The first steps of a revolution with a set date (25 May 2018): the “new” General Data Protection regime


by Pedro Madeira Froufe, Editor

1. Homo digitalis[i] is increasingly present in all of us. It surrounds us, it captures us. Our daily life is digitalising rapidly. We live, factually and considerably, a virtual existence… but very real! The real and the virtual merge in our normal life; the frontiers between these dimensions of our existence are blurring. Yet, this high-tech life of ours does not seem to be easily framed by law. Law has its own time – for now barely compatible with the speed of technological developments. Besides, in the face of new realities, it naturally hesitates in the pursuit of the value path (therefore, normative) to follow. We must give (its) time to law, without disregarding the growth of homo digitalis.

2. Well, today (25 May 2018) the enforcement of Regulation 2016/679 (GDPR) begins. Since 25 January 2012 (date of the presentation of the proposal for the Regulation) until now, the problems with respect to the protection of fundamental rights – in particular the guarantee of personal data security (Article 8 CFREU) – have become progressively clearer as a result of the increase in the digital dimension of our lives. Personal data has definitely acquired an economic importance that recently publicized media cases (for example, “Facebook vs. Cambridge Analytica”) underline. Its reuse for purposes other than those justifying its processing, transaction and crossing, together with the development of the use of algorithms (so-called “artificial intelligence” techniques), has made it necessary to reinforce the uniform guarantees of citizens, owners of personal data, increasingly digitized.

It is necessary to create a legislative framework that will allow the development of the digital single market, where personal data will necessarily circulate within the limits and guarantees intended to be effective with Article 8 CFREU and with Article 16 TFEU, which retakes the programmatic formulation of the fundamental right in paragraph 1: “Everyone has the right to the protection of personal data concerning them”.

In summary, and as stated in Recital 6 of the GDPR, “rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data”.

3. In the context of European integration, the importance of an effective uniform regime for the protection of personal data – a system that is capable of dealing with technological advances and, at the same time, concretizing the fundamental right enshrined, directly and autonomously, in Article 8 CFREU – must also be observed and understood in the light of the meaning and objectives which, in the end, have guided the deepening of integration.

As the goal of building a solid Internal Market was achieved, the “engine” of deepening integration began to gradually focus on building effective European citizenship. In a way, the Union, this kind of ‘unidentified political object’, according to the expression of Jacques Delors, no longer has prejudices regarding the assumption of its nature and its political yardstick (political Union). To a certain extent, the priority focus of the institutions is no longer the construction of the Internal Market (basically achieved), in order to concentrate on the citizen, regardless of his or her quality or “clothing” as an economic or consumer agent.

Freedom of movement was affirmed and guaranteed, initially through the case law of the CJEU, as a freedom of personal movement, independently or in addition to freedom of movement. Social intervention, inherent in the affirmation of European citizenship (being still and above all a “citizenship of rights”), has become one of the concerns of the action of the Institutions. A certain return to some ordoliberal views was reaffirmed as a way to mitigate the hardship of a construction focused solely on the market and economic competition: with the Lisbon reform, the TEU expressly associates the Internal Market with a “highly competitive social market economy, aiming at full employment and social progress” – Article 3(3) TEU.

With this note I want to affirm that today, in the context of the European Union’s affirmation as a Union based on the rule of law, the importance and attention given to the effectiveness of this fundamental right to the protection of personal data is not justified only by the pressure of the technological times in which we live and by the progressive emergence of a homo digitalis. Upstream, the increasingly (more or less) political sense of deepening integration, the priority placed on the construction of European citizenship (Articles 20 and 21 TFEU) and the reinforcement of an extra-economic integration dimension have favoured the development of a culture of fundamental rights. The Internal Market and the application of economic freedoms initially served as a pretext for the jurisprudential construction of a dogmatic and European personalist culture of Fundamental Rights; but nowadays, more and more, the strengthening and deepening of the Internal Market (of integration) develop themselves according to a teleology of protection of fundamental Rights, inseparable from the densification of European citizenship.

We can reasonably say that the referential paradigm of the Internal Market in the Union is nowadays a market where citizens (Europeans) are moving and circulating, who are also, incidentally, economic agents and consumers.

4. Since January 2012, the Institutions of the Union have been promoting the need to undertake a revision / reform of the legal framework for the protection of personal data by updating the system established by the Directive of 1995 (Directive 95/46/EC). Moreover, the fragmentation of national systems resulting from the various transpositions of the Directive was one of the causes which, to a certain extent, technically and from the point of view of legal certainty and uniformity, also justified this need for reform[ii]. Therefore, it was always clear that the intention was to move ahead with a Regulation (henceforth standardizing) repealing and replacing that Directive.

The “new” GDPR becomes the central element of a real reform of the regime in terms of personal data protection – reflecting this reform, the (now added) concerns of reconciling the necessary competitiveness and flexibility of business/economic agents with strengthening effective protection of fundamental rights. A complex conciliation and necessarily always dependent on casuistic circumstances as well. An equation that seeks to optimize a culture of citizenship and the protection of individual freedom (reserve and domain of one’s privacy), while contributing to (at least not preventing) economic efficiency and the inevitable development and deployment of the digital economy. To some extent, a real “revolution”, with a view to placing Europe at the forefront of technological development, economic growth and competitiveness provided by the “digital economy” wave, but at the same time ensuring that European citizenship, personhood and fundamental rights are the watermarks of Europe and of integration.

[i] The expression has already begun to be used regularly, as a synonym for literacy / knowledge and dependence in relation to the New Information Technology that, more and more, we have in our daily lives. See, for example, NATASHA SAXBERG – «Homo Digitalis». How the Human Needs Support Digital Behavior For People, Organizations and Societies, Friis & Saxberg (edition), 2015.

[ii] In this regard, Recital 9 of the GDPR states: “The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC”.

Picture credits: Regulation…  by TheDigitalArtist.

The author is part of the Jean Monnet Project “INTEROP – EU Digital Single Market as a political calling: interoperability as the way forward”.
