Enhancing Compliance under the General Data Protection Regulation: The Risky Upshot of the Accountability- and Risk-based Approach

  • Claudia Quelle
  • Published 1 September 2018
  • Law
  • European Journal of Risk Regulation, pages 502 - 526
The risk-based approach has been introduced to the General Data Protection Regulation (GDPR) to make the rules and principles of data protection law “work better”. Organisations are required to calibrate the legal norms in the GDPR with an eye to the risks posed to the rights and freedoms of individuals. This article is devoted to an analysis of the way in which this new approach relates to “tick-box” compliance. How can the law enhance itself? If handled properly by controllers and supervisory… 
Erosion by Standardisation
This chapter examines the interplay between the GDPR and parallel private regulation in the form of privacy-related standards adopted by the International Organisation for Standardisation, critically reflecting on whether the parallel form of ISO regulation, in the context of DPIAs, could support or rather blur the GDPR's objective to protect fundamental rights by embracing a risk-based approach.
Smart City Privacy: Enhancing Collaborative Transparency in the Regulatory Ecosystem
The SPECTRE project will argue for greater responsibilisation in the smart city environment, by increasing participation of different stakeholders through the development of a collaborative, cost-efficient Data Protection Impact Assessment (DPIA) methodology.
Evolutionary Dynamics of Transnational Private Regulation
  • E. Partiti
  • Political Science
  • SSRN Electronic Journal
  • 2021
This contribution puts forward an approach to account for evolution of transnational private rule-makers. Morphing of organisations, procedures, and rules is suggested as a key strength of various
Analysis Principles of Personal Data Protection on COVID-19 Digital Contact Tracing Application: PeduliLindungi Case Study
It seems that the public will increasingly use the PeduliLindungi application, which was initially used to track the spread of the virus during the COVID-19 pandemic, especially now that it has begun to be planned as an e-wallet and started integrating with several other applications.
AI, big data, and the future of consent
It is proposed that the use of personal data for commercial and administrative objectives could be subject to a ‘soft governance’ ethical regulation, akin to the way that all projects involving human participants are regulated in Australia through the Human Research Ethics Committees (HRECs).
Tackling Algorithmic Disability Discrimination in the Hiring Process: An Ethical, Legal and Technical Analysis
Concerns and opportunities raised by AI-driven hiring in relation to disability discrimination are discussed, some starting points are established, and a roadmap for ethicists, lawmakers, advocates and AI practitioners alike is designed.
The LGPD and the Risk-Based Approach of Corporate Governance: The First Measure for the Controller to Apply the Principles (A LGPD E A Risk-Based Approach Da Governança Corporativa: A Primeira Medida Para O Controlador Aplicar Os Princípios)
Law No. 13.709/2018 (General Data Protection Law) established guidelines for the processing of the data of Brazilian natural persons, which must be adopted by the controller and balanced with the
Risk Regulation of AI: Normative Challenges and Political Decisions. Statement on the European Commission's White Paper "On Artificial Intelligence ‒ A European approach to excellence and trust" (Risikoregulierung der KI: normative Herausforderungen und politische Entscheidungen. Stellungnahme zum Weißbuch der Europäischen Kommission „Zur Künstlichen Intelligenz ‒ ein europäisches Konzept für Exzellenz und Vertrauen“)
We are grateful for the opportunity to comment on the White Paper "On Artificial Intelligence ‒ A European approach to excellence and trust" (COM(2020) 65 final, of 19.2.2020).
The Unbearable Lightness of Personal Data Processing by Public Administration Bodies (Nesnesitelná lehkost zpracování osobních údajů orgány veřejné správy)
The Act on the Processing of Personal Data introduced some specific rules for the processing of personal data by public authorities and public bodies. One of these specifics is the impossibility of imposing
Data Breaches and GDPR


Legitimate interest of the data controller. New data protection paradigm: legitimacy grounded on appropriate protection
It can be argued that the Draft Regulation contains a set of requirements and obligations that can be described as a comprehensive 'Data Protection Compliance Program' ("DPCP") which itself creates an "appropriate balance" between data protection and free flow of information/data.
The EU data protection reform and the challenges of big data: remaining uncertainties and ways forward
As the first broad reform of the EU data protection legislation is being achieved, and notwithstanding EU institutions’ confident discourse, scepticism remains about the reform’s ability to
Privacy, proceduralism and self-regulation in data protection law
This paper conceptualizes EU data protection law as a largely procedural regulation of the boundaries between the public and the private. The GDPR regulates the processing of personal data through a
Data Protection Impact Assessments: A Meta-Regulatory Approach
Privacy and Data Protection Impact Assessments (PIAs/DPIAs) are tools for organisations to manage privacy risks. They emerged in various jurisdictions from the 1980s, initially as a purely
Really Responsive Risk-Based Regulation
Regulators in a number of countries are increasingly developing "risk-based" strategies to manage their resources, and their reputations as "risk-based regulators" have become much lauded by
Meta-Regulation: Legal Accountability for Corporate Social Responsibility
The law is traditionally concerned with accountability - 'holding people to threshold criteria of good conduct and performance'. Responsibility goes beyond accountability to ask how much people 'care
The trouble with European data protection law
The trouble with Harry, in Alfred Hitchcock’s 1955 movie, is that he's dead, and everyone seems to have a different idea of what needs to be done with his body. The trouble with European data
The law of everything. Broad concept of personal data and future of EU data protection law
Article 29 Working Party guidelines and the case law of the CJEU facilitate a plausible argument that in the near future everything will be or will contain personal data, leading to the