Written by Efi Thoma, Legal Advisor
Data is incontestably the new gold! In the new digital era,
personal data of individuals is being collected, processed, and transferred
around the globe by companies and organizations involved in this process,
without the individuals’ prior knowledge and explicit consent. The companies
and organizations that collect and use such data have a competitive advantage
and strengthen their market position by analyzing this data. Data may even be
sold to third parties worldwide, without either the prior knowledge of the individuals
concerned or their “unambiguous” consent. The new General Data Protection
Regulation (GDPR) constitutes a huge breakthrough in privacy laws, leading to a
drastic transformation of the privacy landscape on a global scale. It is not
just the GDPR’s large fines in cases of breaches or serious non-compliance that
make the difference; it is the new culture of awareness that is being
established regarding personal, and namely sensitive, data, as well as the
notion of the protection of privacy and integrity of individuals, in order for
them to start feeling less comfortable with easily providing personal
information by just assuming that this is acceptable.
Pursuant to GDPR, once individuals consent to have their
personal data processed by an organization, they automatically become “data
subjects”. Their privacy has been essentially strengthened by the right to be
informed, to access their data, to rectification, to erasure, to restrict
processing, to data portability, to object and to restrict automated decisions
and profiling, and the right to know when their data has been hacked. Thus,
European residents enjoy the guaranteed rights to determine whether, when, how
and to whom their personal information is revealed and how it can be used.
Notwithstanding the comprehensive data protection framework provided by GDPR,
enterprises’ successful compliance with the latter, and the key role of Data
Protection Authorities (DPAs) in interpreting and enforcing GDPR’s provisions,
as well as their effective collaboration, the key factor that shall determine
the accomplishment of GDPR’s aim lies within individuals’ informed approach
towards their personal data. It is imperative that European residents engage
proactively and collaborate with DPAs towards GDPR’s de facto application. For
example, it is important to know that they may file a complaint with the Data
Protection Authority and seek a judicial remedy in case their above rights
are being compromised or denied.
GDPR’s primary objective is to ensure the growth of the
digital economy while keeping personal data of EU citizens secure and
protected. It particularly aims at the enforcement of personal data safeguards
and has a direct impact not only on the EU countries, but also globally with
regard to enterprises engaged in economic activity associated with the
collection and/or processing of personal data of individuals located inside the
EU. US companies which may have adhered to the EU-US Privacy Shield, which
provides a lawful basis for transfers of personal data from the EU to US
organizations, must meet much stricter requirements in order to be GDPR
compliant. The Privacy Shield reflects the requirements set out by the Court
of Justice of the EU in its ruling of October 2015 (“Schrems”), which declared
the old “Safe Harbour” framework invalid. Sustainable GDPR compliance is
undeniably a challenging task for enterprises worldwide and entails an
indisputable shift in mentality regarding the perception of personal data. The
EU should share its values on privacy and personal data protection in the
international domain and build strategic partnerships with like-minded
countries. An ambitious step for the EU is a UN treaty ensuring a minimum
standard of data protection.
Previous initiatives launched by the European Commission,
such as “Citizens First” seeking to promote EU citizens’ rights by providing
practical guidance, succeeded in raising awareness and exchanging best
practices between EU countries. Ultimately, a change in mentality, notably in
the importance of valuing personal data, is required in order to
transform this robust legislative framework into reality. Regardless of the
mandatory nature of GDPR and its direct application throughout the EU, if
individuals do not feel empowered to effectively exercise the rights stemming
from it, it shall remain a hollow statement. Rights are guaranteed not by the
existence of laws but by their enforcement. It is a unique opportunity to take
control of our personal data and uphold our fundamental privacy rights. (efi.thoma@gmail.com)