Today marks the International Day of Data Protection, which invites us to take stock of a particularly intense period in the matter and to try to see how we will affect the regulatory and social changes that are taking place around the data.
At European level, on May 25, 2018 marked the beginning of the application of the General Data Protection Regulation (RGPD). In Spain, the year has ended with the approval of the new data protection law. Both regulations propose very significant changes in regulation and open a period of greater complexity, not only because of the difficulty of interpreting the new regulation, but also because the data economy itself is in the midst of an authentic revolution.
Europe has opted for a preventive model that tries to avoid abuse
The question can have very different readings depending on the perspective. For citizens it has been the year of the great security failures and the political manipulation through our data. Not that it did not happen before, but now it happens more and it is better known. But do we really care? The data is a currency for multiple free services and a large majority are not willing to give them up or, of course, pay them. Our assessment of privacy is changing. Should regulation protect us from ourselves? The consent of the individual as a key to the treatment of their data is losing relevance to the evidence that we do not understand what we accept or we do not bother to read it. The RGPD recognizes new rights such as portability that grant greater control to the individual, but its impact has yet to be seen. The legislator's concern that our data is not used in an abusive way could give way to being ourselves, and not just the companies, which we will profit with our privacy, or rather, the lack of it.
- Difficulties for small business
For organizations, the challenge is complex. The market tells us about digital transformation, big data and customization. All this implies an intensive use of data, in a game that companies must play if they want to survive. The protection of the individual is not questioned, but we must be aware that Europe has chosen to establish a preventive model, with important formal obligations They try to avoid abuse, not just correct it and punish it. These formal requirements will be easier for large organizations to meet and the biggest difficulty will be experienced by small companies that want to grow within Europe with these regulatory costs.
The RGPD is also complicated for regulators. The game of political interests and balances has led to the creation of a kind of Normative Frankenstein, with a lot of margin for the States to establish their own exceptions and regulations, and with complex coordination mechanisms between the authorities. This swampy terrain is encouraging the dispersion of criteria and will increase litigation. On the other hand, the hypertrophy of the right to data protection is causing it to conflict with other fundamental rights such as freedom of expression, the Right to information and even the right to health protection and an unbalanced interpretation could lead to loss of legitimacy.
- In favor of the Administration
Lawmakers do not help much either. Our new LOPD, approved with a surprising parliamentary consensus despite the existing political division, forces the limits of the RGPD when it establishes special conditions in favor of political parties. It also contrasts the sanctioning burden imposed on private organizations with the option taken by the Spanish legislator to exempt administrations from possible economic sanctions.
In short, there are uncertain times for data protection as we can say in these days of so many other things that we are living. If someone thinks that this is just a thing of lawyers, to apply one more rule, I think that is wrong. What does seem certain is that, given all this uncertainty, legal knowledge must be sophisticated, developing a deep understanding of the businesses and sectors in which it has to lend its support and integrating with other areas of knowledge. This will avoid problems but opportunities will also be generated. The digital transformation, at least in Europe, will be strongly conditioned by legal and regulatory aspects. This date, the day of data protection, makes us a little more aware of it.
Raúl Rubio He is director of the data protection program at IE Law School and partner of Baker Mckenzie.