Data Protection Impact Assessment under the EU General Data Protection Regulation: A feminist reflection

Abstract

Can the Data Protection Impact Assessment (DPIA) under Article 35 General Data Protection Regulation (GDPR) address the power imbalances between those in control of information and the most vulnerable and marginalised persons to whom this information refers? Put another way, can DPIA be considered a feminist tool?Whilst data protection scholars and regulators consider DPIA a promising instrument for the protection of the fundamental rights threatened by personal data processing, particularly when performed by automated systems, a feminist critique thereof, essential to comprehensively evaluate whether such optimism is justified, is still missing. This contribution addresses this knowledge gap using a combination of doctrinal and non-doctrinal analysis, feminist legal methods and intersectionality.Building on the state of the art about DPIA, I revisit its advantages and drawbacks through feminist lenses, concluding that DPIA cannot be considered a feminist tool as such. Yet, it could still serve feminist goals and become an empowering instrument for data subjects. For that, my proposals are to incorporate feminist legal methods and intersectionality principles in the process and to conceptualise a “right to DPIA”.