Privacy and Data Protection based on the GDPR - Leo Besemer
Foreword
Chapter 1 of “Privacy and Data Protection based on the GDPR” describes how in 1890 the Boston lawyer and future U.S. Supreme Court Justice, Louis Brandeis, together with his partner Samuel Warren, published in the Harvard Law Review a classic article – “The Right to Privacy”. A key topical concern of Brandeis and Warren was the first introduction to consumer markets of portable and cheap cameras and their potential use by 19th century paparazzi to harm people’s confidentiality. In other words, the main issue which triggered their article was technological development resulting in abuse of the individual’s right to privacy – plus ça change …
The right to privacy was included in the European Convention on Human Rights drafted in 1950. It created an essential human rights standard which is binding on the Council of Europe members. The consistency it introduced to Europe is highly important. For instance, when comparing privacy rights in Irish and English law, Article 40.3.1 of the Constitution of Ireland adopted by a vote of the people in 1937 provides that “the State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizen”. The courts have held that one of these personal rights is the Irish citizen’s right to privacy.
On the other hand, in Kaye v Robertson [1991] FSR 62, it was stated by Lord Justice Glidewell that “it is well known that in English law there is no right to privacy, and accordingly there is no right of action for breach of a person’s privacy”. Both countries have subsequently incorporated the Convention rights – including the Article 8 right to privacy – into national legislation. And another vital point is that these are “human” rights – rights we all have by virtue of our common humanity and not because of our citizenships, or the jurisdictions in which we reside. Likewise, our right to the protection of our personal data under European Union law provides a shared standard for and across all Member States.
Although there is significant overlap between our right to privacy and our right to protection of our personal data, they are not identical. This is often misunderstood – privacy and data protection are frequently thought to be 100% synonymous. But as Leo points out, they are separate and distinct rights under the Charter of Fundamental Rights of the European Union. Similarly, the Council of Europe has its Convention on Human Rights, separate from its more specific Convention 108+ for the protection of individuals with regard to the processing of personal data.
To demonstrate, Article 5 of the GDPR sets out six basic principles for the application of our data protection rights. And, for example, a failure to adhere to the obligation under Article 5(1)(f) for securing personal data from “accidental loss” is not, per se, an infringement of privacy. However, a data protection failure resulting in accidental loss, e.g., of a hospital patient’s medical records, could have potentially fatal consequences – there can be nothing more serious.
This highlights a key theme of the GDPR – taking appropriate account of the risks to data subjects resulting from failures to protect their personal data. Part IV – “Risks assessment and mitigation” – covers this very well. The word “risk” appears eight times in the English language text of data protection Directive 95/46/EC, compared to 75 times in the GDPR. However, this is very frequently ignored by organizations. This was plainly shown to me by a survey I did in 2019 of data protection officer (DPO) recruitment advertisements throughout Europe. DPOs are required under Article 39(2) to take a risk-oriented approach to the performance of their tasks. The implication is that risk assessment and management is an essential component of the DPO’s expertise. But in my survey this risk expertise was neither required by, nor desirable for, 76% of employers.
It is also important to emphasize that although the six basic GDPR principles are legal obligations, they also provide a first-rate framework for the data management and governance described in Chapter 6. So, even if not required to, it would still be in every organization’s interests to apply them. An obvious illustration is the Article 5(1)(d) requirement to keep personal data accurate and up-to-date. However, to the extent that our organizational decisions are based on data which is inaccurate or out of date, they will be flawed and less effective. Therefore, we clearly should be doing this anyway.
In order for organizations to reach a good compliance standard with the data protection principles, it must be absorbed into organizational culture from top to bottom. Under GDPR Article 38(3), DPOs must “directly report to the highest management level”. This implies that, firstly, the highest management must have a reasonable understanding of what is being reported to them and, secondly, that data protection compliance must be carried out as a strategic issue. Leo’s book can provide very effective support to you and your colleagues in reaching this understanding and applying it in practice.
Fintan Swanton,
LLM MSc CEng FICS MBCS.
Senior Data Protection Consultant & Managing Director,
Cygnus Consulting Ltd.
Fintan Swanton is the Irish representative in the Confederation of European Data Protection Organizations (CEDPO).