In Search of Flexibility

Risk, circumstances and context in interpreting the GDPR

• Dr. Jeroen de Jong

The GDPR lays down many requirements on data processors. Most of those requirements appear to be unconditional and not adaptive to the nature and context of the processing. Those requirements lead to considerable compliance costs for businesses. It is often claimed that the adverse effects of absoluteness and non-scalabiity are mitigated to a large extent by the risk-based approach in Chapter IV of the GDPR. In this article the claim of the mitigating effects of the risk-based approach is addressed by a textual analysis of the meaning of the risk-based approach in Chapter IV of the GDPR. The anaysis shows that the risk-based approach in Chapter IV offers less than promised. However, an analysis of the text of the GDPR demonstrates that risk is a fundamental notion, which not only has an important meaning outside the boundary of Chapter IV of the GDPR, but can be interpreted in line with the other fundamental notions of the GDPR, in order to offer more flexibility. More so if it is combined with the context principle. The context principle, which underlies the GDPR like the risk based approach is just as fundamental, since it draws in the nature of the legal relationship between controller and data subject which is different from situation to situation. An explicitly formulated context principle, like the one in the draft for a Consumer Privacy Bill of Rights, proposed by the United States Government in 2012, may be considered for the future. If a more flexible interpretation of the GDPR, built upon the principles of risk and contextuality, is adopted by regulators and courts the same result can be achieved.