How to build data-driven innovation projects at large with data protection by design
Grafenstein, M. v.
As part of the research project “Data Protection by Design in Smart Cities”, this Discussion Paper consists of a legal-scientific Data Protection Impact Assessment (DPIA) and discusses, on the basis of a technological Smart City project in Berlin (at Ernst-Reuter-Platz), how to build large data-driven innovation projects using a data protection by design strategy. The aim of this evaluation is to demonstrate how a DPIA can help to define a data protection by design strategy ensuring that the project meets the legal and societal expectations. The study illustrates that the EU General Data Protection Regulation does not forbid data-driven innovation projects per se, but rather forces the stakeholders involved to coordinate in due time how to process personal data to avoid unnecessary risks to individuals and the society as a whole. By means of certification schemes and codes of conduct, private companies can use such a data protection by design strategy as a competitive advantage and at least as a business opportunity. However, the study also points out some to-do’s for the regulator: First, this study provides some conceptual clarifications on the methodology of the risk assessment, which are addressed to the Commission nationale de l'informatique et des libertés (CNIL) and the Technology Working Group (“AK Technik”) of the Conference of the German Data Protection Authorities. Second, the regulator should follow its instruction from Art. 40 and 42 GDPR to support micro, small and medium-sized companies to set up certification schemes and codes of conduct for their processing activities. Third, national legislators should use the flexibility clauses in the GDPR to increase legal certainty for data-driven innovation projects, especially in the public interest, by applying a data protection by design strategy as presented. Finally, the EU legislator should reconsider its envisaged approach for the ePrivacy Regulation: instead of focusing on the consent of data subjects as the main legal basis for data processing, the legislator should establish a “legitimate interests”-clause with an obligation to adhere to an appropriate code of conduct or certificate for the processing activity in question.