Will our data be safe with the GDPR?
2 May 2018 | Written by Cesare Venturoli
A few weeks after the Cambridge Analytica scandal, the General Data Protection Regulation will take effect from 25 May. Here’s what the new regulation entails.
The General Data Protection Regulation – or GDPR – is the new European Union regulation (EU 2016/679) on the processing and protection of personal data. With the Regulation, the European Commission intends to make the protection of personal data of European citizens and persons resident in the Union stronger and more uniform. Although it was approved two years ago, it so happens that the date on which the GDPR takes effect falls very close to the most clamorous data scandal of our time.
The GDPR entered into force on 25 May 2016 and will begin to apply on 25 May. It will replace the previous European legislation on the protection of personal data (Directive 95/45/EC) and will repeal the provisions of the Code for the protection of personal data – incorporated into Italian law by legislative decree 196/2003. Unlike a Directive, the Regulation doesn’t require any form of implementing legislation by the member states: the GDPR, therefore, will apply automatically within the legal systems of all EU countries.
The context. Last March, an inappropriate use of personal data by Cambridge Analytica, a giant of strategic political communication, came to light. The British company has for years built hyper-segmented ads through data mining, targeted at electoral campaigns. The problem arose when the New York Times and the Guardian revealed how these data were actually collected. Cambridge Analytica profiled, initially for academic purposes, the data of almost 90 million Facebook users, then used them in the recent US presidential campaign and, shortly before, in the one that preceded the UK vote on whether or not to remain in Europe. The data, therefore, collected lawfully and for academic purposes (with users logging in through Facebook and giving their consent), were then sold to third parties for political and, in some cases, commercial purposes.
Those who don’t know Cambridge Analytica, or simply those who are not familiar with the processes of online data collection – cookies and so on – will have felt vulnerable, exposed, stripped of their privacy. Those who are familiar with the subject will be wondering whose fault it is: Cambridge Analytica’s, Facebook’s, or ours, since we gave our consent without asking too many questions.
The Cambridge Analytica scandal, as mentioned, happened a few weeks before the introduction of the first single regulation on the protection of personal data in the European Union, which aims to simplify the rules and harmonize the laws of the member countries, in addition to guaranteeing greater data protection for its citizens and residents.
What changes? The GDPR concerns, as we have said, the processing and protection of personal data, inside and outside the borders of the European Union, of natural persons, whether they are EU citizens or residents of the countries of the Union. According to the European Commission, personal data means “(…) any information relating to an individual, connected to his private life (…), any personal data: names, photos, email addresses, bank details, posts on social networking websites, medical information or IP addresses”. The Regulation also applies to companies or organizations in general with registered offices outside the European Union, but which process personal data of EU citizens or residents. Instead, it doesn’t concern the processing or management of data for public security activities, an area left to the competence of the authorities in charge.
As mentioned earlier, before the GDPR each member state had to transpose the provisions of the Directive into its own legal system. As a result, there are discrepancies between the various systems in Europe today. With the GDPR, all the EU member states will apply a single set of rules.
The Regulation then distinguishes between four “types” of data: personal data, which concerns information relating to a natural person, identified or identifiable; genetic data, inherited or acquired; biometric data, which includes, among other things, the facial image (acquired, perhaps, through the smartphone’s face recognition); and data on health, physical or mental, regardless of the source.
Regarding responsibility and consent, the GDPR introduces the right for citizens to challenge automated decisions, including profiling (i.e. cookies), especially when made on the basis of an algorithm or machine learning and not on the valid and explicit consent of the interested party. In the event of a dispute, the data controller holding or processing the data subject’s data must be able to prove that the consent was given explicitly (opt-in). Citizens, however, retain the option to withdraw this consent or to apply limitations to it.
The “right to be forgotten” is also replaced with a right to the deletion of personal data on the basis of non-compliance with the principle of lawfulness. The interested party must be able to exercise this right as easily as he gave his consent to the processing of his personal data.
Finally, regarding portability, a person must be able to transfer his personal data from one computer system to another without this step being prevented or hindered by whoever holds the personal data in question.
The Cambridge Analytica case has brought the delicate issue of the use and management of personal data online to the center of public debate around the world. The General Data Protection Regulation, therefore, probably arrives at the best possible time but, at the same time, will be immediately under the spotlight and subject to criticism and observations, even before there are tools to judge its effectiveness and validity. What makes the arrival of the GDPR extremely interesting is, without a doubt, the introduction of a single and uniform legislation for all the countries of the European Union. The ball now passes to the companies, which will have to be ready and aligned with the provisions of the Regulation.