Traditionally, since the year 2006, 28th January has been celebrated as International Data Protection Day. At Objectivity, we celebrate it as Privacy Protection Day. Our motto is: "Privacy is Value".
This January it is particularly important, as it has been over half a year since the GDPR began to apply in Europe. It is therefore a perfect moment to discuss privacy and personal data protection issues.
Awareness, awareness and again… awareness.
It is already a tradition that this day is treated as an opportunity to stress the importance of protecting the privacy of individuals' personal information. It is a great and valuable initiative. Awareness needs to be raised, given the growing number and falling age of active Internet users.
I believe it is worth referring to the results of the survey presented by the European Commission in 2015. The survey was carried out among nearly 28 000 citizens from 28 Member States of the European Union (Special Eurobarometer 431). The most disturbing results indicate that:
- 67% of the respondents are concerned about not having complete control over the information they provide online;
- over 60% of the respondents say that they do not trust landline or mobile phone companies and Internet service providers (62%), or online businesses (63%).
It is worth pointing out that the respondents express concern about the collection and processing of their personal data. However, can these concerns actually be verbalized by naming specific risks? Are respondents able to name the threats related to excessive provision of their personal data? A short review of various social media, together with a number of reports on cyber fraud, shows that, unfortunately, this concern seems to exist in theory only and not in practice.
There are reasons to celebrate together.
Let's celebrate 28th January not only as Privacy Protection Day, but also as a joint holiday of those whose data is processed (referred to below as individuals) and of the entities processing data for their own (or others') purposes (data controllers and data processors, respectively). Let's not treat personal data protection as an unpleasant duty concerning the second group only.
Bad narrative is detrimental.
Awareness campaigns carried out to prepare society for the implementation of the GDPR very often had a negative overtone and sounded like a scary story. During training sessions or on various other occasions, statements like "we have to do it because this is required by GDPR" could be heard. Not quite! Privacy is a value in itself, and all the rhetoric around the GDPR should emphasize this fact. It is a common belief that bad narrative is detrimental to both parties. If the controller undertakes to protect privacy only because it is their obligation, and does not respect its value, their employees are likely to follow in their footsteps.
What will the individual infer from sparsely prepared information about the processing of their personal data? The controller's obligation only, or an invitation to a dialogue? How is it going to affect the level of trust in the controller? In case of doubt, will the individual start a dialogue with the controller of their data? Or will they immediately seek hard enforcement of their rights, which could have a negative impact on both sides (e.g. because the data controller will not be able to support the individual's needs)? For sure, a relationship built on that kind of foundation will not be comfortable or stable, and is unlikely to survive.
How to build a healthy e-society?
One of the four pillars of Objectivity's ethics is the emphasis on people. Respect for people means respect for their privacy, hence our narrative and the motto of today's jubilee. A few months ago, just after the GDPR began to apply, I had the pleasure of writing (GDPR - what is this for?) about privacy by design and by default as a tool necessary to build a culture of personal data management as well as a healthy e-society.
Speaking of culture and values, let's take a closer look at a proper, mutual understanding of an individual's rights and how they are honored. If we want to build a healthy e-society and a good relationship between the controller and the individual, we need to bear in mind that mutual understanding and dialogue are required, something I am going to return to, and try to encourage, in a moment.
Dialogue is required.
Before I start, I would like to remind you all which rights the GDPR currently gives to individuals:
- the right to be informed,
- the right of access,
- the right to rectification,
- the right to erasure (right to be forgotten),
- the right to restrict processing,
- the right to data portability,
- the right to object,
- rights related to automated decision-making, including profiling.
I have not been able to find any research that would show how well individuals understand the above rights. Anyway, how would one conduct such research? A questionnaire asking "do you believe that you understand your rights?" could not reflect the truth. However, I believe that time and experience will bring the answer.
There are two sides to every story.
Meanwhile, let's focus on the right to erasure (right to be forgotten), which seems particularly intriguing at first glance. "Right to be forgotten" sounds quite promising and certainly intriguing.
What is the truth behind this concept? I am going to use it as an example while discussing practical (!) rules of building a dialogue between both sides.
The general definition of the right to be forgotten says that the individual can request that the controller delete their personal data. Usually this happens after the contractual relationship between the parties has ended, and this is also how individuals tend to understand the right. Unfortunately, most education on the GDPR goes no deeper than that. The truth is that this right is affected by other factors that determine its applicability. Certainly, it is not an absolute and overriding right. One should bear in mind the requirements resulting from the contract concluded between the individual and the data controller. Data retention requirements and others, such as documentation (because of possible claims) or financial/accounting regulations, are no less important.
All of the above simply imposes an obligation on the controller to store the data for a specified period.
What could go wrong?
In practice, one can imagine a situation where an individual requests erasure of their personal data because:
- they do not trust the controller;
- they do not understand the content of the communication provided to them under the information obligation;
- they want to completely clean up the history of processing of their personal data, for reasons known only to themselves;
- they understand their right to be forgotten as an absolute right that applies to them always and everywhere.
The controller's role is therefore to build a foundation for a proper dialogue with the individual. The information provided to people must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language. In addition, the data controller should exercise all due diligence when arguing their right to retain data on the basis of legitimate interest. The controller's argumentation should result from an appropriate balance between the interests of the data controller and the individual's privacy. The diligence and reliability of this argumentation is a good demonstration of the controller's respect for the individual's rights, and it will result in a fair and good relationship between the controller and the individual.
Special thanks to our DPO, Grzegorz Makara, for interesting and inspiring discussions about privacy protection.