During the session “Data Protection and Defining Personal Information” at the annual Conference of Data Protection and Privacy Commissioners in Mexico City last November, one panelist asserted that privacy regulators need a better toolkit. Specifically, Prof. Charles Raab of the University of Edinburgh said regulators need to better understand probability theory, statistics and risk analysis. The Privacy Advisor caught up with Prof. Raab recently to find out why he feels this is important.

There has been much concern in recent years that data protection authorities (DPAs) or privacy commissioners do not have sufficient knowledge of information and communication technologies (ICTs). This lack is said to leave DPAs prey to the pleading of special interests who are concerned to portray technological development as innocuous in terms of its effects on privacy and other social values that DPAs are supposed to protect. Many DPAs cannot find the resources to hire technologically knowledgeable staff at levels high enough, and in the numbers that might be required, to make a difference. Of course, other governing institutions that make or carry out public policy are at the same disadvantage: how many legislatures and executives are up to speed on ICTs? Especially at a time when Privacy by Design (PbD), and related tools such as Privacy-enhancing technologies (PETs) and Privacy Impact Assessment (PIA) are to the fore as privacy protection instruments, how can DPAs and others adequately assess the impact of the latest technologies and information processes so that they can take appropriate regulatory action?

These concerns are valid, and they highlight crucial issues for privacy protection. But it is also important—as part of technological understanding, but not only for that reason—that DPAs have a grasp of probability theory, statistics and risk analysis. This is because so much of the debate about technology, privacy and security (both information security and national security) revolves around evaluations of the likelihood of events and broader phenomena happening, so that laws, technical solutions and regulatory activity can be at least commensurate with the threats, and at best anticipate them. For different reasons—competing interests included—different proponents or critics of ICTs and their application promote light or dark scenarios about the benefits and losses of new innovations, playing up or playing down the benefits or the dangers. Regulators have to make up their own minds about this, and they are handicapped without an understanding of the likelihood and severity of privacy risks. How far should they entertain worst-case scenarios? How far should they espouse glowing visions of the technical boon? How should they develop their regulatory strategy around applications of the precautionary principle, or should they instead wait for things to happen and then respond resiliently?

PbD and PIA are predicated on an appreciation of the probabilities and magnitudes of the consequences of using certain technologies, and they are founded on a basis that includes, at its very centre, the assessment of risk. This requires both conceptual understanding and numeracy, and a socio-technical perspective on the ICTs and systems to which DPAs are supposed to apply laws, codes and other instruments of regulation. The latter include raising the level of public understanding; education about risk questions is at least implicit in this. How likely are data breaches? How likely are we to suffer harm from them? How large are the dangers of putting huge quantities of personal data on social networking sites? How many crimes would go undetected without the creation of yet more inter-operative databases of personal information, and is that a risk we can live with? Finer discriminations are needed than to say, too simply, that “x poses (or does not pose) a threat to privacy (or to national security),” or that “you are (or are not) at risk through this form of data processing.” If they had the ability and inclination to do so, DPAs would be in a good position to offer guidance on these questions. They could demand evidence and sound reasoning—ideally, scrutinised publicly—from interested parties when claims are made or denied about the privacy-friendliness or the necessity and proportionality of new ICTs, information systems and applications. Many DPAs may already act in something like this way, because assessments of necessity and proportionality are central to many regulatory judgments that are made daily, and to the developing jurisprudence on privacy. But how well equipped are DPAs to get their minds around the risk issues and to analyse them in a nuanced and sophisticated way? Arguably, as little equipped as they are to understand how technologies work, and what they are capable of, let alone what their social and privacy consequences might be. How can they do better?

This note is not the place to develop these points in any depth, or to explore the complex issues of improving regulatory policy and practice to which they give rise. But the IAPP might be well placed to take up these matters, along with academics and others, from its own vantage point. It could provide the means and locus for focusing attention and deliberation on what, precisely, DPAs—not uniquely—need to know about risk, and how they might acquire and incorporate the necessary knowledge and understanding within their own structures. Many DPAs are already in the throes of taking stock of their roles as they enter a new era of global information flows and patterns, new regulatory challenges and new legislation—for instance, the new European Union regulatory pattern that will supersede the 1998 European Data Protection Directive. This would be an opportunity for the IAPP to foster and disseminate greater learning about crucial questions of risk amongst privacy professionals and broader constituencies and publics with a stake in privacy, including DPAs and chief privacy officers. Without this, we might only be left with yet more of the deadly antinomy of scare stories and complacent whitewash about ICTs and the corporate or governmental life in which they play a large part. This is not a happy prospect for DPAs or anyone else.

Written By

Charles Raab
