11 DPIA-triggers explained by Hollywood blockbuster movies

Aug 1, 2019 4:31:46 PM / by PrivacyPerfect

We have now introduced a new DPIA module within our software. Besides all the serious stuff in and around it, we wanted to do something more in line with the time of year: summer, vacation, relaxation and fun. So we matched movie fragments with each of the eleven DPIA triggers that were issued by the European Data Protection Board. Seen all these movies? Relive the excitement. Never seen any of them? Check out the fragments and see if they’re worth a search on Netflix.


1. Automated decision making with legal or similar significant effect

Enemy of the State

Will Smith is a lawyer who unwillingly becomes the victim of a government conspiracy to push mass surveillance through parliament. His credit cards are blocked, and all electronic services that make life bearable are taken away from him. The automated decisions are almost literally drowning him. Apart from some comic relief this is a true American paranoia thriller. Clearly, a DPIA would have made a huge difference here - but then again, a true American blockbuster ends well anyway.


2. Data processed on a large scale

The Social Network

We do not know how accurate this depiction of the history of Facebook is, but if it is, the massive collection and manipulation of personal data starts with an outright sexist online response of the protagonist to his girlfriend dumping him, invoking the ‘creativity’ that is ultimately translated into the billion-dollar network. The script writer knows how to forecast Zuckerberg’s disdain for people’s privacy. Little explanation is needed that ‘data processing on a large scale’ applies to the biggest social network in the world.


3. Special categories of data or personal data relating to criminal convictions or offences

Minority Report

Ah, as long as Tom Cruise can run for his life and look agonised, the role fits him like a glove. In this flick, he’s a cop in the pre-crime unit, where villains are caught before the act - until he himself becomes the subject of an investigation and has to get a new identity to find out what would drive him to kill someone. All of this makes a convincing case that processing of criminal conviction data should indeed be subject to a data protection impact assessment. There would have never been a pre-crime department with such a useful instrument...


4. Systematic monitoring (including of publicly accessible area)

12 Monkeys

Bruce Willis can look agonised too, and here he’s in a time travel paradox shaped by retro tubes in extravagant design that only Terry Gilliam can create. He’s on a quest to find the creators of a deadly virus that would wipe out almost the entire world population. Here comes the twist though: not only his surroundings, but he himself starts doubting his sanity. There’s a lot of systematic monitoring in this movie, especially in the dystopic future of 2035. Too real, too soon?


5. A processing category on the list of the national supervisory authority


A hard one. But then again, we always have James Bond, and the sole supervisory authority that oversees a country exiting the EU. So, this has to be the use of innovative technology, which is on the ICO’s list, and fits perfectly with Q’s department. Smart blood would qualify, featured in the grimmest of all Bond movies. It makes James Bond traceable anywhere on earth. We’d say a proportionality test would prove that there are simpler, less intrusive technologies to attain the same, but we are not script writers.



6. Matching or combining data sets

Citizen X

Not a blockbuster, but the cast with Donald Sutherland and Max von Sydow makes it definitely worth watching the painstaking search of a detective trying to find a Soviet serial killer. The fact that the killer walks away the first time is based on a very rare mismatch between samples. The detective goes through a painstaking process to find the killer through the bureaucracy of the Soviet Union in the eighties. Definitely a case where matching data sets properly could have greatly helped.



7. Processing prevents data subjects from exercising a right or using a service or contract

The Matrix

Assume that the world as you know it is just a reality ‘projected’ into your mind. Your body is a biological battery enslaved by machines. This would deprive you of free will, and no data subject access request filed to the Machines that keep you in prison will ever be answered. Keanu Reeves beats his deprivation by the Matrix by taking the red pill. But the rabbit hole is deep, and full of hardship. In the end, he luckily gets the answers he’s looking for - the Machine world complied with his data subject rights after all! You’ll have to watch all three parts to get there, though.


8. Data concerning vulnerable subjects


Let’s not forget that data processing is not only done by computers. People can process data as well, and they can do so for vulnerable subjects too. E.T. and the children looking after him definitely count as vulnerable in this Spielberg classic. The authorities, parents and other unidentified adults are the threat to the most likeable extraterrestrial being that movie history has ever seen. Some regard E.T. as Spielberg’s depiction of Jesus Christ. We keep it to deeply felt humanism, a rarity in sci-fi.



9. Innovative use or applying new technological or organisational solution


Christopher Nolan knows how to depict an original concept. In this film, the main character, played by Leonardo DiCaprio, is a convicted man on the run, earning his money by breaking into people’s dreams. His grand accomplishment is ‘inception’, planting a seed for an idea that then becomes a life changer for the affected subject. This accomplishment is both his ticket to freedom and seeing his children again, and the reason behind his conviction. Surely inception would qualify as a technique that has to be assessed for its data protection consequences…



10. Evaluation/scoring (including profiling and predicting)

The Circle

This dystopian film shows a world where a single search and social media company takes control of everyone’s lives. Under the motto ‘sharing is caring’, main character Emma Watson happily lets the network stream her life day and night. But after an old-fashioned communist ‘self criticism’ vlog, still feeding her immense popularity, she starts realising that the owners themselves do have stuff to hide. Finally, she comes to realise that this may not be such a good idea after all. If you want to have a laugh, watch this film (and no, it’s not a comedy).



11. Sensitive data or data of a highly personal nature

The Net

It’s always nice to see how science fiction magnifies the design and fashion of the year it stems from. This is valid for The Net too, in that the internet doesn’t look quite like the internet we know now, or even as it was in 1995, the year this movie was released. The main character is Sandra Bullock. Of course, there is a romance, a conspiracy and a happy ending. And a warning about what you can do once you get your hands on a person’s personal data, including turning her into a criminal. In the computer, that is.


Topics: Data Privacy, Data Protection, DPO, Data Protection Officer, GDPR Compliance Program, gdpr, DPIA

