Data protection is concerned with the use of data while protecting individuals’ privacy preferences and their personally identifiable information. Today, almost everything we do leaves behind a trail of data and revealing information, in particular in the online environment. Since the establishment of the first EU legislative framework on the protection of personal data with the enactment of Directive 95/46/EC and the introduction of Directive 2002/58/EC, the technological and social context that those laws were meant to address has changed considerably.
The use of Information and Communication Technology (ICT) has become pervasive. The emergence of Web 2.0 has blurred the fundamental distinction at the base of the pre-existing data protection laws between the data controller, i.e., the entity who processes personal data, and the data subject, i.e., the individual whose data are being processed. The Internet itself has become highly personalized, with people receiving services and applications fine-tuned to their needs and wishes, and service providers now hosting huge data warehouses of users’ personal information.
In this fast-changing landscape, the framework created by the European directives no longer provides adequate protection. Against this background, the EU institutions have developed a comprehensive reform of the EU data protection rules, which consists of a General Data Protection Regulation (GDPR), meant to replace the current Directive 95/46/EC, and a special Data Protection Directive for the criminal justice sector.
Aimed at offering better protection for personal data, the GDPR was finally approved on the 14th of April 2016, after a long legislative process, and it applies in the EU from the 25th of May 2018. It will be binding for all Member States. Failure to observe it could result in severe penalties for private companies as well as for actors from the public sector. The GDPR introduces a comprehensive reform of the current data protection rules and, unlike Directive 95/46/EC, will be directly and uniformly applicable across the Union.
The GDPR does not come without application difficulties. Several of the GDPR provisions are wide in scope and independent of the context and domain in which personal data are processed, and their application will depend in large part on their future interpretation by courts and authorities. In other words, the GDPR provisions are deliberately generic and adopt evaluative terms, leaving ample space for legal interpretation. The regulation is meant to create a flexible regime applicable to all forms of processing of personal data and to address future technologies and needs.
From the legislative perspective, the GDPR aims to be a piece of legislation that will not become obsolete in a few years. On the other hand, it leaves some blank spaces to be filled directly by national and EU regulators, by courts, and by the practices of the operators involved in the processing of personal data. What is clear is that the GDPR establishes severe enforcement of its provisions, introducing very high fines for infringements, which go as high as 4% of a company’s annual worldwide turnover. Still, the GDPR remains rather vague and intentionally general in some parts.
This poses a serious risk to companies that wish to be compliant, as failure to comply could imply major financial losses and the inability to carry on their business, a fatal possibility in the fiercely competitive environment of Internet services. The risk of breaching the GDPR provisions may be even higher for small and medium enterprises, because of their less structured approach to the processing of personal data.
At the University of Luxembourg, legal professionals cooperate closely with IT experts, believing that effective protection of data requires a collaborative approach uniting legal and technical expertise. But this is not always easy. Even basic terminology can create communication barriers. For example, the frequently encountered term “accountability” can be read quite differently by legal and IT experts. An equally important part of a holistic approach to protecting personal data is raising awareness among those who will have to implement the regulation. In light of this, the University of Luxembourg, together with law firms, has organized (and will continue to organize) a series of round-table discussions on the topic of “IT Governance and the GDPR”, focusing on actual problems encountered by companies intending to set up compliance mechanisms.