The last two years will not only be remembered for the end of roaming charges or Brexit. These have also been memorable years for the large amount of European legislation regarding the protection of personal data and its transfer abroad. Can European citizens’ data be considered safe under the current European legislation, or does it require further development? How can this legislation be practically implemented?
First of all, what is ‘personal data’? Be aware that the term does not only refer to passwords or the settings of email and social media accounts. ‘Personal data’ refers to “any information relating to an identified or identifiable natural person (‘data subject’)”, be it a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Thus, keep in mind that data treated by a hospital, an insurance company or a public transport company falls within the category of data treatment.
In an increasingly connected and technological world, can EU citizens’ data be considered to be safe? If not completely, I believe that it is close to being so. First and foremost, in order of importance, the General Data Protection Regulation (GDPR), which entered into force on the 24th of May 2016 and is directly applicable in all the Member States by 25th May 2018, sets out a new season for citizens’ rights to privacy by public administrations and companies. For the first time, the GDPR provides for privacy to be set “by default”, underlining that privacy must necessarily be regarded as a pivotal aspect. By placing the rights of EU citizens first, this Regulation grants essential rights such as data portability (the right to receive personal data in a structured, commonly used and machine-readable format, for example when deleting a social media account), data erasure (the right to have data erased when they are no longer necessary, are unlawful or are treated on non-legitimate grounds), and the right to be informed in a transparent manner about the processed data, also and foremost in case of a violation. The GDPR also aims at creating specific conditions that prevent any privacy violation, for instance by obliging public administrations and companies treating large amounts of personal data to adopt Privacy Impact Assessments and to designate a Data Protection Officer.
What about personal data transferred abroad? The GDPR provides for very strict rules and conditions with regard to data transfer. Transfer cannot happen unless third countries provide for a high level of protection, including accurate and detailed procedures. Particular reference must be made to the recent EU-USA Privacy Shield, adopted on the 12th of July 2016. The deal focuses on the protection of personal data transferred to the US for commercial purposes. Unfortunately, the first concerns about its factual application in the US have already arisen. On the 6th of April 2017, the European Parliament voted on a resolution on its application, specifically regarding the legal safeguards adopted by the Trump administration. Their compliance with the GDPR and the Charter of Fundamental Rights and the right to privacy is enshrined.
Recent legislative measures that deserve a special mention are the proposals for an E-communication Regulation and a “Regulation on Data processed by Union institutions, bodies, offices and agencies and on the free movement of such data”. Why are these particularly important? The E-communication Regulation proposal aims at ensuring the confidentiality of personal data in the electronic communications sector. It also aims at guaranteeing free movement of electronic communications data, equipment and services within the EU. The proposal for a Regulation on the protection of individuals’ data processed by the EU institutions, bodies and agencies, instead, is a further sign of the great attention given by the European institutions to the protection of personal data. In such a context, it is of fundamental importance for European institutions and bodies to strictly apply current legislation, in order for Member States to effectively implement Data Protection.
EU Data Protection legislation has been and currently is one of the most topical issues, and is thus continuously developing. In an increasingly technological environment, it is essential that Data Protection remains at the core of European legislation in order to ensure respect for such a fundamental right. It is also important that Member States’ national authorities responsibly inform citizens of their rights and implement existing legislation effectively. Associating privacy with social media and email account settings is reductive. Data Protection involves online purchases and medical, insurance and banking treatment, together with data transfer to third parties. European legislation is working towards an effective protection of all European citizens in order to guarantee the application of Data Protection measures. Be aware of your rights and make them count.