• Privacy and Data Protection Impact Assessments (PIAs/DPIAs) are tools for organisations to manage privacy risks. They emerged in various jurisdictions from the 1980s, initially as a purely voluntary measure. DPIAs are now set to become a mandatory requirement in certain circumstances under the European General Data Protection Regulation (GDPR). This article addresses impact assessments from the perspective of regulatory theory. Their transition from a voluntary tool to a mandatory requirement raises questions about their purpose and role, as well as implications for the direction of data protection in Europe more generally. • Previous analyses have tended to assess such impact assessments in relation to a limited set of regulatory categories, namely self-regulation, command-and-control regulation, or some form of 'co-regulation'. Drawing from regulatory theory, this article suggests a more nuanced account of the mandatory impact assessment regime outlined in the GDPR. • It argues that this regime can be understood as a form of 'meta-regulation'. The final section draws on a framework for assessing the prospects of meta-regulation, in order to assess the prospects for a meta-regulatory approach to impact assessments.

中文翻译：

---

数据保护影响评估：元监管方法

• 隐私和数据保护影响评估 (PIA/DPIA) 是组织管理隐私风险的工具。它们从 1980 年代开始出现在各个司法管辖区，最初是作为一种纯粹的自愿措施。根据欧洲通用数据保护条例 (GDPR)，DPIA 现在将成为某些情况下的强制性要求。本文从监管理论的角度讨论影响评估。它们从自愿工具到强制性要求的转变引发了对其目的和作用的质疑，以及更普遍地对欧洲数据保护方向的影响。• 以前的分析倾向于评估与一组有限的监管类别相关的影响评估，即自我监管、命令和控制监管或某种形式的“共同监管”。本文借鉴监管理论，对 GDPR 中概述的强制性影响评估制度提出了更细致入微的解释。• 它认为该制度可以理解为一种“元监管”形式。最后一部分借鉴了评估元监管前景的框架，以评估影响评估的元监管方法的前景。