GDPR literally established a new field of law. For the first time ever, personal data protection has become more than a formal obligation. Such effect may seem positive. But is it really? Do we not witness situations, where a company is subject to proceedings about non-GDPR-compliance from absolutely formal reasons? Do we not witness situations, when a human`s dignity is clearly attacked, but in a GDPR-compliant (strictly formally) way?
For the first time ever, privacy has become the topic. Because personal data protection is nothing, but a part of tools to secure everyone`s privacy. However, the real effect is different. Anyone, subjected to GDPR, focuses on being GDPR-compliant. Regulators started to control the formal harmony between the processes established at data processors and the regulation. And even legal specialists started to claim there are two areas of law to focus on - personal data protection on one side and privacy protection on the other.
Inconspicuous, the threat starts to be visible more and more. Personal data processors are forced to implement rules required by GDPR. And by doing so, they consider this part of their social responsibility fulfilled. With no real concern about the privacy. Which, by virtue of the existing regulation, is but another topic. This is the reason, why we do have such a hard time with social networks. They hire professionals on personal data protection, but have no legal motivation to hire professionals on privacy protection. Even few months after GDPR, we can see the replies to privacy intrusion inquiries, such as - but we are GDPR-compliant.
In practice, it is much harder to enforce the right not to be compromised in privacy than the right to be provided with relevant information about personal data processing (which, seen isolated, has no value). In practice, GDPR is becoming an argument for privacy intruders rather than for the privacy-intruded. From the legal viewpoint, it is absolutely crucial to delete the division between personal data and privacy. To support the fact that personal data protection is but an instrument to achieve much higher goal- to protect one of the most sainted rights of human beings - the privacy. To make sure any court will, at the final stage, only punish personal data protection failure, if it threatens privacy, and on the other hand - not leave unpunished any formal application of GDPR, affecting privacy.
Not to sound too negative -there are GDPR interpretations, not supported by the regulation itself directly, but by the main purpose (privacy protection), published by regulators, providing for at least a small amount of optimism. One of the greatest examples being the “mobile phone” issue. Mobile phone number does not necessarily allow the processor to identify the data subject. But - disposal of the number opens the ability to reach “even anonymous” person to his/her most intimate zone, anywhere and anytime. Such interpretation was presented by European regulators and represents a drop of hope that GDPR does not become a topic per se. That it will always be considered a part of the main issue - the privacy. Because, otherwise, GDPR could become the greatest excuse to privacy intruders, and thus, much more sincere threat to privacy than police tapping, etc.
Article provided by: Tomáš Nielsen (NIELSEN MEINL advokátní kancelář, Czech Republic)