Vulnerable data subjects

Abstract
Discussion about vulnerable individuals and communities has spread from research ethics to consumer law and human rights. According to many theoreticians and practitioners, the framework of vulnerability allows formulating an alternative language to articulate problems of inequality, power imbalances and social injustice. Building on this conceptualisation, we try to understand the role and potentiality of the notion of vulnerable data subjects. The starting point for this reflection is the wide-ranging development, deployment and use of data-driven technologies that may pose substantial risks to human rights, the rule of law and social justice. Implementation of such technologies can lead to discrimination, systematic marginalisation of different communities and the exploitation of people in particularly sensitive life situations. Considering those problems, we recognise the special role of personal data protection and call for its vulnerability-aware interpretation. This article makes three contributions. First, we examine how the notion of vulnerability is conceptualised and used in philosophy, human rights and European law. We then confront those findings with the presence and interpretation of vulnerability in data protection law and discourse. Second, we identify two problematic dichotomies that emerge from the theoretical and practical application of this concept in data protection. Those dichotomies reflect the tensions within the definition and manifestation of vulnerability. To overcome limitations that arose from those two dichotomies we support the idea of layered vulnerability, which seems compatible with the GDPR and the risk-based approach. Finally, we outline how the notion of vulnerability can influence the interpretation of particular provisions in the GDPR.
In this process, we focus on issues of consent, Data Protection Impact Assessment, the role of Data Protection Authorities, and the participation of data subjects in the decision making about data processing.


Introduction
For decades, experts in research ethics have assumed that some research participants and communities are more likely to be mistreated, abused, exploited or harmed. 2 Such groups seem to possess a level of vulnerability, which generates certain obligations and responsibilities for researchers and oversight entities. The principle of special treatment of "vulnerable groups" was incorporated into various declarations and guidelines that regulate especially clinical research, like the Belmont Report or the Declaration of Helsinki. 3 Those documents predominantly focus on the issue of consent and informed participation, highlighting problems of autonomy and integrity. Nevertheless, some other interpretations add a more elaborate understanding of vulnerability and raise issues of power imbalance and political and economic disadvantage. 4 In other words, the language of vulnerability in research ethics allows greater sensitivity and responsiveness to equity, discrimination and different socio-historical contexts. However, the notion of vulnerability is also discussed in other fields. From human rights to political philosophy, the concept is seen as a framework that enables the articulation of broad issues that fall into the category of social justice and uncover human exposure to harms, pain and suffering. 5 As will be argued below, human vulnerability is also (to some extent) present in the discussions about data protection, privacy and data-driven technologies. Calo, a prominent voice in this debate, argues that the rationale for privacy protection is precisely addressing the vulnerability of individuals. 6 Put differently, privacy and data protection regimes are manifestations of the idea that all individuals are vulnerable to the power imbalances created by data-driven technologies.
Additionally, different scholars explain how data-driven technologies can lead to discrimination, social marginalisation or affect human autonomy and dignity and exploit particular communities. 7 Such controversial cases in data-driven research concern automated systems that identify sexual orientation, 8 detect children's anxiety and depression 9 or predict and prevent suicide. 10 Finally, the notion of vulnerability appears in the discussion about ethics and regulation of Artificial Intelligence. Here some of the guidelines and ethical policies call for governance frameworks that recognise the situation of vulnerable groups such as women, persons with disabilities, ethnic minorities, children, and consumers. 11 It seems to us that the issue of human vulnerability should be an important topic in the data protection debate, considering the new risks of individual exploitation in the algorithmic environment. Involving vulnerability as a "heuristic tool" could emphasise existing inequalities between different data subjects and specify in a more systematic and consolidated way that the exercise of data rights is conditioned by many factors such as health, age, gender or social status. However, the scholarly discussion about vulnerable data subjects is still largely underdeveloped. Accordingly, in this article, we try to understand and conceptualise how the notion of vulnerable individuals finds its way into the data protection debate. More precisely, we ask when human vulnerability can influence the way we interpret data protection regimes.
We are aware that it is not possible to address this complex topic in one article satisfactorily. Our modest goal here is to initiate a discussion about this topic and its problematic aspects, suggesting some first interpretative paths, while calling for further analysis and research. To do this, we first investigate the meaning of "vulnerable individuals", looking in particular at the theoretical discussion about vulnerability (Section 2). Taking into account this background, in Section 3 we then review how data protection and the GDPR in particular address the position of vulnerable individuals. Building on these findings, we then try to understand how the notion of vulnerability is present in other branches of EU secondary law (Section 4). Acknowledging the limits of existing legislation and discussion, in Section 5, we finally propose a new vulnerability-aware interpretation of data protection law.
11 See for example: High-Level Expert Group on Artificial Intelligence, 'Ethics Guidelines for Trustworthy AI' (European Commission 2019), 11 <https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=58477>.

Theorising human vulnerability
The discussion about vulnerability has always had a multidisciplinary character. It emerged in a variety of fields, like political philosophy, gender studies, law, ethics and sociology. Very often, scholars from those different fields entered into dialogue with each other and adapted understandings of vulnerability developed in other areas (for example from political theory to bioethics). Our goal here is to present some seminal works that represent a variety of voices and at the same time help in grasping the crux of this debate. Throughout the whole article, we extensively refer to the legal literature on the problem of vulnerability. However, legal scholars have not yet fully developed an original approach to the notion of vulnerability. Most of them base their ideas on the work of theoreticians, especially Martha Fineman, who writes extensively about the relations between law, state and individual vulnerability. Presentation of those different theoretical approaches helps in placing the origins of this notion and its implications for institutions, legal systems and communities. Therefore, we found a theoretical introduction necessary for developing a vulnerability-aware interpretation of data protection. Some early definitions and conceptualisations of vulnerability stressed its links to fragility, harms and the experience of being wounded, as its etymology suggests ('vulnus' in Latin means wound). 12 The term served almost as a synonym of dependency, helplessness, pain, violence and weakness. 13 As it was expressed by Goodin, "vulnerability implies more than susceptibility to certain sorts of harm … it also implies that the harm is not predetermined". 14 Accordingly, vulnerability refers to the potentiality of harm, not to actual harms that have occurred. 15 The concept of vulnerability has also been portrayed as a promising and alternative way to address injustices present in modern societies.
For many scholars, vulnerability becomes a language to describe, e.g., social marginalisation, economic insecurity, precarious employment conditions or violence caused by wars. Fineman and Butler express that the concept has a great potential to challenge liberal individualism and redefine some of the existing frames about injustice. 16 While the field has engaged in understanding the nature of vulnerability and explored its associations and consequences for political practice, ethics, research and law, the term is still deemed vague, complex and ambiguous. 17 However, some problematic dichotomies and uncertainties affect the application of the vulnerability concept in the institutional environment.
One of these dichotomies is between the particular and universal character of vulnerability. In more traditional approaches, vulnerability is a distinctive character of particular weaker individuals and groups, based on specific situations or socio-economic contexts. 18 Typical examples of such groups are racial minorities, asylum seekers, and people with disabilities. It is a predominant way of using the notion of vulnerability in more practical circumstances like research, social policy, or policing. 19 This way of understanding vulnerability was, however, accused of bringing stigmatising effects and harmful regulation for minorities. 20 For these reasons, some critical scholars reformulate the understanding of vulnerability as a universal human condition, which can change in different situations, different periods and also in spaces. The concept is portrayed as an ontological category and a general feature of human existence and embodiment. 21 However, some critics argue that the emphasis on the universal character of vulnerability ignores structural violence, injustice and exploitation that are experienced by particular groups. 22 On the other hand, apologists of a universalised notion of vulnerability show this can be a way to run away from failures of existing diversity and equality policies and anti-discrimination laws. 23 Another area of disputes about vulnerability concerns the organisational, legal and political responses to vulnerability. In this sense, vulnerability has a normative feature that involves specific actions, ethical judgments and institutional arrangements. For Goodin, vulnerability implies a justification for welfare state institutions that could help in addressing the lack of essential goods and services (in this sense, it has a clear distributive character). 24 In a similar tone, Fineman calls for responsive institutions and state architecture that recognise human vulnerability. She criticises existing systems of rights and laws that depend on formal equality and embrace an individualistic, self-sufficient and rationalist liberal subject. Fineman offers a different approach for the legal system and suggests a central role for "vulnerable subjects" in order to give institutional responses to context-specific dependences and injustices. 25 Theorising in the field of bioethics, Rogers et al. explain that social practices and institutions can offer mitigation strategies toward vulnerability and encourage resilience. 26 Commentators in the research ethics field also stress that there are two ways of conceptualising and addressing consequences of vulnerability. 27 The first approach focuses on the harms and the ways to eliminate them. 28 The second approach focuses on individuals' ability to overcome their vulnerable position and empower them with various decisional and procedural safeguards. Put differently, in one approach the emphasis is put on damages (physical or psychological), while in the second on consent or participation in the decision-making about the research process.
16 Fineman, "The Vulnerable Subject," 8; Butler, Precarious Life, 22-24.
17 Peroni and Timmer, "Vulnerable Groups," 1058; Fineman, "The Vulnerable Subject," 9.
Those two problems discussed at the theoretical level (tension between universalistic and particular character of vulnerability and questions about vulnerability manifestation and related mitigation strategies) also have far-reaching consequences for the practical use of the vulnerability framework. However, some scholars have tried to reconcile these different views and to overcome dichotomies. One of them is Luna, who tried to respond to different critical issues through a new conception of vulnerability as layers. According to Luna, layers of vulnerability are not fixed attributes of specific individuals or groups but are features constructed by status, time and location. In this sense, the concept of layering provides an opening to a more intersectional approach and stresses its cumulative and transitory potential. 29 As Luna indicates, it is true that vulnerability is a universal condition of human beings, but it is also true that such a condition of weakness may vary from one individual to another, may have different degrees of severity and many different factors.
We could summarise this universal-particular theory as follows: all individuals are vulnerable (there should be no labels on some groups), but some individuals have more layers of vulnerability than others. This is a consequence of different social contexts and relational balances. 30 The intensity of the legal protection of vulnerable individuals should be proportional to the quantity and quality of layers of vulnerability. 31 The identification and assessment of layers of vulnerability should be based on several criteria: an analysis of the origins of vulnerability (that is, an analysis of the stimulus conditions including if some layers are "cascade vulnerability", i.e. layers that have a cascade effect on other sources of vulnerability) and of its effects (that is, probability and intensity of harms). 32 Lastly, Luna's theory on layered vulnerability suggests that each vulnerability layer has its own mitigation measures. The obligations arising from the evaluation of layers (see above) should be: avoiding exacerbating layers, eradicating layers and minimising layers of vulnerability through different strategies (protections, safeguards, empowerment). 33 In sum, the discussion about vulnerability is not singular and can lead to different paradoxes and dichotomies. Among the strengths of this discourse is a search for a more progressive conceptualisation of justice that is deeply rooted in human nature and different socio-historical contexts. Under this perspective, vulnerability may serve as a ground for transformations of ethics, policy and law. At the same time, the relative vagueness and instability of this concept are its main weakness and create some serious challenges in its practical application. In this article, we argue that layered vulnerability can be one of the most suitable approaches to address those issues and the best response to several criticisms.
More precisely, we will rely on the layers theory to understand vulnerability in the data protection field.

Situating vulnerable individuals in the data protection field
Building on these different theories and ways of understanding human vulnerability, we will now look at the notion of vulnerability in the data protection discourse and in particular in the GDPR. So far, vulnerability per se has not been a significant area of discussion among privacy and data protection scholars. However, in our interpretation, the notion plays a vital role in situating the position of the individual in the context of data processing. Nevertheless, at the same time we see that the introduction of vulnerability in the data protection field may duplicate the problematic dichotomies that we summarised in the previous section.
The first dichotomy relates to the definition of vulnerability in the field of privacy and data protection: there is a tension between particularistic and universalistic approaches. According to the universalistic approach, privacy and data protection safeguard all individuals equally in the digital ecosphere, because we are all equally exposed to violations. As explained by Calo, knowledge and information confer power over individuals and make them vulnerable. 34 Therefore privacy and data rights play a protective function and create barriers for discovering, rendering and exploiting those vulnerabilities. However, in reality, the position of different data subjects is very diverse: they have different understandings, different levels of awareness, decisional capacity, propensity to disclose their data, and weakness. However, in the data protection discourse, the notion of data subject has generally been unique and rigid, 35 and there is no clarity about whether such a unique notion refers to an average data subject (like in the consumer field) or not. 36 Scholars articulate how different situations of specific groups and individuals shape their capabilities, enjoyment and expectations about privacy and data protection. A typical example here is the situation of children.
31 Ibidem, 86-95.
Put simply, children have limited capacity to understand the complexity of data-driven architecture, have less experience, less awareness of risks and rights and may be easily manipulated. For those reasons, processing data of minors is shaped by specific rules in data protection regimes and is also subject to numerous studies. 37 Nevertheless, the inequality between data subjects goes beyond the issue of age. In other contexts, scholars show that intrusion of privacy can be marked by social differences: race, ethnicity, class, sexual orientation, migration status or gender. 38 For example, those conditions very often act as a justification for particularly onerous forms of surveillance. Furthermore, Gilman argues that privacy laws do not always protect those in less advantaged positions, mirroring existing inequalities and power dynamics. 39 Similarly, analysing the European context, Blume recognises that numerous factors like age, mental capacity, literacy or gender can affect the enjoyment and execution of individual data rights. 40 In addition, we observe a distinction between vulnerability risks related to the data processing and vulnerability risks related to the outcomes of such data processing. Under the first perspective, vulnerability can emerge, for example, as the limited capability to provide free consent for collection of personal data, to understand information about data processing or to exercise data protection rights adequately. Those limi- Under the second perspective, vulnerability in the data protection framework emerges in the form of harms to which individuals are exposed. As explained by commentators, data-driven systems can serve as tools of potential discrimination, manipulation or may lead to physical and psychological harms. Different examples from law enforcement, welfare, banking or housing show that those technologies can reinforce social inequalities and lead to discrimination in the access to services and goods. 41 This discussion focuses very often on harmful biases embedded in models, training data and definitional problems. 42 Similarly, some controversial examples of data-driven research are accused of reproducing inflammatory stereotypes and creating life-threatening situations for specific marginalised communities. 43 In sum, there are two major dichotomies in human vulnerability theories that we can find relevant also in the data protection discourse. One dichotomy concerns the definition of vulnerable subjects and is between universality (everyone is equally vulnerable) and particularity (some subjects are more vulnerable than others). The other dichotomy regards manifestations of vulnerability: vulnerability may arise within the data processing (decisional vulnerability risks related to data collection, consent provision, and inappropriate exercise of data protection rights) or as a consequence of the outcomes of the processing (some data processing may generate discrimination, manipulation or secondary harms such as physical or psychological harms).
Therefore, situating vulnerability in the data protection framework is a problematic task. If we affirm that all data subjects are universally vulnerable, we may ignore significant differences among them, which may weaken the protection of individuals in an already disadvantaged position. At the same time, more specific protection rules and safeguards can lead to fragmentation of the already complicated legal regime. Also, while focusing on harms, the discussion could easily end up with a never-ending list of damages, which does not provide any additional value. On the other hand, concentrating on procedural safeguards can neglect the importance of actual damages, suffering and pain that some individuals may experience as a result of the use of particular data-driven technologies. Those problems may lead to the conclusion that vulnerability in the data protection framework can be a dead end, but, as we argue below, there is at least one theory that could help develop the notion of data subjects' vulnerability in a constructive way. We refer to Luna's theory of layered vulnerability (see below).
41 Julia Angwin and Jeff Larson, "Bias in Criminal Risk Scores is Mathematically Inevitable, Researchers Say," ProPublica, December 2016, https://www.propublica.org/article/bias-in-criminal-risk-scores-is-mathematically-inevitable-researchers-say; Virginia Eubanks, Automating Inequality,
43 Jacob Metcalf, "'The Study Has Been Approved by the IRB': Gayface AI, Research Hype and the Pervasive Data Ethics Gap," Medium (blog), 2017, https://medium.com/pervade-team/the-study-has-been-approved-by-the-irb-gayface-ai-research-hype-and-the-pervasive-data-ethics-ed76171b882c.

Data subjects' vulnerability in the General Data Protection Regulation
In order to better understand what the notion of individual vulnerability in the GDPR is and why a layered approach to vulnerability might be a constructive step further, we will now analyse the wording of the GDPR and the interpretations offered by the Article 29 Working Party (WP29) and the European Data Protection Board (EDPB). As we affirmed in the previous section, when dealing with the notion of vulnerable subjects there are two dichotomies to address: definition (universalism versus particularism) and manifestations (vulnerability within the data processing versus vulnerability to the outcomes of the processing).
The first dichotomy to consider regards the definition: what is the status of a vulnerable person in the GDPR and how could we eventually solve the dichotomy between universal and particular vulnerability interpreting the wording of the GDPR? Actually, the GDPR does not contain an explicit definition of vulnerable data subjects. There is just one slight reference in recital 75 about relevant risks to consider when performing a Data Protection Impact Assessment: "where personal data of vulnerable natural persons, in particular of children, are processed". "In particular" means that children are vulnerable subjects, but that also other data subjects might be considered vulnerable. The situation of children is specifically addressed in the GDPR through requirements for consent for information society services (Article 8) and specific transparency duties towards children (Article 12(1)). 44 Considering that children are specifically vulnerable data subjects, one may conclude that the GDPR approach to vulnerability is particular and not universal: just some groups (namely, children) are vulnerable. However, the definition of the data subject, as already affirmed, is universal and unique 45 and children are just one group at high risk, but other groups can usually have similar risks (for example: elderly, mentally ill persons).
Importantly, the GDPR offers at recital 38 a justification for this special protection for children: "children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data". In other words, a lack of awareness and understanding about consequences and legal rights (what we can call decisional vulnerability) justifies the particular protection for children. The idea of decisional vulnerability of children is then reaffirmed at recital 65 that emphasises the problem of consent in the context of erasing personal data. Additionally, recital 58 reveals that the reason for protection is mainly based on children's reduced capacity of understanding. However, one may wonder whether some of the rationales for the protection of children in the data protection framework can be considered, by analogy, also for other vulnerable adults. Although the answer is not clear, WP29 has provided some guidance on this matter and it remarked in several opinions that vulnerability could not be limited only to children.
In particular, WP29 argues that the key factor in identifying individual vulnerability is a power imbalance between the data subject and the data controller. Power imbalance means that individuals may be "unable to easily consent to, or oppose, the processing of their data, or exercise their rights". WP29 tries to list some vulnerable data subjects: children, since "they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data"; employees; more vulnerable segments of the population requiring special protection ("mentally ill persons, asylum seekers, or the elderly, patients, etc."), and "in any case where an imbalance in the relationship between the position of the data subject and the controller can be identified". 46 Here the link between power imbalance and vulnerability of the data subjects is clear: when the data controllers are in a position of significant power imbalance (in particular in terms of possible impacts on fundamental rights and freedoms, significant information asymmetry based on predictive analytics, etc.) towards the data subject, the latter should be considered vulnerable.
portance of Privacy by Design and Data Protection Impact Assessments in Strengthening Protection of Children's Personal Data Under the GDPR," Communications Law 23 (2018), https://papers.ssrn.com/abstract=3107660.
45 See Article 29 Working Party, Opinion 4/2007 on the concept of personal data, WP136, 21-22.
46 Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, WP 248 rev.01, 10.
Similar wording can be found in the WP29 Opinion on legitimate interests. 47 When data controllers perform the balancing test that is required if they want to process personal data on the basis of legitimate interests (Article 6(1)(f) of the GDPR), they need to consider the nature and source of the legitimate interest, whether there are additional safeguards and what the impact on the data subject is, considering in particular "the status of the data controller and data subject, including the balance of power between the data subject and the data controller, or whether the data subject is a child or otherwise belongs to a more vulnerable segment of the population." 48 Again, the idea of vulnerability is linked to power imbalance. In particular, vulnerability is considered as a contextual notion: "the question whether the data subject is an employee, a student, a patient, or whether there is otherwise an imbalance in the relationship between the position of the data subject and the controller must certainly be also relevant. It is important to assess the effect of actual processing on particular individuals." 49 Similar views were articulated in the WP29 Guidelines on Purpose Limitation under the Data Protection Directive and WP29 Guidelines on Transparency. 50 WP29 has also expanded the notion of vulnerable groups beyond children, when addressing the meaning of "significant effects" under Article 22 of the GDPR. In that opinion, WP29 clarifies that when assessing the effects of automated decisions on individuals, one factor to be considered is whether the controller used "knowledge of the vulnerabilities of the data subjects targeted". 51 The notion of vulnerability is very much related to adverse impacts: "processing that might have little impact on individuals generally may in fact have a significant effect for certain groups of society, such as minority groups or vulnerable adults". 52 As regards the other dichotomy, i.e. the manifestation of vulnerability within the data processing or as an outcome of the data processing, it seems that WP29 addresses both aspects. The analysis of children's vulnerability focuses predominantly on the processing side (i.e. decisional vulnerability related to the collection of data, to the provision of consent and to the exercise of data subject rights). 53 However, in the Guidelines on Data Protection Impact Assessment, the vulnerability of data subjects is considered one of the nine indexes for iden- 54 Recital 75 suggests the reason why vulnerable data subjects (in general, not only children) require special attention when determining whether a data processing is of high risk for rights and freedoms of natural persons. Those risks "may result from personal data processing which could lead to physical, material or non-material damage, in particular (…) where personal data of vulnerable natural persons, in particular of children, are processed". 55 In other words, some subjects should be protected not only because of their limited capacity to understand and give consent, but also from higher risks of material or non-material damages. The examples might be several: some subjects are more at risk of discrimination during an automated data processing (in particular in case of, e.g., automated profiling); other subjects might be more easily impaired in their freedom of thought when their data are processed for direct marketing; other subjects might have bigger physical or psychological damages in case of a data breach, etc. Children are a category that is both decisionally vulnerable and exposed to higher risks of harms. However, we can easily imagine categories of data subjects who have no reduced decisional capacity but can suffer from higher risks of damages from a data processing.
In sum, we preliminarily analysed the definition of vulnerable subjects and the manifestations of vulnerability in the GDPR. In both these areas, we observe dichotomies: as regards the definition of vulnerable individuals, there is a tension between a universal notion of vulnerability (since there is no reference to vulnerable groups and just an open reference to vulnerability in recital 75) and a particular one (just children are mentioned as an example and there are specific safeguards only for children). However, it seems that the GDPR is open to both approaches: particularism and universalism. As we will argue in the final sections, the solution to this apparent contradiction is in the notion of "risk", which is very close to Luna's notion of "layers" of vulnerability. The risk-based approach in the GDPR suggests a layered analysis of vulnerability, i.e. everyone is potentially vulnerable, but at different levels and in different contexts.
As regards the manifestation problem, vulnerability risks within the data processing itself (i.e. decisional vulnerability related to data collection and the lack of capability to exercise data rights) are the declared rationale for protecting the only explicit vulnerable category (i.e. children). However, recital 75 and WP29 place more emphasis on vulnerability risks arising as an outcome of the data processing.
In order to better solve these apparent contradictions, the following section will investigate the understanding and scope of individual vulnerability in international human rights law and EU law. To do that, we will look both at the European Convention on Human Rights (and the relevant case law of the ECtHR) regarding vulnerable individuals and at EU law to understand if we can profit from more developed notions of vulnerability. In particular, we will observe whether the approach is to propose a specific list of vulnerable groups or to assume an open clause for a universal notion of vulnerability. Also, we will see whether vulnerability manifestations are focussed more on decisional vulnerability or on risks of subsequent harms.
54 Ibid.
55 See Recital 75, GDPR.

4. The broader perspective: vulnerability in the EU law

Vulnerability and human rights: the rise of the concept of vulnerable persons in the ECtHR jurisprudence
The notion of vulnerability plays a significant role in the human rights discussion. Although the concept of vulnerability is present neither in the European Convention on Human Rights nor in the EU Charter of Fundamental Rights, scholars and human rights institutions and organisations refer to it as an imperative that entails special protection of socially marginalised groups like women, people with disabilities, children, or ethnic minorities. 56 The ECtHR recognises vulnerable situations of particular groups, but it never employed the notion of vulnerability in the field of private life, privacy or data protection (Article 8 ECHR).
The Court first addressed the idea of vulnerable persons in 1981, referring to children. In Dudgeon v. UK 57 the Court referred to "the moral interests and welfare of certain individuals or classes of individuals who are in need of special protection for reasons such as lack of maturity, mental disability or state of dependence". 58 In this judgment, the Court adopted the idea of inherent vulnerability based on (age as an index of) weakness, inexperience and dependence. 59 In particular, the category of children vulnerability qualifies as intrinsically gradual and temporal. However, the Court tends to assume a hybrid definition of vulnerability, both universal and particular, as the wording "specially vulnerable" reveals: all individuals are potentially vulnerable, but some are especially vulnerable. 60 In later judgments, the ECtHR extended the notion of vulnerability to politically and socially disadvantaged groups. For example, in Chapman v. The United Kingdom the Court stated that "the vulnerable position of Gypsies as a minority means that some special consideration should be given to their needs and their different lifestyle both in the relevant regulatory planning framework and in reaching decisions in particular cases". 61 The category of vulnerable groups was also expanded to asylum seekers, people living with HIV and individuals facing social disadvantage and material deprivation. 62 The partly dissenting opinion of Judge Sajó has critically developed the definition of vulnerable persons under the ECtHR jurisprudence. He originally observes that the concept of vulnerability is not a monolith: there are different grades of vulnerability based on different situations. 63 Those different cases show also that the Court perceives vulnerability as relational, harm-based and depending on the situation of particular communities, ethnic groups or life situations. 64
The reference to vulnerability in the ECtHR jurisprudence also has three significant legal consequences. 65 Firstly, vulnerability requires establishing positive obligations toward disadvantaged groups and providing tailored measures that recognise their particular needs and situations. For example, in the Chapman case the Court called on British authorities to acknowledge the situation of Roma in the policymaking process. 66 In other cases, the Court obliged governments to provide special financial assistance to asylum seekers or shelter to people who were evicted by force. 67 Secondly, vulnerability of particular groups can also influence the weight of harm in the proportionality test, amplifying the consequences and scope of harms. As stressed in the Yordanova case: "the applicants' specificity as a social group and their needs must be one of the relevant factors in the proportionality assessment that the national authorities are under a duty to undertake". 68 The third consequence is related to the margin of appreciation. As it was explicitly mentioned in the Kiyutin v. Russia case, in the situation of vulnerable groups: "State's margin of appreciation is substantially narrower, and it must have very weighty reasons for the restrictions in question". 69 Vulnerability is a central and vital aspect of human rights legal practice. It helps understand the particularity of certain disadvantaged groups and understand that economic, historical and social conditions play an important role in the enjoyment of rights. Therefore, the recognition of vulnerability makes it possible to acknowledge problems of discrimination, procedural safeguards, distributional policies or political participation. Such an approach links vulnerability in the human rights discourse to the broader problems of social justice. This contrasts with the conceptualisation of vulnerability in other fields (i.e. research ethics) that focus predominantly on consent and other decisional aspects.

The rise of vulnerable individuals in the EU secondary law: an overview
While vulnerability emerges somehow "naturally" in the human rights field, other fields of law refer to it as well. Although neither the Charter of Fundamental Rights nor the Treaty of the European Union and the Treaty on the Functioning of the EU contains a single reference to vulnerable persons, special considerations of vulnerable individuals can be found in several pieces of EU legislation.
One of the first legal mentions of personal vulnerability was in the 1983 Council Decision on the European Social Fund. 70 The preamble refers to "categories of persons who are particularly vulnerable on the labour market (in particular women, the handicapped and migrants)". The following year, two other Council acts referred to vulnerable persons, always in the field of the market (in particular disabled workers). 71 In 1990 the concept of vulnerability was then used in the even more context-dependent case of road users. It is the case of the Council Directive on Civil Liability insurances, 72 whose preamble referred to motor vehicle passengers as a "vulnerable category of potential victims". However, for many years vulnerable groups were mentioned only in the preambles of legal texts. For the first time, in 1994, the notion of vulnerability was included in one article of a European Directive: it is the case of young workers. 73 Over the years, the notion of vulnerability slowly appeared in different socio-legal contexts to describe a variety of groups, as illustrated in Table 1. Examples of legal instruments that refer to vulnerability of particular groups range from employment, biomedical research, migration policy, to social assistance. Importantly, those instruments do not always describe those vulnerable groups in detail. Sometimes they even refer to the universal and inherent concept of vulnerability as in the first medical device directive ("the vulnerability of human body"). 74 Two fields of EU law, namely consumer protection law and the regulation on clinical trials, require some more attention, as they generated meaningful theoretical and practical discussions about the notion of vulnerability that could also be imported in the data protection discourse.

Vulnerable consumers in the EU law
The first explicit application of the notion of vulnerability in the consumer field can be found in the Directive 97/55/EC on misleading advertising. 75 Recital 22 allowed Member States to limit comparative advertising, in particular for advertising which targeted vulnerable consumer groups. 76 in Table 1, consumer law took into account consumer vulnerability also in specific sectors, like energy or e-payments. In more general terms, the Directive 2005/29/EC, the so-called Unfair Commercial Practice Directive (UCPD), refers in Article 5(3) to vulnerable groups of consumers as "people particularly vulnerable to the practice or the underlying product because of their mental or physical infirmity, age or credulity". The recognition of those vulnerable consumers is based on the idea that they should be ensured a higher level of protection than 'the average consumer' referred to in Article 5(2). 87 However, the understanding of vulnerability in the UCPD is a matter of vivid discussion. For example, a report of the European Commission in 2016 confirmed the gradual nature of vulnerability, 88 in particular highlighting that the notion of vulnerable consumers should be assessed on several elements, "as a result of socio-demographic characteristics, behavioural characteristics, personal situation or market environment". 89 Additionally, the Study has also argued that consumer vulnerability is "multi-dimensional" 90 and so is "the impact of personal characteristics on the likelihood of being vulnerable as a consumer". For example, "characteristics like age and gender can increase vulnerability in some dimensions, but not in others". 91 The discussion about vulnerability in the UCPD also stresses the limitations of the division between "average" and "vulnerable" consumers and focuses on temporal, gradual and contextual-relational aspects. 92 Interestingly, the European Commission has also recently relied on the gradual approach to vulnerability in the Guidelines for the General Product Safety Directive. 93

Vulnerable research subjects in the EU law
The CTR addresses the question of vulnerable research subjects under different perspectives. Article 10, whose title is "specific considerations for vulnerable populations", requires that for specific groups (minors, incapacitated subjects, pregnant or breastfeeding women, or 'other specific groups or subgroups') specific consideration shall be given to the assessment of the application for authorization 95 of a clinical trial. This provision does not clarify whether this "specific consideration" should be dedicated to the decisional vulnerability of such research subjects (i.e. their higher difficulty in giving consent to their involvement in the research) 96 or to the higher risks of harms that these subjects might encounter during a medical research project. 97 Articles 31-33 address more specifically decisional vulnerability. These articles dictate particular rules for obtaining free consent from and giving adequate information to minors (Article 31), incapacitated subjects (Article 32), pregnant or breastfeeding women (Article 33). Member States can even guarantee further protection for other subjects in a situation of institutional or hierarchical dependency likely to influence their freedom of consent (Article 34). 98 In terms of decisional vulnerability, recital 31 mentions incidentally another category of vulnerable subjects that should require specific attention when collecting informed consent: individuals belonging to "an economically or socially disadvantaged group or in a situation of institutional or hierarchical dependency that could inappropriately influence her or his decision to participate".
A further reference to vulnerable people is at recital 15. Here the notion of vulnerability does not refer to decisional vulnerability, but to the weaker health conditions of specific categories of persons that the research should take into account. The reference to vulnerable groups at recital 15 aims to encourage specific medical research for vulnerable people, in order to avoid underrepresentation of vulnerable groups. In other words, this recital does not provide any particular safeguard or limitations for protecting vulnerable research subjects: on the contrary, it encourages the involvement of more vulnerable individuals in research projects. 99

Beyond dichotomies: layers of vulnerability in the GDPR and the risk-based approach
After this overview, we can argue that in the EU, there is no single definition of vulnerable individuals. Although in several sectors we observed specific lists of vulnerable subjects, the general picture reveals a highly contextual and relational understanding of vulnerability based on power imbalance (as also the GDPR suggests). As regards the manifestation of vulnerability, although in the research field decisional vulnerability plays an important role, other legal fields present strong links between vulnerability and harms. Being vulnerable - across different legal sectors - generally means being more exposed to harms (if compared to other individuals) in some particular contexts. 100 Connecting this analysis to the overview of vulnerability theories (Section 3), it seems to us that the EU legal approach to individual vulnerability can well fit with the layered-vulnerability idea proposed by Luna. 101 Her theory - based on layers of vulnerability (i.e. universal vulnerability tempered by an evaluation of different degrees of weakness) - can perhaps well describe the relational and contextual notion of vulnerability that we find in the EU law and in particular in the data protection field.
As we mentioned before, the notion of vulnerability is present and central to the data protection law and practice, although it is not adequately recognised yet. This results in limited capability of the data protection debate to acknowledge inequalities and contextually framed situations of different data subjects. We believe that employing vulnerability as one of the interpretative frameworks could address those limits and unleash the GDPR potential in responding to particularly harmful practices that affect those in a disadvantaged position. However, to do that, we need to overcome problematic dichotomies present in vulnerability theory. As we mentioned above, Luna's layered theory might offer some preliminary solutions. The theory of layered vulnerability 102 has had success in the academic debate 103 because it may solve both the limits of vulnerability as a label (source of stigmatisation) and the limits of universal vulnerability (if everyone is vulnerable, the notion will lose its usefulness in protecting weaker individuals). Layered understanding of vulnerability can also bring some certainty to the mitigation strategies and address some confusion between harm-based and procedural approaches. Luna in her recent article on layers of vulnerability tried to operationalise the concept and propose a method to identify and assess different layers of vulnerability. In particular, she recommends assessing risks of vulnerability considering two factors: the harmfulness of effects and the likelihood of risks. 104
99 Gennet, Andorno, and Elger, "Does the New EU Regulation on Clinical Trials Adequately Protect Vulnerable Research Participants?," 929.

The layered approach to vulnerability and the risk-based approach in the GDPR
As noted by Gennet et al., Luna's theory adopts a risk-based definition of vulnerable persons. Interestingly, in the GDPR the notion of risks to fundamental rights and freedoms is pivotal. In particular, according to the risk-based approach in the GDPR (Article 24), the data controller is obliged to implement appropriate technical and organisational measures to ensure the compliance with the data protection principles: "taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons". 105 When assessing such risks of varying likelihood and severity for rights and freedoms, the controller should of course consider situations in which a certain data processing could damage more some particular (vulnerable) individuals.
Indeed, vulnerable persons are often defined as persons at higher risks (in terms of likelihood and severity) of damages to their rights and freedoms. 106 The notion of severity and likelihood seems perfectly in line with the two criteria for evaluating vulnerability layers in Luna's theory (harmfulness of effects and likelihood). Therefore, the risk-based approach can play a significant role in recognising and conceptualising the variety of risks (and layers) that can amplify, expose and exploit different vulnerabilities. Furthermore, it helps extend the scope of the GDPR to problems that are not traditionally related to the data protection discourse, like discrimination or inequality. This aspect of the risk-based approach plays a significant role in mitigating potentially harmful outcomes of data-driven technologies.
Also, according to the principle of data protection by design (Article 25), the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, which are designed to implement data-protection principles. Even in this case the controller should take into account "the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons", but also "the state of the art [and] the cost of implementation".
The difference between Article 24 and Article 25 is that in the first case the data controller should merely prove his or her compliance with the data protection principles. In the latter he or she should also "implement" data-protection principles (according to what is proportional to the state of the art and the costs of implementation). 107 In both cases, the attention to vulnerable data subjects and the implementation of specific safeguards to protect their rights and freedoms (i.e. to mitigate factors of vulnerability) seems necessary.
One further protection for vulnerable data subjects is the Data Protection Impact Assessment (DPIA). As already explained above, Article 35 (as interpreted by recital 75 and by WP29) requires performing a DPIA in case of high-risk data processing, including the case where the data subjects can be considered vulnerable. The DPIA is based on several steps (Article 35 (7)): the systematic description of the processing, the assessment of necessity and proportionality, the assessment of risks and the description of measures envisaged to mitigate such risks. In other words, even according to the accountability principle, it is the controller who should autonomously determine measures for protecting vulnerable individuals.
It is clear that each measure should be linked to a risk. We have often referred to vulnerable subjects under different risk factors: in particular, decisional vulnerability and risks of more significant harms. Data controllers may suggest mitigation measures for particular vulnerable groups: e.g., in case of decisional vulnerability, the data controller could implement specific forms of consent or information disclosure measures; in case of individuals that might be easily discriminated, the data controller could implement periodical audits against discrimination, etc.
In addition, the DPIA can also overcome tensions between the notion of vulnerability as a risk within the processing and the notion of vulnerability as an outcome of the data processing. The holistic approach of Article 35 requires analysing risks broadly, as well as systematically describing the data processing and assessing its necessity and proportionality.
We observe that such rules might appear as blank provisions, conditional to the will and activity of the data controller. 108 However, some tools could reduce arbitrariness of data controllers: e.g., codes of conduct could better specify what to do in case of vulnerable data subjects, in specific sectors; 109 certification mechanisms could also help. 110 Also, the Data Protection Authorities (DPAs) (e.g. through their powers, according to - inter alia - Article 36 about prior notifications) could release clear guidelines on how to deal with some vulnerable individuals. 111

Legal bases for processing data of vulnerable subjects
The layered-based notion of vulnerability and the risk-based approach can be a key also for addressing the issue of deci- According to Article 24, the data controller needs to analyse the level of risk (for fundamental rights and freedoms of data subjects) and so the level of vulnerability of the data subject before proceeding with the data processing. Accordingly, when choosing the legal basis for data processing (consent, legitimate interests), it is necessary to carry out an evaluation of the vulnerability layers of the data subjects and adapt the safeguards.
As mentioned above, the only vulnerable category that has group-specific protection under the GDPR is the category of children. Their specific protection is mostly based on two elements: consent and information duties of data controllers. When data processing is based on consent and relates to the offer of information society services, under a certain age (16 years, that Member States can reduce to 13) consent should be given or authorised by the holder of parental responsibility for the child (Article 8). At the same time, transparency duties and any communication within the exercise of data protection rights, should be "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child" 112 (Article 12(1)).
One might wonder whether, by analogy, these safeguards could also be used for other (adult) vulnerable data subjects. Interestingly, the WP29 guidelines on consent, when referring to the child's consent in Article 8, affirm: "[c]ompared to the current directive, the GDPR creates an additional layer of protection where personal data of vulnerable natural persons, especially children, are processed". 113 This sentence seems to suggest that special rules for consent were conceived for all vulnerable natural persons: "especially children" does not mean "only children". However, parental consent for information society services is a special rule that cannot be easily applied in different contexts. The only similarity with some "vulnerable adults" is that legally incapacitated persons might need consent (or authorisation to consent) from their legal representatives, according to the national laws. 114 In more general terms, we could assume that data controllers should adopt special safeguards when collecting consent from vulnerable adults. This is in line with the characteristics of consent under Articles 4(11) and 7: freely given, specific, informed and unambiguous. Consent is free only if the data subject is capable of choosing whether to give consent and controlling how to give and withdraw it. 115 In particular, WP29 adds: "any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising [her] free will, shall render the consent invalid". 116 In other words, when the data subject is in a situation of decisional vulnerability, consent should not be valid.
Recital 43 relates the idea of freedom of consent to the notion of power imbalance: "in order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority". We already observed how individual vulnerability is defined, especially in the data protection field, as power imbalance between controllers and subjects. 117 WP29 explains that imbalances of power are not limited to public authorities but also include the relationship between employees and employers and even other situations: "[c]onsent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will". 118 In other words, consent should not be a legal basis when the data subject can be in a situation of decisional vulnerability. The EDPB Opinion on Clinical Trials Regulation also highlights that consent should not be a legal basis for data processing in case of vulnerable data subjects. In particular when the potential subject is not "in good health conditions" or "belongs to an economically or socially disadvantaged group, or is in a situation of institutional or hierarchical dependency that could inappropriately influence her or his decision to participate". 119 However, we remark that consent should be avoided not in all cases of vulnerable data subjects, but only when the data subjects are affected by decisional vulnerability. 120 In other cases, consent is not only possible but even recommended: this is why WP29 Guidelines on Purpose Limitation affirm that further processing of data (the so-called repurposing of data processing) for vulnerable data subjects should be possible just upon consent. 121 In that context, the notion of vulnerable individuals seems associated with the risk of, e.g., discrimination, rather than with situations of decisional vulnerability. 122
However, in a few cases, the decisional vulnerability can be mitigated with the adoption of better safeguards, in particular transparency safeguards. As we observed, Article 12 seems to require a very high standard of legibility for information policies and for other communications within the exercise of data protection rights. 123 If such communication is addressed to persons with reduced understanding (including - but not limited to - children), data controllers might be required to give information in a way that might be easily understandable by every recipient.
tive consequences if they do not consent, then consent will not be valid".
116 Article 29 Working Party, Guidelines on Consent, 6.
117 Article 29 Working Party, Guidelines on DPIA, 10: "Vulnerable data subjects may include […] any case where an imbalance in the relationship between the position of the data subject and the controller can be identified".
118 Article 29 Working Party, Guidelines on Consent, 7.
119 European Data Protection Board, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art.70.1.b), 6.
120 About the distinction between decisional vulnerability and other forms of vulnerability see Section 5(a).
121 Article 29 Working Party, Opinion 03/2013 on purpose limitation, 32.
122 Ibidem, 32: "further processing of personal data concerning health, data about children, other vulnerable individuals, or other
Also, WP29 Guidelines on Transparency refer to other vulnerable positions: "if a data controller is aware that their goods/services are availed of by (or targeted at) other vulnerable members of society, including people with disabilities or people who may have difficulties accessing information, the vulnerabilities of such data subjects should be taken into account by the data controller in its assessment of how to ensure that it complies with its transparency obligations in relation to such data subjects". 124

Participation of vulnerable data subjects in the decision-making about data processing
The layered approach to data subjects' vulnerability also requires mitigation strategies that are adequate to the particular context and situations. We explore some of the possible directions toward interpreting existing mechanisms within the GDPR that could adequately react to vulnerability of certain groups. Those ideas include, for example, procedural safeguards related to participation or institutional responses.
Some authors have suggested involving individuals in the decision-making about research. 125 The participatory principle is also part of a long discussion within the human-computer interaction field in the context of designing technologies. 126 If the participatory process is meaningful it can highlight and respond to experiences and situations of vulnerable communities. 127 In the context of Big Data research, Jackson et al. argue that the engagement of vulnerable groups in research as participants but also contributors to study design, implementation, and the analysis can help address the problem of discriminatory biases. 128 However, participation in research and decision-making about data-driven technologies should also fulfil certain conditions. One example of such a participatory-driven design process is the "Design Justice" project. 129 It recommends engaging with the questions about power, distribution of risks and benefits, reproduction of domination and oppression as well as creating a space for the more equitable and fair design process. The data protection field can use those insights to understand the role of participatory process in decision-making about data-driven technologies and their impact on fundamental rights.
Interestingly, the DPIA under the GDPR already provides some forms of participation of the data subjects. In particular, Article 35(9) states as follows: "where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations". Although the involvement of data subjects is required only when "appropriate", 130 the DPIA Guidelines envision that this input could be, for example, in the form of surveys crafted by data controllers and sent to future customers. Also, those Guidelines explain that if data controllers do not seek these external views, they must justify such decision. 131 In addition, if data controllers do seek these views and then disregard them, they must document why they have chosen to disregard external inputs. 132

Data protection as backstop for high-risk data processing
In some cases, the vulnerable condition of the data subjects is so relevant that the data controllers could find no adequate safeguards to mitigate them: in these situations, the only way is not to start (or not to continue) the data processing. 133 Sev-should choose another legal basis under article 6. 139 If it is not possible to process data on the basis of contract, legal obligation, public interest and vital interests, the data controller might consider processing data on the basis of legitimate interest (Article 6(1) point f). However, even in that case, she is asked to assess the balance between her interests and those of the data subject. In such assessment, WP29 suggests considering, inter alia, "the status of the data controller and data subject, including the balance of power between the data subject and the data controller, or whether the data subject is a child or otherwise belongs to a more vulnerable segment of the population. (…) It is important to assess the effect of actual processing on particular individuals". 140 In other words, it might be the case that considering the particular effects of a data processing, the right to privacy and data protection of vulnerable data subjects prevails over the legitimate interest of the data controller: in this case the data processing should not start at all.
In addition, Article 36 (as interpreted through recital 94) describes when the data controller needs to consult the DPA before the processing activities. Such prior consultation is necessary if the DPIA reveals that the processing would result (in the absence of safeguards, security measures and mechanisms to mitigate the risk) in high risks to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation.
Interestingly, recital 94 explains that these cases of high risks are "likely to result from certain types of processing and the extent and frequency of processing, which may also result in a realization of damage or interference with the rights and freedoms of the natural person". In other words, there might be cases of higher risks of damages (i.e. cases of vulnerable individuals as explained above) that cannot be mitigated through particular measures.
Once consulted, the DPA could give specific indications about safeguards to adopt in the particular situations, but may also "use any of its powers referred to in Article 58" (Article 36(2)), including the power to impose a temporary or definitive limitation including a ban on processing (Article 58(2), point f). In other words, if the risk assessment (the "vulnerability layers" assessment) reveals high risks that could not be mitigated through reasonable efforts, a system of cooperative governance between controllers and DPAs could take place. However, the DPAs could even prohibit certain data processing where specific forms of vulnerability of certain data subjects cannot be rebalanced.

Data protection agencies as a responsive authority
The notion of vulnerability can also play a role in the operations of DPAs. 141 Theoreticians in the vulnerability field call for institutional responses to certain dependencies, inequalities or capabilities of specific groups. 142 Such a way of looking at DPAs is mentioned just once in the GDPR.
Under Article 57, DPAs should conduct specific activities, including raising public awareness about data protection (point b). When carrying out this task, DPAs should pay special attention to addressing the situation of children. This approach is consistent with other provisions that construct a special position of children in the GDPR. Indeed, some national DPAs have already taken action to promote knowledge about data protection in schools or have tried to come up with particular guidelines addressing the situation of children. 143 However, the question remains if and how vulnerability can act as a paradigm in conducting other activities, especially those that have a substantial aspect like handling complaints, carrying out inspections or imposing fines. Another aspect to consider is the risk of limitations on access to authorities and of obstacles in receiving redress when data rights are violated. As the Fundamental Rights Agency emphasised, individuals belonging to vulnerable groups may face structural problems, like lack of financial resources, inadequate level of legal literacy and empowerment in exercising access to justice in general. 144 Similar problems can be experienced in the data protection field. 145 That is why there might be a particular responsibility of DPAs (and broader national legal systems) to ensure that they take necessary steps to grant people belonging to such vulnerable groups access to redress mechanisms.
As already mentioned, DPAs may also use their powers under the mechanism of a priori consultation, when processing of personal data would result in a high risk to the fundamental rights and freedoms (Articles 36 and 58(3), point a). In such a situation, DPAs may issue recommendations and guidelines if the processing is related to vulnerable individuals. DPAs' power related to guidance, consultation, and opinions can be enforced vis-à-vis national legislations