The European Union Data Protection Reform

On April 8th, the European Council approved, as a first step, the definitive draft of the new Data Protection Reform, and we are now waiting for its publication in the Official Journal of the European Union. Yesterday, April 14th, the European Parliament approved the new text, and finally all 28 member states, after a long and exhausting process of drafting the new norms, have a uniform and immediately relevant set of rules, useful to citizens, companies and all the different organizations operating in those states.

Notwithstanding the two-year period it took to publish and release this document, from this moment every state will start its own journey of reflection, with a greater awareness of privacy as a fundamental human right. As a matter of fact, this principle has been set as the major pillar on which it is possible to build stronger guarantees for individuals and increase control over the matter. In this regard, each state will be responsible for adapting its internal legislation, and therefore for creating a law that respects the right to privacy of the European citizen, even outside Europe’s borders. Likewise, special precautions need to be taken when personal data are transferred to countries outside the EU; in particular, this can only be done when an adequate level of protection is offered by the third country.

Specifically, this global reform, built on one of the most elementary and fundamental rights of the citizen (the right to confidentiality and privacy), seeks to dictate new rules of conduct in the digital area, at this point considered essential for the socio-economic development of a nation. As a result of the current situation, the EU decided to release two different documents: the General Data Protection Regulation and the Data Protection Directive for the police and criminal justice sector (the definitive draft of the latter is still in progress). The first document, the General Data Protection Regulation, allows the individual citizen to have better control over the amount of personal information that circulates, while the latter will ensure that the data of victims, witnesses and suspects of crimes are duly protected in the context of a criminal investigation or a law enforcement action.

By way of contrast, what can assure us that the new EU General Data Protection Regulation will guarantee citizens’ and companies’ privacy better than the already existing internal regulations? What are the main pillars of the new Regulation?

Considering this, if we refer to the Italian regulatory system on the matter, the legislator already started the process years ago, with the issuance of the Privacy Code (updated with the reform in 2012), the establishment of an Autorità Garante, many general provisions and other permit proceedings. The different areas of strategic interest for citizens and companies in the protection of their data had therefore been extensively regulated even before the general EU regulation.

By the same token, the new European rules will allow the person concerned easier access to their personal data held by the data holder, as well as a more explicit and clarified “Right to be forgotten”, which forces the data holder to delete any data kept without legitimate reasons. To allow the transfer of data from an old host to a new one, the “Right to data portability” will be regulated, together with the “Right to know when your data has been hacked” (Data Breach). The latter obliges any company or organization operating in EU territory to promptly communicate violations of personal data to the national authorities, in order to give the person involved the necessary time to take the required security measures.

In addition to this enlargement of citizens’ rights, there is a series of norms that facilitate the application of privacy standards for companies, so that they can become more competitive and develop a stronger privacy policy. As a consequence of the uniform application of the new regulation, a “One-Stop-Shop” will be established so that businesses (national and multinational) will only have to deal with one single supervisory authority. In addition, new risk-based rules will avoid a burdensome one-size-fits-all obligation and instead tailor obligations to the respective risks.

Indeed, another main pillar of the new regulation is the institution of a “Data Protection Officer” (DPO). This new figure (already existing in some domestic legal systems) will, on the one hand, help companies understand their duties, obviously after a wide-ranging privacy impact assessment. On the other hand, through accurate explanations, the DPO will train and inform the Data Controller about his duties, raising awareness and proposing guidelines to follow in order not to go beyond the legal framework. Especially for this reason, it is important to wait for the definitive implementation of the new regulation, at least in the cases of “mandatory appointment/designation” (filling the grey areas of compromises) already expected for the use of personal data by the public administration. In this regard, it often happens when the principal activities of the Data Controller include regular and systematic monitoring of the citizens involved on a large scale, or when the data used and monitored are sensitive or of a judicial nature.

Overall, what will come after the implementation of the new regulation is a challenge, one that already shows problems in the application of specific norms that each state can adapt (slightly modifiable), created after numerous, as well as useless, sessions, and made to please and satisfy many different interests.

In the case of Italy, our legislator, together with the “Autorità Garante della Privacy”, will have an easier time in designing the already existing regulatory framework and in implementing new norms that to this day have only been partially adopted and accepted.

by Domenico Vozza,
Business Governance, Compliance and Privacy Specialist,

Member of S News Scientific Committee

 
