GDPR: A global mentality shift towards personal data
by Efi Thoma, Lawyer LL.M.
Data is incontestably the new gold! In the new digital era,
personal data of individuals is being collected, processed, and transferred
around the globe by companies and organizations involved in this process,
without the individuals’ prior knowledge and explicit consent. The companies
and organizations that collect and use such data have a competitive advantage
and strengthen their market position by analyzing this data. Data may even be
sold to third parties worldwide, with neither the prior knowledge of the
individuals concerned nor their “unambiguous” consent. The new General Data
Protection Regulation (GDPR) constitutes a huge breakthrough in privacy laws,
leading to a drastic transformation of the privacy landscape on a global scale.
It is not just the GDPR’s large fines in cases of breaches or serious
non-compliance that make the difference; it is the new culture of awareness
that is being established regarding personal, and in particular sensitive, data, as
well as the notion of the protection of privacy and integrity of individuals, so
that they start feeling less comfortable with readily providing personal
information on the mere assumption that this is acceptable.
Pursuant to GDPR, once individuals consent to have their
personal data processed by an organization, they automatically become “data
subjects”. Their privacy has been essentially strengthened by the right to be
informed, to access their data, to rectification, to erasure, to restrict
processing, to data portability, to object and to restrict automated decisions
and profiling, and the right to know when their data has been hacked. Thus,
European residents enjoy the guaranteed rights to determine whether, when, how
and to whom their personal information is revealed and how it can be used.
Notwithstanding the comprehensive data protection framework provided by GDPR,
enterprises’ successful compliance with the latter, and the key role of Data
Protection Authorities (DPAs) in interpreting and enforcing GDPR’s provisions,
as well as their effective collaboration, the key factor that shall determine
the accomplishment of GDPR’s aim lies within individuals’ informed approach
towards their personal data. It is imperative that European residents engage
proactively and collaborate with DPAs towards GDPR’s de facto application. For
example, it is important for them to know that they may file a complaint with the Data
Protection Authority and seek a judicial remedy in case their above rights
are being compromised or denied.
GDPR’s primary objective is to ensure the growth of the
digital economy while keeping personal data of EU citizens secure and
protected. It particularly aims at the enforcement of personal data safeguards
and has a direct impact not only on the EU countries, but also globally with regard
to enterprises engaged in economic activity associated with the collection
and/or processing of personal data of individuals located inside the EU. US
companies that may have adhered to the EU-US Privacy Shield, which provides a
lawful basis for transfers of personal data from the EU to US organizations,
must meet much stricter requirements in order to be GDPR compliant. The Privacy
Shield reflects the requirements set out by the Court of Justice of the EU in
its ruling of October 2015 (“Schrems”), which declared the old “Safe Harbour”
framework invalid. Sustainable GDPR compliance is undeniably a challenging
task for enterprises worldwide and entails an indisputable shift in mentality
regarding the perception of personal data. The EU should share its values on
privacy and personal data protection in the international domain and build
strategic partnerships with like-minded countries. An ambitious step for the EU is a
UN treaty ensuring a minimum standard of data protection.
Previous initiatives launched by the European Commission,
such as “Citizens First”, seeking to promote EU citizens’ rights by providing
practical guidance, succeeded in raising awareness and exchanging best
practices between EU countries. Ultimately, a change in mentality, notably in
the importance of valuing personal data, is required in order to
transform this robust legislative framework into reality. Regardless of the
mandatory nature of GDPR and its direct application throughout the EU, if
individuals do not feel empowered to effectively exercise the rights stemming
from it, it shall remain a hollow statement. Rights are guaranteed not by the
existence of laws but by their enforcement. It is a unique opportunity to take
control of our personal data and uphold our fundamental privacy rights. (efi.thoma@gmail.com)