and should be considered in the risk analysis.
The definition of privacy harms adopted in this book is inspired by Solove’s vivid description of how feared events may affect individuals and society as a whole [140]. It also bears close similarities with the definition of harms proposed by Center for Information Policy Leadership (CIPL) [26].
Definition 2.11 Privacy Harms. Privacy harm is a negative impact of the use of a processing system on a data subject, or a group of data subjects, or society as a whole, from the standpoint of physical, mental, or financial well-being or reputation, dignity, freedom, acceptance in society, self-actualization, domestic life, freedom of expression or any fundamental right.
The above definition takes into consideration the impact on society, because certain harms, like surveillance, are bound to have global impacts such as chilling effect or loss of creativity which are matters for all society, not just individuals. As discussed in Chapter 1, this definition of privacy harms does not concern the impacts on the data controllers or the data processors themselves, which could be considered in a second stage (as indirect consequences of privacy harms) but are not included in the scope of this book.8
2.6 PRIVACY RISKS
The word “risk” is used in this book (as often in the risk management literature) as a contraction of “level of risk.” Levels of risk are generally defined by two values [17, 32, 55]: likelihood and severity.9
The GDPR also refers explicitly to these two dimensions in its Recital 76:
“The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
In the context of privacy, the likelihood characterizes the probability that a privacy harm may be caused by the processing system, and the severity represents the magnitude of the impact on the victims. The likelihood should combine the probabilities that a risk source will initiate a harm scenario, the probability that it will be able to carry out the necessary tasks (i.e., perform the scenario, including the exploitation of the privacy weaknesses of the system, to bring about a feared event) and the probability that the feared event will cause a harm [17]. The likelihood and the severity can be defined in a quantitative or qualitative manner (for example, using a fixed scale such as “low,” “medium,” “high”). Risks are often pictured in two dimensional spaces [33] or matrices [17]. They are also sometimes reduced to a single value through the use of rules to calculate products of likelihoods by impacts [55].
2.7 PRIVACY RISK ANALYSIS
The first goals of a privacy risk analysis are the identification of the privacy harms that may result from the use of the processing system and the assessment of their severity and likelihood. Based on this analysis, decision makers and experts can then decide which risks are not acceptable and select appropriate measures10 to address them. The risk analysis can be iterated to ensure that the risks have been reduced to an acceptable level. Considering that risk analyses always rely on certain assumptions (e.g., about the state-of-the art of the technology or the motivations of the potential risk sources), they should be maintained and repeated on a regular basis. Among the challenges facing the analyst, particular attention must be paid to two main difficulties:
1. the consideration of all factors that can have an impact on privacy risks and
2. the appropriate assessment of these impacts and their contribution to the assessment of the overall risks.
To discuss these issues in a systematic way, we propose in the next chapters a collection of six components (respectively: processing system, personal data, stakeholders, risk sources, feared events and privacy harms), each of them being associated with:
1. categories of elements to be considered for the component11 and
2. attributes which have to be defined and taken into account for the evaluation of the risks.12
Even though they are not necessarily comprehensive, categories are useful to minimize the risks of omission during the analysis. They take the form of catalogues, typologies or knowledge bases in existing methodologies [33, 55]. For their part, attributes help analysts identify all relevant factors for each component. The use of templates in certain methodologies [33] fulfill a similar role. Table A.1 in Appendix A provides a summary of the categories and the attributes suggested for each component.
1The Working Party 29, or Article 29 Working Party, is a group set up under the EU Directive. It includes a representative from each European data protection authority. One of its missions is to provide recommendations to the European Commission and to the public with regard to data protection and the implementation of the EU Directive.
2This person is the “data subject” defined in Definition 2.2.
3Here we define “processing” in the same way as in the EU Directive as “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”
4This issue is further discussed in Section 5.1.
5However, a data subject may act as a risk source for another data subject.
6For example, in the case of video-surveillance systems or location-based services.
7This happened for example in the case of the murder of actress Rebecca Schaeffer in 1989 where the murderer extracted her home address from the Department of Motor Vehicle records [104, 140].
8This phase can typically take the form of a more traditional risk/benefit analysis considering the potential consequences of privacy harms for the controller (mostly in financial, reputational and legal terms).
9The severity is sometimes called the “impact” or “adverse impact” [17, 55].
10In general, the decision can be to accept a risk, to avoid or mitigate it, or to share or transfer it. Mitigation or avoidance measures can be combinations of technical, organizational and legal controls.
11For example, the categories of data being processed by a health information system may include health data, contact data, identification data, genetic data, etc.
12For example, the level of motivation of a risk source or the level of precision of location data.
CHAPTER 3
Processing System
The first step of a privacy risk analysis is the definition of its scope, which requires a detailed and comprehensive description of the processing system under consideration. This description should include all personal data flows between the components of the system and communications with the outside world. This information
