“Why is privacy a problem and not an opportunity?”, The 6-point answer

by admin

Among the many controversies raised by the case of the Lazio Region, there was bound to be one on the negligent protection of citizens’ “privacy”. This incident, it is said, proves wrong those important institutional figures who had recently taken issue with the paralyzing attitude of the regulation on the protection of personal data with respect to the need to pursue purposes of collective interest, such as the fight against tax evasion or the management of the pandemic.

These criticisms had already aroused the indignant (and in several cases, interested) reaction of those who consider “privacy” a kind of super-right before which all others, including those of the community, must take a step back. This is not the case in general terms (the Constitution establishes in several articles the possibility of compressing fundamental rights) and in particular not for “privacy”, which does not even exist as an autonomous right.

If anything, we should discuss personal data protection, which is a different and much broader concept. And most importantly, we should also ask ourselves whether the interpretation of the rules that the Guarantor of personal data has decided to support, based essentially on the precautionary principle, makes sense from a cost-benefit perspective.

What could appear as a purely academic question has, in reality, an extremely significant concrete impact because – depending on the operational approach – inertia can be produced without a real increase in the protection of citizens’ rights, or an effective level of protection can be achieved without unnecessarily compressing the activity of institutions and companies.

To analyze the first profile, let’s go back to the case of the ransomware that infected the data of the Lazio Region.

As paradoxical as the statement may seem, if the theme is to “protect privacy” (and if it is true that, as publicly stated, the data has not been exfiltrated), then it is clear that the ransomware did no harm. If, on the other hand, as the law dictates, the issue is to guarantee the availability and integrity of data, then the attack creates a problem of non-compliance with the law and, in more substantial terms, of damage to citizens due to negligence of various kinds that is inherently inexcusable. It should be remembered, in fact, that since the time of the Community directive that preceded Regulation 679/16, the responsibility for the processing of data has been subject to a regime similar to that of the management of nuclear power plants.

However, and let’s move on to the second point, the (rightly) high responsibility of those who process personal data does not justify the choice of applying a precautionary principle in the name of which to “block” or “prohibit” in advance, without using objective metrics to identify the acceptable risk threshold and to verify, in practice, what the cost-benefit ratio of the processing is (a fundamental issue, for example, in the field of medical-scientific research).

In other words, the flexibility of application allowed by the EU regulation, which would have guaranteed a differentiated application according to the nature of the data, the processing and the public interest, has been transformed into the unilateral application of an ideological vision that produces paralysis.

Although complex, this reasoning can be summarized in the following six points:

1 – The GDPR protects all fundamental rights, not just “privacy”

The GDPR (Article 2 paragraph I) regulates the processing of personal data so that the fundamental rights and freedoms of individuals are protected and the free circulation of personal data is guaranteed. This means that the rule applies to all cases in which an individual’s right is compromised through the misuse of his data. For example, cases such as “crazy records”, damages suffered by a patient due to errors in filling out medical records, or the unavailability of a (public) service due to unavailability of information (the various “blocks” of institutional sites during click-days or due to more or less foreseeable incidents) are “covered” by the GDPR.

2 – The protection of personal data is different from “privacy”

Although the current narrative has equated the protection of personal data with privacy, this equivalence is incorrect.

Apart from the fact that the GDPR does not contain the word “privacy” or equivalent at all, the two terms express different legal institutions and two non-overlapping areas of protection.

Without going into the complex issue of defining “privacy” (that is, whether it is an autonomous right or an umbrella word that encompasses various constitutional safeguards), it is legally established that “privacy” is one of the rights protected by the GDPR and not the only one.

3 – The protection of personal data is a right-means

The previous paragraph allows us to conclude that the protection of personal data is a right-means with respect to the protection of a right-end. As such, the protection of this right is subject to a judgment of balance between competing fundamental rights but, above all, in relation to the duties of the State to guarantee its free exercise. In other words, the right to the protection of personal data is not a “super right”.

4 – The GDPR must be applied by balancing the rights at stake and according to concrete dangers instead of a paralyzing precautionary principle detached from concrete evidence

The crucial aspect of the application of the GDPR lies in two other structural choices historically adopted by the National Data Protection Authority.

The first is to focus exclusively on the “privacy” issue (and in fact, the Authority can be reached online via the garanteprivacy.it domain), thus adopting a unilateral reading of the legislation on the protection of personal data.

The second is to interpret the rules on the basis of a precautionary principle that is independent of the damage caused to the natural person, or at least of that person’s exposure to a concrete danger. Conversely, the Court of Cassation has often reiterated that even in the matter of processing personal data, the damage suffered by the data subject must be concretely demonstrated. We are therefore faced with a paradox: the compensatory protection of the right to the protection of personal data requires proof of damage, but failure to comply with the GDPR is sanctioned even if there are no consequences for the data subject, similarly to purely formal violations of tax law.

Furthermore, the precautionary principle is applied without reference to metrics or data that would allow an effective evaluation of the balance between the need to process certain data in a certain way and the consequences for the rights of the data subject.

5 – It is possible to apply the GDPR in a flexible way, favoring ex post controls over strict ex ante requirements

The GDPR can be interpreted flexibly because it is structured in such a way as to leave the individual subjects who process data the right to make choices in full autonomy provided they document the rationale and allow the authority to evaluate it.

Consequently, nothing would prohibit an approach to the GDPR that favors the ex post control phase rather than preventive imposition and across-the-board obligations that apply regardless of their rationality or reasonableness with respect to the specific case. This is especially true when the need and urgency to manage, at the organizational level, circulation instruments such as the Green Pass necessarily require privileging the collective interest of the protection of public health over a potential and unproven danger for the single individual.

6 – The transfer of (personal) data to the USA is a constituent element of the industrial models of the software sector and it is not acceptable to sanction it selectively

Another element often stigmatized by the Guarantor is the sending by computer and smartphone software of a series of data to servers located in the USA or in any case outside the EU.

This way of operating software is an IT market standard. Decentralized models, which require the terminal to interact with a server, have various functions, from identifying the user to verifying the existence of intellectual property rights, to collecting data for technical analysis. Obviously, the data collection is also aimed at behavioral or profiling analyses.

If this way of designing services and products so that they communicate data outside the EU violates the GDPR, then this violation must always be contested and not only in specific cases.

In conclusion

  • The right to the protection of personal data is different from “privacy” (which is not even mentioned in the GDPR).
  • The GDPR, which protects not only privacy, must be interpreted in such a way as to favor the circulation of personal data by balancing the rights of the individual and the latter with those of the community.
  • The concrete application of the GDPR is based on a precautionary principle, unsupported by data-based evidence, that unilaterally makes “privacy” prevail over other individual rights and those of the community.
  • A more flexible application of the GDPR is possible, which favors ex post controls instead of imposing preventive obligations detached from specific and concrete needs.
  • The application of this formal vision of the standard has the direct consequence of generating organizational inertia, uncontrollable costs, lower efficiencies and, in essence, less protection for individuals and their rights.