In the GDPR, the term “vulnerable” appears once. Recital 75 says that the risk to the rights and freedoms of natural persons may result from personal data processing of vulnerable natural persons in particular children, which could lead to physical, material, or non-material damage.
What does “vulnerable” mean? Who is a vulnerable natural person, how do you identify such a person? Can it be dependent on who the specific data subject is, their environment, or the context? Can there be different levels of vulnerability? How should vulnerable persons be protected under data protection law? I opened Vulnerability and Data Protection Law to try and find out.
Chapter 1 provides an overview of the book and sets three goals: to analyse the notion of the data subject and the relevance of personal situations in applying the law, to understand what data subject vulnerability is in the GDPR, and to promote specific protections for these data subjects. Cross-referencing the Contents sections, you will not find chapters devoted to examining traditionally vulnerable groups such as children, people with disabilities, LGBTQIA+. This is because the author prefers not to consider vulnerability as merely based on traditional labels, and aims to overcome an ex-ante labelled approach to vulnerability, which he thinks might lead to increasing existing stigmatisation. Instead, the author proposes a taxonomy involving layers of vulnerability, considering power distribution, vulnerability manifestation (during data processing or at the outcome of processing), and effects.
Chapters 2, 3, and 4 dig into what a vulnerable data subject is in the GDPR, first by exploring what the notion of the data subject in the GDPR is, and next by looking into what a ‘vulnerable’ person is. Here, the author discusses theories of human vulnerability from different fields, in particular the areas of research regulation and consumer protection. The author concludes that although the GDPR does not contain an explicit definition of vulnerable data subjects, it contains at least two indirect references to vulnerable individuals: the special protection of children (Articles 8 and 12), and the notion of data subject vulnerability to the risk of harm to fundamental rights and freedoms (Recital 75).
Chapters 5 and 6 analyse data protection principles, rights, and duties vis-à-vis vulnerable data subjects. Chapter 7 discusses how GDPR provisions can be used as a tool to mitigate negative impacts that result from data processing of vulnerable data subjects. Since data protection impact assessments (DPIAs) need to be done before controllers start a data processing activity that risks harming the fundamental rights and freedoms of data subjects, I found it very helpful that the author followed the DPIA structure to analyse different layers of vulnerability.
That might seem like a good point to call it a day, but the amazing about this book is that the author does not stop there. Chapter 8 goes on to talk about the limitations of a vulnerability-aware interpretation of the GDPR, for example how the controller might be unaware of possible vulnerable data subjects involved in data processing, and how a too-individualistic approach to vulnerability can underestimate the structural and collective nature of vulnerability sources. The author then explores alternative models. The final chapter summarises the main conclusions of the book.
There are books on the philosophical and theoretical aspects of data protection that make for good bedtime reading, because they put me to sleep within ten minutes. But Vulnerability and Data Protection Law contains such rich and thoughtful analysis that I think it is a book to be avoided close to bedtime. It is easy to read and can be easily understood by both lawyers and students. I love that each chapter starts with a summary of what the chapter aims to cover, and ends with a conclusion. While it would probably not be classified as a traditional practitioner’s handbook, I think it is a useful reference for lawyers whose work involves sensitive personal data and ‘vulnerable’ data subjects.
Darren Grayson Chng is a data and tech lawyer in Singapore.
About the book
- Vulnerability and Data Protection Law by Gianclaudio Malgieri
- Published April 2023
- Hardcover, 304 pages
- ISBN: 9780192870339
- £90.00