Article by Francesco Giacomo Viterbo: The 'User-Centric' and 'Tailor-Made' Approach of the GDPR Through the Principles It Lays down
20 February 2020
Francesco Giacomo Viterbo, Associate Professor of Private Law at the University of Salento, from the Fondazione Scuola di Alta Formazione Giuridica-PSEFS team, has authored a paper on the topic of online privacy and personal data protection in the contemporary digital age. It is written in English and published in the Italian Law Journal, available in open access here.
The abstract reads as follows:
The European approach to online privacy and personal data concerns in the contemporary digital age appears to have embraced a ‘user-centric’ approach, inspired by values of ‘personalism’ and human dignity, regardless of the growing commercial value commonly given to personal data.
These two sides of the same coin have been taken into account by the GDPR. On the one hand, it seems to outline a system of protection of data subjects that presents certain similarities and connections with consumer protection directives, especially as regards the transparency principle and the aim to provide individuals with ‘effective’ protection, enforceable rights and awareness-raising activities. On the other hand, a radical shift in the data protection policies of big online companies and many other service providers is required by the implementation of the set of mandatory principles and obligations stated by chapter IV of the GDPR, while the notice-and-consent paradigm is now quite remote.
In particular, data minimisation, confidentiality, integrity, data protection by design and by default, as well as accountability and scalability principles require a model of approaching the new challenges brought about by data protection that should be ‘contextual’ and ‘tailor-made’. This means that the appropriate measures to be adopted by controllers and processors must consider the specific circumstances of each individual case, in accordance with a proportionality and reasonableness test on the extent of risks to the rights and freedoms at stake.
The new legal framework provided by the GDPR and Convention 108+ has weakened the role of national laws on personal data protection but has also posed the challenge of providing a uniform legal frame, at the European Union level, as well as of strengthening the harmonisation process among countries that are currently taking different approaches to data protection at a global level.