Direito e Informação na Sociedade em Rede: atas Direito e Informação na Sociedade em Rede: atas | Page 59

1. Introduction Law is often perceived as a reactive institution, which lags behind technological advances (Moses, 2007, p. 269). Generally speaking, European law addressing Information and Communication Technologies (ICT) appears to counter this belief1. An illustration is Directive 95/46/EC, the Data Protection Directive 2. Today, as the first broad reform of the EU data protection legislation is being achieved, EU institutions keep their ambition to remain “the global gold standard in the protection of personal data", even feigning to anticipate foreseeable impacts of ICT on this matter3. Yet, notwithstanding the confident discourse of EU institutions, a closer examination of the current reform raises scepticism about its ability to safeguard data protection principles and rights effectively in the face of evolving data processing techniques such as those underlying “big data”. One might wonder, however, whether these uncertainties should be attributed to a specific difficulty of the law to cope with technological progresses or rather to the policy choices embedded in the novel General Data Protection Regulation (GDPR) itself. In this article, we will examine key features of the evolving data protection legislation in the light of implications of big data technologies. We will then address the novel regulatory approaches introduced by the GDPR, relying on risk assessment and management and on self-regulation, and seek to understand them in the light of a “law-technology lag” versus a “law-technology driving” perspective, meaning a policy whereby law is deliberately used as a means to foster technological innovation. 2. The data protection reform and big data technologies As we write, the General Data Protection Regulation (GDPR) put forward by the European Commission (EC) in January 20124 has been approved following five years of intense negotiations (De Hert, Papakonstantinou, 2016)5. 1 The European Community, now the European Union (EU), has played a pioneering role in the legal regulation of ICT uses since the 1990s. European institutions did respond promptly to technological advances when adopting the directives on the legal protection of computer programmes (1991, revised in 2009), on the legal protection of databases (1996) or on e-commerce (2000), for example. 2 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 3 “By the 10th European Data Protection Day, we are confident that we will be able to say that the EU remains the global gold standard in the protection of personal data”. European Commission Statement, “Vice-President Ansip and Commissioner Jourová: Concluding the EU Data Protection Reform is essential for the Digital Single Market”, Brussels, 28 January 2015, (last accessed 18.03.2016). 4 Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11 final, Brussels, 25.01.2012. 5 Following political agreement reached in trilogue in December 2015, on 8 April 2016, the Council adopted its position at first reading, which paves the way for the final adoption by the European Parliament at its plenary session in April. The regulation is likely to enter into force in spring 2016 to be applicable as of Spring 2018. http://www.consilium.europa.eu/en/policies/data-protection-reform/data-protection-regulation/ (last 47