New rules of the game in the network of networks, changes, behaviors, scope and details.
By Osvaldo Gallegari*
At present it is very difficult to keep personal and private information safe, since simply by a friend who disseminates this information after 8 hours goes around the globe. The issue is that this information reaches a certain audience and remains there, which is far from what is desired by the exposed user, the scopes may be unimaginable or unexpected.
Fortunately, society in general, except for scientists or specialists with particular gifts, can keep this news or fact in force.
Such is the case that emerged in the 2018 World Cup in Russia, where some people played with the language by playing bad jokes in home videos, which went viral globally in a matter of hours, becoming the first covers of newspapers with global reach, which seems to be their new way of giving information.
This generated collateral effects for these people upon returning to their country, for example the customers of one of these subjects stopped attending their trade due to the rejection effect produced by such a joke.
Now, after two months of the event no one remembers the fact in a reliable way, a vague notion that it was the same and contrary to the initial effect inspires in its clients a greater curiosity seeing what happened as something of importance, the factor of this is the diffuse memory in the collective memory.
Nothing that goes viral remains valid if people or media remember it daily, there is a very famous phrase on television that is "no one resists a file".
On the other hand, people exercise a certain narcissism or fetishism when filming videos of their own, it is the effect of popularity that attracts them to do so. Collateral damage can be unthinkable.
New European Data Protection Regulation
With the introduction of the amendments to the European data protection rules, we document information from one of its partner countries, Spain.
10 main novelties of the new European Data Protection Regulation
1. New principles
Art. 5 of the GDPR contains the list of principles to be taken into account in the processing of personal data.
Some of them were already foreseen in the LOPD, but new ones are added.
Principle of Transparency
"Personal data will be treated in a lawful, loyal and transparent manner in relation to the interested party."
This principle focuses on facilitating relations between the data controller and the data subject, as well as between the data controller and the supervisory authorities.
Its materialization entails an important change, since the obligation to notify and register the files containing personal data before the control authority disappears.
In the new GDPR, a "Record of Processing Activities" has been defined.
This registration will be carried out internally and will contain, among others, the following data:
- name and contact details of the controller
- name and details of the Data Protection Officer
- purpose of the processing
- description of categories of the data subject
- description of categories of data processed
- international data transfers
- Principle of purpose limitation
"Personal data will be collected for determined, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes (...).
These explicit and legitimate purposes must be determined at the time of data collection.
Data minimization
"Personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
In the golden age of Big Data, this principle obliges us to apply the appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each of the specific purposes of the treatment are processed (Article 25.2).
2. New citizens' rights
The Organic Law on Data Protection established 4 rights for interested parties: Access, Rectification, Cancellation and Opposition (known in Spain as ARCO rights).
- Extension of Rights
- Right to transparency of information, (art. 12)
- Right to erasure (right to be forgotten), (art. 17)
- Right of limitation, (art. 18)
- Right of portability, (art. 20)
Due to its important practical consequences, we analyze in more detail the right to be forgotten and the right to portability:
Right to be forgotten
The new GDPR states that anyone will have the right to have their personal information deleted from internet service providers whenever they wish, as long as whoever owns that data has no legitimate reason to retain it.
It also obliges those responsible for the data that have disseminated the information to third parties to inform them of the obligation to delete any link to the published data, as well as to delete any copy or replica of said data.
Its objective is to eliminate from the network and search engines any trace of the data of the person who wants to be "forgotten" definitively.
Right to portability
The new GDPR provides for the possibility of transmitting data from one controller to another, so that the data subject will have the right to have personal data transmitted directly where technically possible.
A common example is when an individual wants to change telecommunications operator or electricity company: portability allows the personal data of the individual to be transferred directly to the new chosen company, in an agile and simple way for the end user.
In addition to incorporating these new rights, the GDPR also requires that visible, accessible and simple language procedures be created to facilitate the exercise of their rights by the data subject. It must also be possible through electronic means as indicated in Recital 59.
3. Extension of the duty to provide information
Our current legislation establishes that when collecting the consent of the interested parties, they should be informed of the person responsible for the file, of the existence of the files registered in the General Registry of Data Protection, of the purpose of the collection of the data and of the possibility of exercising the ARCO Rights.
Since May 2108, in addition to these data, the Regulation requires the obligation to report on new aspects:
- The legal basis for data processing has to be explained
- The retention period must be reported
- You should inform about the possibility of making claims
- You must be informed of the other rights that the new GDPR incorporates
4. Obtaining consent for data processing
The current LOPD requires the unequivocal consent of the interested parties for the processing of their data. However, if the data collected is not particularly sensitive (such as biometric data), it is accepted that such consent may be tacit.
The GDPR will maintain the same principles of consent established by the LOPD, requiring free, informed, specific and unequivocal consent.
However, as a novelty with respect to the LOPD, the new GDPR indicates that in order to consider that the consent is unequivocal, there must be a declaration from the interested party or a positive action that expresses their agreement.
Important note
Silence, boxes already ticked or inaction shall not constitute proof of consent
On the other hand, other important developments is in relation to the processing of data of minors.
In Spain, the LOPD establishes, with legal exceptions, the possibility of collecting personal data from people over 14 years of age without the need to obtain the consent of their parents.
From May 2018, information society services may not be offered to children under 16 years of age without the consent of their father or legal guardian, unless a national law establishes a lower age, which in no case will be less than 13 years.
Do I have to obtain explicit consent from existing customers under the new GDPR?
One of the aspects that is causing more debate is the way in which the consents of customers or users obtained prior to the entry into force of the new European Data Protection Regulation will be regulated.
In this sense, the new GDPR is categorical: if the consent was not clearly identified or was based on tacit forms or by omission, it must be requested again.
It will have to be taken into account, because the processing of data without the consent of the users is understood as a very serious infringement according to the new regulation.
Conclusion Part I
In America in general, these changes are reflected and often forced by websites of international origin, which display pop-ups with notices of the use of cookies on their pages.
Although social networks are current markers of trends lately they have had an important retraction as is the case of Facebook® when personal information is known to be stolen by intelligence agencies, something close to the obvious but with the latest complaints in presidential elections individual protection took effect. Also as we have commented in previous articles there is a great distance between the people who manage the networks and ordinary people. If someone discusses, for example, a leak on Twitter ®, they have to apply very expensive resources to raise information to justice.
One of the factors that drove the European Community was the hegemony of the Google search engine with respect to the partiality or not in the search results, which made us fear a direction in the positioning of the market, a struggle of powers and government between: where is the information, who sees it and who consumes it.
Also Europe to stop the monopoly of search engines set a legal precedent in the large network of networks, although it did not stop there was a considerable brake, simply with seeing a large number of companies adopt the position of "Cover" by indicating that their site has "Cookies" which could collect your personal data, the good thing is that before it was done and they did not inform it and now they say it and they do it.
In part II we will see the following topics Obtaining consent for the processing of data | Establish security actions and measures|. Impact assessment of the processing of personal data | Communication of failures to the data protection authority | The Figure of the Data Protection Delegate | Data protection authorities
Glossary of abbreviations:
LOPD: Organic Law on Data Protection
GDPR: General Data Protection Regulation
The sites, information and products mentioned are registered sites and products of their own authors, information is reflected from reliable sites with wide reputation.
*For more information contact the author of these articles write to [email protected]
Leave your comment