Data Protection

    Privacy and data protection are fundamental rights protected by EU law. The terms data protection and data privacy are often used interchangeably, but there is an important difference between the two. Data privacy defines who has access to data, while data protection provides the tools and policies that actually restrict access to the data. In the EU, the fundamental right to privacy is covered by Article 7 of the Charter of Fundamental Rights of the European Union, while the protection of natural persons with regard to the processing of personal data, and the free movement of such data, is governed by Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR for short).

    Within the data protection paradigm, the Net4U Lab, in collaboration with ICT4Law&Forensics, investigates key issues in the following areas:

    Privacy and data protection in the digital age

    In the digital age, new technologies have been widely deployed in all aspects of life. Many of them can be privacy-invading if they are misused or abused, and this may cause harm to individuals and to society, even without our knowing it. At the same time, we become more and more dependent on such privacy-invading technologies and on ever-growing data processing. The major challenge is to determine how to improve the protection of the fundamental rights to privacy and data protection for EU citizens in light of these developments. In this regard, it is important to clarify what specific rights individuals and data subjects are entitled to under EU law. The GDPR has provided us with good answers.

    Data protection by design

    Data protection by design is a significant notion contributing to the implementation of the rights to privacy and data protection. This is especially relevant in an age when numerous systems are designed to process personal data and are deployed on a large scale. The notion was introduced by the Canadian Information and Privacy Commissioner Ann Cavoukian and promotes the idea that these rights can and should be protected not merely by regulatory measures, but by organisations implementing certain principles, by design and by default, in the systems that process personal data.

    In this regard, 7 principles of Privacy by Design are of importance:

    1. The Privacy by Design approach must adopt a proactive rather than reactive stance and aim at preventing privacy risks, not at addressing them after they occur.
    2. Privacy is to be used as a default setting.
    3. Privacy must be embedded into design.
    4. Privacy by Design ensures full functionality and seeks to achieve both privacy and security.
    5. Security must be made an integral part of the systems throughout their whole lifecycle.
    6. It seeks to achieve visibility and transparency.
    7. Systems are to be kept user-centric, and users' interests and needs must be taken into account.

    Article 25 of the GDPR refers to data protection by design and by default. Given the nature of this legislative act, this is a more specific notion, and it focuses on the obligations of controllers, which will be discussed in the coming weeks.

    The accountability principle

    A key concept of the GDPR is that controllers need to be able to show that their processing activities are in line with the data processing principles laid down by the GDPR. The accountability principle in Article 5, par. 2, means that controllers are responsible for, and should be able to demonstrate, their compliance with the data processing principles listed in Article 5, par. 1. The GDPR furthermore requires that controllers implement appropriate procedural and technical measures to protect personal data. They need to be able to show that they have taken concrete measures within their capacity to meet their obligations (Article 24). Controllers can show, with clear evidence, that they have taken appropriate measures and that processing activities are in line with the GDPR, for example through:

    • Documentation of comprehensive privacy policies.
    • The appointment of a data protection officer and representatives.
    • Adopting and following codes of conduct or Binding Corporate Rules.
    • Keeping records of all data processing activities.

    This evidence needs to demonstrate that concrete steps have been taken to comply with the GDPR provisions and thus to meet the controller's obligations.

    Technical and organisational measures – Risk based approach

    Under Article 32 GDPR, controllers have the obligation to take technical and organisational measures to achieve a level of security appropriate to the potential risk. Organisations therefore need to take a risk-based approach to data privacy: a process that allows them to identify potential high risks and to focus their efforts on high-risk areas. When taking these measures, they need to consider the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk, of varying likelihood and severity, for the rights and freedoms of natural persons.

    Examples of such measures include:

    • Pseudonymisation and encryption.
    • Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
    • The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
    • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing.

    Both controllers and processors have to take measures to ensure that persons acting under their authority (employees, for example) do not process personal data unless they are acting on instructions, or unless it is required by EU or Member State law.