The Risks of Privacy Risk Assessments
Privacy risk assessments have been touted as an objective, principled way to encourage organizations to implement privacy-by-design. They are central to a new regulatory model of collaborative governance, as embodied by the GDPR. However, existing guidelines and methods are vague, and there is little empirical evidence on privacy harms, which calls into question the suitability of privacy risk assessments as an effective policy instrument. In this talk I will present a close analysis of US NIST's Privacy Risk Assessment Methodology, highlighting multiple sites of discretion that create countless opportunities for adversarial organizations to engage in performative compliance. I will argue that the premises on which the success of privacy risk assessments depends do not hold, particularly with regard to organizations' incentives and regulators' auditing capabilities. I will highlight the limitations and pitfalls of what is essentially a utilitarian and technocratic approach. Lastly, I will briefly outline and discuss alternatives and proposals for a better realignment of our policy and research objectives.
Ero Balsa is a postdoctoral research fellow at Cornell Tech's Digital Life Initiative. He is interested in how the designs of information systems impact society, mainly in terms of privacy and fairness, and in how to redesign or intervene in these systems to address the problems they create. His work examines the design and analysis of privacy enhancing technologies and, in particular, technologies that enable users to contest asymmetries of power and knowledge, such as obfuscation tools and protective optimization technologies (POTs). His research focuses on the critical analysis of the assumptions that underlie obfuscation technologies, the operationalization of privacy requirements, and the systematization of privacy engineering practice. He is also keenly interested in the interplay between technology, law, and policy. Ero previously completed his PhD at the University of Leuven (Belgium) and obtained an MSc in telecommunication engineering at the University of Vigo (Spain).