Vulnerability

Vulnerable Data Subjects' by Gianclaudio Malgieri and Jedrzej Niklas in (2020) Computer Law and Security Review comments

The discussion about vulnerable individuals and communities spread from research ethics, to consumer law and human rights. According to many theoreticians and practitioners, the framework of vulnerability allows formulating an alternative language to articulate problems of inequality, power imbalances and social injustice. Building on this conceptualisation, we try to understand the role and potentiality of the notion of vulnerable data subjects. The starting point for this reflection is wide-ranging development, deployment and use of data-driven technologies that may pose substantial risks to human rights, the rule of law and social justice. Application of such technologies area can significantly contribute to systematically disadvantage marginalised communities, exploit people in particularly sensitive life situations and lead to discrimination. Considering those problems, we recognise the special role of personal data protection and call for its vulnerability-aware interpretation. However, to better delineate and contextualise the general understanding of human vulnerability we first review the theories of vulnerability and the use of the concept in international human rights law and European law. Consequently, we recognise two dichotomies that are related to human vulnerability that also emerge in the data protection field: the first one relates to the definition and the second one to the manifestation of vulnerability. As regards the definition, we observe the tensions between the universal approach (vulnerability is a general human condition) and the particular one (only specific groups are vulnerable). As regards manifestation, we observe the dichotomy between vulnerability within the data processing itself and vulnerability to the outcome of data processing. To overcome limitations that arose from those two dichotomies we support the idea of layered vulnerability, which seems compatible with the GDPR and the risk-based approach. We also see particular connections between vulnerability and issues of consent, Data Protection Impact Assessment and the role of Data Protection Authorities.