in place. These assessment should explain the risks and the measures taken to address them, especially as regards discrimination. Controllers should also seek the view of data subjects or their representatives in this context. This requirement can be waived if an equivalent assessment was already carried out in the process leading to the adoption of the legal basis of the processing operation in question.
Given the often sensitive and invasive processing carried out by law enforcement authorities, there is no justification for not having Data Protection Impact Assessments (DPIA) in the Directive, while they are -under certain circumstances- mandatory in the General Data Protection Regulation. The Commission’s wording would result in a situation where a shopping mall wanting to install video surveillance would need to carry out a DPIA in accordance with Article 33 of the General Data Protection Regulation, while the police would not have to do so when installing an identical system in the public space just outside the mall. Such a situation would be highly illogical. In order to avoid this, EDRi proposes to introduce an equivalent obligation in the Directive with the new Article 29a. Changes to this effect have also been recommended by the EDPS (pts. 398 – 401 of his opinion) and the Article 29 Working Party (p. 29 of its opinion).