Twenty years ago, the first Personal Data Protection Law entered into force in Italy.
Since then, both the complexity of the regulations and the public awareness have been growing wide, same pace with the thriving technological progress.
Nowadays we hear about a “Personal Data Protection Right’’, often misunderstanding the real meaning of this concept.
It is vital to take into consideration that, the act of coding rights’ regulations followed an actual social-driven necessity, sprung from an economic, political and cultural context, afterwards represented onto juridical field.
In the first half of ‘90s, the personal data had merely a value as information related to the private sphere, and were protected only under the right to confidentiality.
At present, the gathering, processing and exchanging of personal data are daily activities in any business; the sources and purposes of processing consequently expanded, allowing for more accurate services, requiring increasingly analytical information.
In this context, the personal data feature prominently in the information society’s “working capital”: a direct outcome of this situation is the growing main economic value for the data availability.
Having to cope with the personal data’s newly acquired weight, the current regulatory system had to readapt from traditional ‘’right to confidentiality’’, by acknowledging a new and autonomous “data protection right”.
This new right is not purely defensive, but it introduces an actual right of disposal of one’s own private data, based on affirmation of the prevalence of natural person’s fundamental values – dignity and equality firstly – sustained by the tool of the informed consent.
However, today, the current regulations do not seem to be sufficient.
Last years’ swift expansion and affirmation of the new-tech, on both, the market and the public administration (e.g. cloud computing, biometric tracking, use of radio-frequency Identification creating ‘’intelligent’’ items – “IoT“ –, processing of genetic data, geo-localisation, development of e-government...) gave further impulse to the invention of new processing models.
These models require information which are, for their nature, more likely leading to loss of control on both personal data management and protection.
We all agree on the technological evolution being unavoidable and beneficial for global socio-economic development, however, the request for public protection and control on personal data is consequently reaching its peak.
Hence it is necessary to update the current laws, but, as we acquire from the latest experiences of technologic development, a long-term perspective for durable efficiency of regulations must be researched.
We may reach such a perspective only through the “sustainable development” of technological dynamics, grounded on a righteous balance between the economic growth and the guaranteed disposal on own data for every physical person.
With this aim we must read GDPR as a system of regulations:
- no longer restrained to the single States, but globally and uniformly applied.
- increasing the value of all the modern facets of personal data, such as:
- object of processing
- part of a “working information capital”
- an economic value bearer
- a moral value bearer, considering social projections of the person, even when on-line,
- acknowledging the natural person’s need to detain both the use and the protection on his/her own data, as a wholly different entity.
In order to guarantee a durable efficiency for this system, the flexible tool of the fundamental rights’ interaction has been highlighted: GDPR states the human person’s right to privacy as fundamental, “considered in relation to its function in society” (GDPR’s whereas 4) and this interacts with all the other fundamental rights recognised by European law – such as, freedom of expression and information, and freedom of enterprise (but also the human dignity, liberty and equality) – in a progressive balance ruled by the principle of proportionality.
Above the armour forged by balancing the fundamental freedoms, the regulation weaves a net of principles and definitions, referring to the personal data processing:
- the traditional ones: lawfulness, transparency, pertinence and avoiding excesses in processing, accuracy of processed data.
- and those recently codified: simplification, effectivity of protection, data protection by design and by default.
It is vital to consider this base structure as referring to the dynamics of interactions between the fundamental rights as not limited by the need to comply with rapid-ageing legislations; in such way a dynamic and flexible scheme will rise, which could adapt itself to the new technologic innovations without losing efficiency.
Inside this well-defined dynamic container, the Community bodies, the member countries, the national DPAs collaborate to progressively define details of regulations.
This mechanism ensures the maintenance of a constantly adequate personal data protection measures, in harmony – not in conflict – with the technological progress, a precious flywheel of the economic development.