Data protection versus security: The debate on the restrictions taken during the pandemic is revived in the EU

  • By:jobsplane

22

02/2022

The impact of the pandemic has accelerated the need for the digital transformation of companies and institutions, a transition forced by the need to maintain business. In this context, some measures taken by the administrations have put the data protection and privacy of citizens to the test.

Today, January 28, marks the European Data Protection Day. With this anniversary, the European Union seeks to raise awareness about the importance of privacy and the rights of the General Data Protection Regulation (RGPD), which in May marks four years since its entry into force.

In our country, both the day before and this Friday, different events have been held to remember the importance of privacy.

At the same time, we are witnessing the completion of the selection process for the new president and assistant to the president of the Spanish Agency for Data Protection (AEPD), after the approval of the new Statute of this regulator.

Confilegal has asked for the opinion of three representative associations at the level of privacy, expert lawyers in this practice, privacy professionals and user citizens to find out how data protection is currently perceived.

Companies and DPOs, proactive in privacy

Carlos Alberto Saiz, partner of EcixGroup and president of the Association of National Experts in ICT Law (ENATIC), an entity that encompasses lawyers in digital law, believes that the effort made by companies is important, "to mature their system of Privacy Governance, as well as the implementation of systems that allow for data traceability, since it enters the company, where it is stored, who treats it, how it is blocked or deleted, etc.”.

For Saiz, "having a consent management system that brings together the guarantees provided for in the standard has become an essential point for data protection officers (DPO) to put in place the appropriate guarantee measures to carry out profiling, segmentation and commercial with customer data”.

Regarding the emergence of new technologies, he recalls that "we live with new technologies almost every month, AI, Machine Learning, Cloud, Big Data, facial identification, 5G... and many more."

“I consider that not all technological phenomena require new regulations, since I believe that the challenges they propose can be resolved with the existing regulatory framework (administrative, civil or data protection). Other phenomena are so large that they have many more edges than data protection, for example, Artificial Intelligence”.

For this expert, “the RGPD and Spanish Law have a spirit of long survival and are established as rules of great guiding principles, which obviously, we will have to interpret with day-to-day practice in the face of the appearance of disruptive technologies and new challenges to the that we will have to look for practical solutions that guarantee rights”.

Regarding the task that awaits the new president and deputy of the AEPD, now in the selection process, he believes that some of the challenges that the regulator will face have to do with "providing itself with the means to efficiently attend to the increase in requests, claims, doubts , etc. raised by citizens”.

Another issue will be to "work closely with the different industrial sectors and professional communities to promote good practices and guides that facilitate and raise awareness of the importance of regulatory compliance in data protection."

It also considers that another milestone will be "working towards the defense of a fundamental right, but in a public and private context of acceleration of innovation, digital transformation, promotion of the data economy, application of AI in many data processing, etc.”.

Lastly, he speaks of the need for the AEPD to “foster relations and the international context, with other control authorities, the European Supervisor, etc. to achieve the homogeneous application of a European Regulation that at the same time is interpreted together with national regulations of each member country”.

Privacy Professionals Needed

For her part, María Arias Pou, vice president of the Association of Privacy Professionals (APEP), points out that “at the start of 2022 we observe that companies have suffered a lot from the pandemic crisis and have evolved, in an accelerated manner in many cases, to the digital environment”.

“Exposure to digital channels increases attention to the different legal aspects that affect their services, including privacy. There is still a lot of expectation about the future regulation of 'cookies' with the future e-privacy regulation, ”she says.

In her opinion, many companies are attentive to the evolution of privacy in relation to international data flows. Thus, for example, with the new scenarios such as the one created with the United Kingdom, after Brexit.

"On the other hand, there are the new challenges that privacy entails in the field of use of biometric data, artificial intelligence, big data and the multiple options for exploiting large databases."

For the vice president of APEP, there is still much to be done to make privacy an important element of our society. “It is a long-term job that the privacy professional must carry out, from their role as data protection delegate or consultant to ensure that the awareness of the company or entity grows”.

In her opinion, "the current regulatory framework in terms of privacy is going to be completed with other sectoral regulations at European and national level that pursue the objective of covering the different realities that technological evolution is presenting".

She believes that "undoubtedly the evolution towards Digital Europe leads us to pay attention to technologies, as well as cybersecurity as issues that go hand in hand with privacy".

Regarding the challenges facing the new president of the AEPD, this expert points out that "being the first president of the AEPD elected by the procedure established by law is already a great challenge in itself."

“From the point of view of privacy professionals, I think that among the main challenges is to finish consolidating the channel of communication with professionals as well as promoting the training and professionalization of data protection officers in particular and of the privacy professionals in general.

In her opinion, “the joint work of those of us who are involved in the day-to-day application of the regulations and the control authority is a necessary alliance”.

Citizens and privacy

Ofelia Tejerina, doctor in Constitutional Law and president of the Association of Internet Users, points out that “we have been fighting Covid 19 for two years and it seems that its end is near. In that period of time, technology has adapted to our lives.”

In his opinion, the entry into force of the RGPD in May 218 was a milestone for the awareness of privacy by companies and citizens themselves who have already begun to be interested in privacy policies, as well as "in the use of mobile applications ask you for a lot of data, just as the security breaches of Facebook have had a great impact”.

In these two years, “the problem is that we have succumbed, especially to the principle of comfort over utility and protection. Technology is fast and useful, but we have asked ourselves the question if we felt protected. The AEPD itself pointed it out in a report on certain control measures that were useful, not supposed to be efficient in guaranteeing our rights”, she indicates.

Tejerina recalls how applications for the use of citizens such as Radar covid has not taken off in this pandemic, “it was intended to control the pandemic, but as in other countries it has not caught on among the people. It seems that we trust private applications more than those that are supported by governments”.

This expert acknowledges that the security and privacy debate has returned, "situations of social alarm are taken advantage of to impose measures that offer us security, such as masks or temperature taking but that have not justified their usefulness."

In her opinion, “many seriously affect privacy and data protection and the secrecy of communications. We must continue to question its real usefulness.”

As for whether changes will have to be made in the current GDPR or in Spanish regulations, Tejerina recalls that "we have yet to approve the 'eprivacy' Regulation, which can be a complement to the GDPR, without having to modify it. It will be necessary to see if it is necessary to adapt the existing guarantees to the new technology that is coming”.

Regarding what is expected of the new president and deputy of the AEPD, the president of the Spanish Internet users indicates that “from the user's point of view it would be good if in this new stage it could simplify the response and explanation processes”.

For this lawyer, “it is easy to file a claim, but when she approaches our association she asks us how she has to write the claim and what she has to put. It is still thought that a lawyer is needed to write those claims.”

Regarding the sanctioning activity of the AEPD, it seems that the Spanish regulator ended up following the sanctions of other European countries. “It started strong in 2018, but there was a peak with the pandemic. I believe that at a European level, the digitization of work and leisure has been prioritized to promote recovery. That is why the sanctions are proportional.

This news talks about:

Spanish Agency for Data Protection (AEPD)Association of Internet UsersAssociation of Privacy Professionals (APEP)Ecix GroupENATICOfelia TejerinaData ProtectionGeneral Data Protection Regulation (RGPD)Related News:Spain, first country in sanctions for privacy: Exceeds 170 and triples those of Italy and Slovakia, according to DLA Piper Javier Fernández-Samaniego, candidate for the presidency of the AEPD, integrates his office in EY Abogados Breaks his neutrality: The EU Data Protection supervisor uses the official Twitter in favor of «his candidate » to the AEPD The Supreme Court condemns a group from Villena for revealing that one of its associates was in default CESCE is sentenced to pay 8,000 euros for non-material damages suffered by a company for its illegitimate inclusion in a file of defaulters Ecix Group develops an algorithm with the aim of becoming the reference firm in «Compliance»

Data protection versus security: The debate on the restrictions taken during the pandemic is revived in the EU
  • 1458
  • Can I put on a mask after the facial?

Related Articles