Meta regulation in data protection law: the risk-based approach

Abstract

Abstract Chapter 5 studies in depth the risk-based approach to data protection, including its rationale and its scope. It shows that it is only a partial implementation of meta regulation. Contrary to meta regulation, it refrains from delegating the regulatory function of standard setting to the regulatees. Instead of addressing all of the issues associated with the “diagnosis-prescription”diagnosis-prescription| flaw associated with command and” control (ie the selection of standards that will lead to satisfactory regulatory outcomes, and the adequate implementation/compliance with the latter), it only focuses on the better implementation of the data protection provisions. In any case, it is also predicated upon the responsibilisation, and hence, the risk transformation of data controllers’ activities. Such responsibilisation is to be found in the modern principle of accountability. Beyond the GDPR, many contemporary statutes have adopted a similar risk-based approach (even though not explicitly named as such). These include Canada’s PIPEDAPIPEDA|, Council of Europe Convention 108+Convention 108+|, etc. These various statutes are discussed and contrasted. Key to the discussion are issues such as the safeguards and type of regulatory collaboration these statutes provide for (eg data protection impact assessment), or how the risk management obligations fare in comparison to the ISO 31000 risk management StandardISO:31000 risk management Standard 2009|, which can be considered the canon in this matter. Finally, this chapter also examines a number of policy proposals that featured a different type of risk-based approach. Namely, one that espouses meta regulation’s delegation of the standard setting function to the regulatees.