The Risk Revolution In Eu Data Protection Law

The risk-based approach has been introduced to the GDPR to make the rules and principles of data protection law 'work better'. Since controllers are formally responsible and accountable for the way in which they implement the GDPR, the notion of risk is used to enable them to determine the technical and organisational measures which they should take. This chapter will argue, however, that it is impossible to require controllers to calibrate compliance measures in terms of risk, whilst maintaining that this does not affect the legal obligations to which they are subject. We cannot have our cake and eat it, too. Section II first defines the risk-based approach and distinguishes it from a harm-based approach, as well as from risk regulation, risk-based regulation and risk management. The risk-based approach introduces the notion of risk as a mandatory reference point for the calibration of legal requirements by controllers. Section III explicates the relationship between 'risk' and the obligations of controllers, as addressed, in particular, by articles 24 (responsibility), 25(1) (data protection by design) and 35 (data protection impact assessment). It argues that controllers have to take into account the risks when they take measures to implement the GDPR. In combination with the data protection impact assessment, this development can buttress a substantive turn in data protection law. The other side of the coin is, however, that controllers are entrusted with the responsibility not only to improve upon the data protection obligations specified by the legislature, but also to second-guess their use in the case at hand. Section IV argues that none of the obligations of the controller were fully risk-based to start with. In fact, the risk-based approach is in direct conflict with the non-scalability of the provisions in Chapter III (rights of the data subject).