Direito e Informação na Sociedade em Rede: atas Direito e Informação na Sociedade em Rede: atas | Seite 67
data collection, tracking and profiling allowed by the growing capacities of
technologies portray the big data phenomenon as a defining moment in ICT uses and
their aftermaths for both individuals and society.
Definitely, the spread of big data is changing the relationship between a person and the
data about him or her, as the notion that data protection is designed to empower the
individual by giving him/her rights to control the processing of his/her data looks
growingly illusory (Colonna, 2014, p. 299).
These developments look especially problematic in view of the upgrading of
data protection to the rank of a fundamental right by the Treaty of Lisbon (Article 16
of the Treaty on the Functioning of the European Union) and the Charter of
Fundamental Rights (Article 8). This move opened up the expectation that the
balancing of the right to personal data protection with market freedoms would lean
towards the former by the means of heavier constrains on rights restrictions
(Gonçalves, Gameiro, 2014, p. 21 ff). Indeed, current trends in personal data uses
increase the imbalance between large corporations and consumers, the Article 29 Data
Protection Working Party admitted36. What’s more, the GDPR itself endorses the
move towards personal data appropriation and control by the operators by means of
risk-based approaches and self-regulation, as it will be shown below.
At the end of the day, the issue is, how legislation could be possibly construed
so as to respond more adequately to the challenges for data protection.
4. The turn to risk-based and self-regulatory approaches
At the end of the day, the recognition of the difficulty to apply key data
protection principles to the big data context, although not openly assumed, may
explain the leaning of the EU legislator on alleged “more realistic” approaches to
protect personal data, i.e. risk-based and self-regulatory approaches (Zanfir, 2014, p.
237 ff; Lynskey, 2015, p. 81 ff).
Let’s recall some major innovations have been introduced by the GDPR in this
direction, i.e.: the data protection impact assessment; the prevention of ex-post misuse
of data through prompt notification of data breaches; and the "right to be
forgotten"37.
Let’s start with Article 33 GDPR’s command that data controllers and
processors carry out a data protection impact assessment “prior to risky processing
operations”. The data protection assessment procedure looks instrumental to the
implementation of technical and organisational measures that the data controllers are
due to apply in order to comply with the GDPR, and be able to demonstrate it (socalled privacy by design and privacy by default) (Articles 22 and 23). In so doing, the
data controllers are due to have regard not only of the state of the art of technologies,
but also of the cost of implementation (Article 23), which may actually widen the
36
37
Article 29 Data Protection Working Party, Opinion 03/2013 on Purpose Limitation.
Recital 53 and Article 17 GDPR.
55