Privacy Risk Analysis. Sourya Joyee De


Privacy Risk Analysis - Sourya Joyee De Synthesis Lectures on Information Security, Privacy, and Trust


work has already been carried out on PRA in the computer science community [39, 40, 52, 169] but the results of these efforts are not yet integrated within existing PIA frameworks. A first step toward a better convergence between PIA frameworks geared toward legal and organizational issues on the one hand, and technical approaches to PRA on the other, is to agree on a common terminology and a set of basic notions. It is also necessary to characterize the main tasks to be carried out in a privacy risk analysis, together with their inputs and outputs.

      Surveys of current practices and recommendations have already been published for PIAs [29, 160, 163, 164] but, as far as we know, not for PRAs. The goal of this book is to fill this gap by providing an introduction to the basic notions, requirements and key steps of a privacy risk analysis. Apart from Chapter 9, in which we put PRA into the context of PIA, we focus on the technical part of the process here. For example, we do not consider legal obligations such as the obligation to notify the supervisory authority before carrying out personal data processing (in European jurisdictions). Neither do we discuss the organization of the stakeholder consultation, which forms an integral part of a PIA.

      Another choice made in this book is to focus on privacy risks for persons (including individuals, groups and society as a whole) who suffer from privacy violations, rather than the risks for organizations processing the data (data controllers or data processors in the European terminology). Certain frameworks [55, 106, 107] integrate both types of risks, but we believe that this can be a source of confusion because, even if they are interrelated, these risks concern two types of stakeholders with different, and sometimes conflicting, interests. The privacy-related risks to businesses, or to organizations in general, can be analyzed in a second stage, once privacy risks for persons have been evaluated, since the former can be seen as indirect consequences of the latter.

      Chapter 2 sets the scene with a review of the common terms used in privacy risk analysis, a study of their variations and a definition of the terminology used in this book. We proceed with detailed presentations of the components of a privacy risk analysis and suggestions of classifications, considering successively processing systems (Chapter 3), personal data (Chapter 4), stakeholders (Chapter 5), risk sources (Chapter 6), feared events (Chapter 7) and privacy harms (Chapter 8). Then, we show how all the notions introduced in this book can be used in a privacy risk analysis process (Chapter 9). We conclude with a reflection on security and privacy risk analysis and avenues for further work (Chapter 10).

      We use a running example in the area of smart grids (the BEMS System introduced in Chapter 3) to illustrate all the notions discussed in this book.

      1 Conducting a PIA will become mandatory for certain categories of personal data processing.

      CHAPTER 2

       Terminology

      Before getting into the substance of the matter, it is necessary to define precisely the main concepts involved in a privacy risk analysis. Indeed, technical terms are not always used in a consistent way in this area and different authors sometimes use the same words with different meanings. The objective of this chapter is to set the scene and introduce the terminology used throughout this book.

      In the following subsections, we define successively the notions of:

      1. personal data, which is the object of protection;

      2. stakeholders, which relate to or handle personal data at various stages of their lifecycle;

      3. risk sources, which may cause privacy breaches;

      4. feared events, which may lead to privacy harms; and

      5. privacy harms, which are the impacts of privacy breaches on individuals, groups of individuals or society as a whole.

      Some of these notions, such as privacy harms, have been extensively discussed by legal scholars even though they have received less attention from lawmakers. Others, such as personal data, are defined by privacy laws and regulations. Still others, such as feared events, have been used only by certain data protection authorities. However, even for terms that are well discussed, there is generally no single interpretation of their meaning. Therefore, in the following sections we provide a concise definition of each of these terms (which will be further discussed in the next chapters). For some of them, we agree with one of the existing definitions, while for others we provide our own and justify our choice. In the rest of the book, unless otherwise mentioned, these terms will be used in the sense defined in this chapter.

      Both the European Union (EU) and the United States (U.S.) privacy regulations rely on notions of “data” or “information” but they follow different approaches. While the EU defines the notion of “personal data,” the U.S. refers to “personally identifiable information” (or “PII”). The use of these terms reveals substantial differences in the ways of considering privacy on each side of the Atlantic.

      The notion of personal data used in this book is mainly inspired by the definitions provided by the EU Data Protection Directive (“EU Directive” in the sequel) [47] and the EU General Data Protection Regulation (“GDPR” in the sequel) [48]. The primary reason for this choice is that the EU provides a single, uniform definition, which contrasts with the multiple, competing attempts at defining PII in the U.S. [134, 135].

      Article 4(1) of the GDPR [48] defines personal data as follows:

      “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

      The GDPR (Recital 26) adds a clarification about pseudonymization and identification: “Personal data which has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”

      This position is inspired by the Working Party 29.1 Opinion 08/2012 [10] suggesting that “any information allowing a natural person to be singled out and treated differently” should be considered as personal data. Our definition of personal data is in line with the approaches followed by the GDPR and the Working Party 29.
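The two properties invoked by Recital 26 and the Working Party 29 opinion, that pseudonymised data can be attributed to a person with additional information, and that a consistent pseudonym still allows a person to be singled out and treated differently, can be made concrete with a small script. The following is an added example written for this page, not code from the book or its BEMS running example; the records, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (hypothetical daily consumption readings).
# Each record carries a direct identifier, the person's name.
RECORDS = [
    {"name": "Alice Martin", "day": "2023-01-01", "kwh": 12.4},
    {"name": "Bob Lee",      "day": "2023-01-01", "kwh": 8.1},
    {"name": "Alice Martin", "day": "2023-01-02", "kwh": 13.0},
    {"name": "Alice Martin", "day": "2023-01-03", "kwh": 11.9},
    {"name": "Bob Lee",      "day": "2023-01-02", "kwh": 7.7},
]


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated for readability.
    The key is the 'additional information' that lets its holder attribute the
    pseudonym back to a natural person."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(key: bytes, records):
    """Replace the direct identifier by a keyed pseudonym.
    Returns the pseudonymised records and the lookup table the controller keeps."""
    table = {}
    out = []
    for r in records:
        p = pseudonym(key, r["name"])
        table[p] = r["name"]
        out.append({"subject": p, "day": r["day"], "kwh": r["kwh"]})
    return out, table


def single_out(pseudonymised):
    """Group readings by pseudonym. A party WITHOUT the key can still link all
    of one person's records and treat that person differently: this is the
    'singling out' that keeps the data personal under Recital 26."""
    groups = defaultdict(list)
    for r in pseudonymised:
        groups[r["subject"]].append(r["kwh"])
    return dict(groups)


def attribute(table, subject):
    """With the additional information (the lookup table, or the key itself),
    a pseudonym is attributed back to an identified natural person."""
    return table.get(subject)


def demo():
    key = b"constructed-demo-key"  # placeholder; a real key is a secret held by the controller
    pseud, table = pseudonymise(key, RECORDS)
    groups = single_out(pseud)
    # The heaviest consumer can be singled out from the pseudonymised data alone...
    top = max(groups, key=lambda s: sum(groups[s]) / len(groups[s]))
    return {
        "distinct_subjects": len(groups),
        "records_of_top_subject": len(groups[top]),
        # ...and, given the additional information, attributed to a named person.
        "top_subject_attributed": attribute(table, top),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a risk analysis is that removing the name column does not take the dataset out of scope: whoever holds the key (or the lookup table) can re-attribute every record, and whoever merely holds the pseudonymised records can still build per-person profiles. Both possibilities have to appear in the analysis as means "reasonably likely to be used".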

      Definition 2.1 Personal Data [10, 47, 48]. Personal data is any information relating to an identified or identifiable natural person2 and any information allowing such a person to
