I’ve run across the promotional material for a new book by David Wright and Paul De Hert, Privacy Impact Assessment, Springer, Dordrecht, 2012. They argue that the book ‘is timely as the European Commission’s proposal for a new Data Protection Regulation would make privacy impact assessments mandatory for any organisation processing “personal data where those processing operations are likely to present specific risks to the rights and freedoms of data subjects”’. I find the whole idea of the privacy impact assessment (PIA) to be far too uncritically accepted by far too many within the privacy community.
My own sense is that this sounds good, parallel to an ‘environmental impact assessment’ (EIA). But the history of the EIA should alert us to the likelihood that impact assessments will not prevent risks to privacy and data protection. To the contrary, they are likely to cover the backside of actors who can say they submitted a risk assessment, to be limited to a primarily symbolic victory for privacy, and to raise the costs of all software and systems development, creating a new set of businesses employed to write PIAs for organizations.
The concept of a privacy impact assessment is one of those initiatives that sounds good, and rings all the right bells to be politically popular, but that will not accomplish its intended aims and will undoubtedly have negative, unintended consequences. I hope the privacy community takes a more critical look at the rhetoric in support of this bureaucratic silver bullet, which carries its own risks.
I am happy to receive comments, as I am sure my view is a minority opinion, but every discussion of the issue convinces me all the more that the PIA is a mistake. I hope some bright students begin to evaluate the actual impact of the PIA.