Paper long abstract:

In its 2012 proposal for a General Data Protection Regulation (confirmed in the European Parliament and Council Proposals), the European Commission introduced the obligation for data controllers to perform so-called data protection impact assessments. These in turn, introduce the novel notion of "risk to a right": they should be triggered where "processing operations present specific risks to the rights and freedoms of data subjects".

This paper reflects critically upon the "risk to a right" notion. Granted that they belong within different spheres of knowledge, what kind of relation is instituted? The contribution explores different possible relations (risks or rights, rights as risks, risks within rights), and on this basis, speculates on possible meaning(s) of a risk to a right; keeping in mind that merging the two concepts entails that their respective initial meaning are changed into something that could hardly be predicted in advance. In devising such possible meaning(s), lessons could be learnt from the field of environmental governance, which has now long dealt with the governance of new and emerging technologies. Specifically, it could provide insights to the following questions. What kind of knowledge should be mobilised, who can be involved, and according to which methodologies and principles? The shape and outcome of impact assessments will differ depending on who is allowed to define and answer such questions, which in turn will determine whether the introduction of this methodology in its current form might itself pose a risk to the rights of privacy and data protection.