The new European Privacy Regulation

Sep 16, 2020

The term “privacy” is now in common use and, in the Italian legal system, can be identified as the individual’s right to be protected against any type of intrusion or disclosure by third parties in the absence of authorization. The new legislation, already in force, consists of Regulation (EU) no. 2016/679 and Directive (EU) no. 2016/680 and aims, on the one hand, to adapt the protection of personal data to the evolution of technology and, on the other, to ensure uniform rules for the circulation of data within the European Union.

The recognition of privacy as a right is the result of a slow historical and jurisprudential development, which began at the end of the 19th century in the United States. The first discussion of the subject was published in 1890 by two Bostonian lawyers, who saw the right to privacy as the natural evolution of property rights. Their article describes the so-called right “to be let alone”, the product of jurisprudential elaboration and a response to the evolution of the social concept of the protection of property, no longer seen only as a tangible and material element but also as the right to protect the private sphere of the human being from the emotional and intimate point of view. The innovation and importance of the article lie in the choice to treat the emotional well-being of the human being as pivotal, not by virtue of the value it has in the public sphere or in economic and legal relations, but for the intrinsic value that privacy has for its holder.

Privacy, therefore, originated in the United States as a moral right, was developed through the decisions of the United States Supreme Court, and became law in the modern era, when it was translated from an abstract principle into a right regulated at the legislative level.

Italian Regulation

In Italy, owing to the country’s delayed economic development, the debate on privacy only began in the mid-twentieth century, in conjunction with the reform of the civil code, as a generic right of the individual to free self-determination in the development of his or her personality. In Europe, the first references to privacy date back to Article 12 of the Universal Declaration of Human Rights, according to which everyone has the right to legal protection against arbitrary interference with, or attacks upon, their private life.

In the Italian Constitution, privacy is not directly regulated, but it can be derived from the constitutional context through the indirect protection afforded by Articles 14, 15 and 21, concerning, respectively, the inviolability of the domicile, the freedom and secrecy of correspondence and, finally, the freedom to express one’s thoughts.

Returning to the present day, the right to privacy aims to adapt data protection to the evolution and growth of cross-border data traffic, balancing the need to facilitate the free movement of data within the European Union against the consequent need to ensure a higher level of protection.

The new Regulation (EU) no. 2016/679, in particular, expands the number of subjects to whom the legislation applies, overturning the traditional principle of establishment: the application of the privacy legal framework is no longer tied to the place where the processing takes place. Under Regulation (EU) no. 2016/679, the law of the subject whose data are collected applies, extending the legislation also to cases where the Data Controllers are non-European subjects or the data are processed outside the Union. Furthermore, greater emphasis is placed on the transparency obligations under Articles 5 and 12 with respect to the methods of data processing, establishing the need for language that is clear and comprehensible to all.

Regulation (EU) no. 2016/679 has a dual scope:

  • Material scope: it applies to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained in, or intended to form part of, a filing system.
  • Territorial scope: it concerns the processing of personal data carried out in the context of the activities of an establishment, i.e. a stable organization, of a Data Controller or a Data Processor, regardless of whether the processing itself takes place within the European Union.

Compared with the existing legislation, the Regulation assigns new tasks to the figures of the Data Controller and the Data Processor:

  • The Data Controller has the task of implementing technical and organizational measures aimed at guaranteeing, and demonstrating, that the processing is carried out in accordance with the Regulation. The Controller must also carry out an impact assessment of the processing, with related review obligations, where the processing is likely to present a high risk to the rights and freedoms of natural persons.
  • The Data Processor has the task of processing personal data on behalf of the Data Controller, on the basis of prior written authorization. Both have notification obligations in the event of a personal data breach and must keep a written record of processing activities, although the latter obligation applies only to organizations with 250 or more employees.

The Regulation also introduces two new principles:

  • Privacy by design: requires the Data Controller to implement technical and organizational measures that protect the data protection principles from the design stage through to the execution of the processing.
  • Privacy by default: requires, in the operational phase of the processing, measures aimed at ensuring that only the personal data necessary for each specific purpose of the processing are used.

Data Protection Officer

One of the most important innovations introduced by the Regulation is the professional figure of the Data Protection Officer (DPO). A DPO must be appointed in public companies and in those where the processing of data presents specific risks, such as companies that process sensitive data or that carry out large-scale, regular and systematic monitoring of data subjects.

The DPO has the task of ensuring compliance with the regulations and may incur penalties of up to € 20 million or, for businesses, up to 4% of the total annual worldwide turnover of the preceding financial year. The DPO can be either an employee of the company acting as Data Controller or an external person who performs his or her functions on the basis of a service contract.

Finally, the introduction of the Regulation increases the transparency obligations: the information provided to the data subject, especially where children under 18 are concerned, must be given in simple and understandable language and in written form, unless the data subject requests otherwise and his or her identity can be verified by other means.

Also worth mentioning is the new right to data portability, which allows data subjects to receive their personal data from the Data Controller free of charge, in a structured, machine-readable format, in order to simplify the online transfer of those data to another Data Controller.

Applying the Regulation also requires constant and continuous monitoring and verification, through audits, to guarantee the adequacy and effectiveness of the technological and organizational measures adopted to comply with the provisions of the GDPR.

It will be essential for companies to rely on professionals competent in the regulatory, organizational and technological dimensions of the Regulation, able to accompany and support them in the process of adaptation and ongoing compliance.

References:

  1. Regulation (EU) no. 2016/679.
  2. Directive (EU) no. 2016/680.
  3. La tutela della Privacy sul web: Cosa cambia con il nuovo regolamento europeo 679/2016, Fisco e Tasse – Maggioli Editore, 2017.
  4. Privacy e il diritto europeo alla protezione dei dati personali. Dalla Direttiva 95/46 al nuovo Regolamento europeo, Giappichelli, Torino, 2016.
  5. Garante della Privacy: https://www.garanteprivacy.it/