Press release AdnKronos – Digital development and privacy protection
(AdnKronos) – From those who always click “I agree” on every website pop-up to those who even put duct tape over their computer cameras, attitudes towards protecting our personal data and privacy are manifold. However, it is undeniable that these issues have become the focus of our daily lives.
Recently, the General Data Protection Regulation, also known as the GDPR, turned three years old. The GDPR is currently the main European data protection regulation. Although it came into force on May 24, 2016, its implementation took place two years later, as of May 25, 2018.
Europe dealt with privacy even before the GDPR. Privacy expert and lawyer Lapo Curini Galletti recalls, “privacy in Europe was born in the mid-1990s with Directive 95/46/EC of the European Parliament and the Council. Starting then from this legislation, over the years, all the privacy institutes were born and have evolved both within the Member States and at EU level”. To sum up: each Member State has enacted privacy laws and established its own body with control functions, while the EU has interpreted Community regulations and issued other directives to regulate specific areas. However, the need for EU-wide simplification and uniformity, together with the very rapid evolution of technologies, made it necessary to raise the level of vigilance and protection. The GDPR was born in response to these needs and, as the lawyer states, it is “not a revolution in the world of privacy, but a major reorganization of all that came before”.
There are three major changes introduced by the GDPR.
The first: the introduction of a broader territorial scope. The legislation applies both when the entity processing the data is established in European territory and when the entity to whom the data relates is. As a result, “if a company based outside the EU processes data from a European subject (or otherwise located on European territory) it will have to comply with the GDPR.”
The second: “the growth in penalty amounts imposes greater attention to privacy and compliance on all market players, regardless of their size,” says the lawyer.
The third: the GDPR introduced so-called “accountability”. As of May 25th, 2018, with the introduction of accountability, the assessment of processing risks and of the appropriate measures to eliminate them shifts entirely to the party processing the data. In fact, this is the only entity responsible for data processing identified by the GDPR. On the subject of accountability, lawyer Lapo Curini Galletti clarifies that “those who process data – even before they start – will have to design their own privacy system for each activity and subsequently process only personal data to the extent necessary and sufficient for the intended purposes and for the period strictly necessary for those purposes.”
Differences between countries and effects of Brexit
The GDPR is a regulation and, as such, is implemented in the same way in the Member States, with no leeway for adaptation. However, the lawyer specifies, “European privacy legislation, thanks to the GDPR, has reached a higher level of homogeneity than before but still not a perfect uniformity. In fact, as a result of the very parts for which the GDPR expressly provides for the possibility of derogation as well as due to the extreme generality of some of its provisions, some differences in interpretation and/or approach remain”.
As for the United Kingdom, which has just effectively left the European Union, “actually everything is still in the making, but we should soon have a clearer idea of the final scenario”, says lawyer Lapo Curini Galletti. However, it is certain that “companies based in the United Kingdom, from January 1st 2021, are subject to English legislation that provides – in the context of data processing – for the updating of all privacy documentation that will have to make explicit reference to the Information Commissioner’s Office, the authority of reference for data protection in the UK.” For now, the lawyer continues, “if an entity based within the EU is to make any data transfer to the UK for a client company or supplier, the processing must refer to the European GDPR certainly until June 30th, 2021.”
Large OTT companies
Large companies that provide services or content only over the Internet, also known as OTT (over-the-top) companies, such as Facebook, Netflix, Amazon and Google, “will no longer be able to evade the legislation since it no longer matters in any way whether or not the seat is within the EU territory, nor ignore any penalties as these may reach up to 4% of the annual worldwide turnover of the company,” explains the lawyer.
As a result, since the implementation of the GDPR, the relationship between users and these companies has changed. As lawyer Lapo Curini Galletti argues, “on the one hand, companies are much more attentive to perfect compliance with respect to the regulation, on the other hand, users, also as a result of the media hype created around the GDPR, are proving to be much more aware and demanding.”
Coming back to us users: although in most cases the concern is unjustified, the lawyer points out that “many new technologies, social platforms, tools are born and explode so quickly that, even if we wanted to, it would not be humanly possible to foresee a priori their scope and effects in relation to data protection.” As a result, he advises that “we should never release our personal data first without a real need.” Finally, he suggests fearlessly using the tools granted by the GDPR to enforce one’s rights and concludes, “So I recommend, if necessary, to fearlessly use these tools and not to waste time and protect your rights.”