A risk to a right? Beyond data protection risk assessments

The proposal for a new European Data Protection Regulation introduces the novel obligation of performing data protection assessments. Since these assessments will become a mandatory exercise for those in control of data processing systems, they will become an important apparatus for the governance of new and emerging information technologies. This tool, and in particular the notion of “risks to the rights and freedoms of data subjects” which is at its core, epitomises the shift from classical legal practice to more risk-based approaches. Merging risks and rights in the proposed fashion could change their meanings into something hardly predictable. This contribution proposes to explore the nature of the relation between both concepts within the assessment of a “risk to a right”. It will start by mapping out the various relations that exist between risks and rights in different practices. This should serve to identify gaps in the way DPIAs are currently operationalised and might well determine whether the introduction of this methodology in its current form might itself pose a risk to the rights of privacy and data protection. In turn however, it can provide opportunities for improvement and for lessons to be drawn from other practices and expertise that strike different relations between risks and rights, like the ones found in environmental governance and courts.