Direito e Informação na Sociedade em Rede: atas

data collection, tracking and profiling allowed by the growing capacities of technologies portray the big data phenomenon as a defining moment in ICT uses and their aftermaths for both individuals and society. Definitely, the spread of big data is changing the relationship between a person and the data about him or her, as the notion that data protection is designed to empower the individual by giving him/her rights to control the processing of his/her data looks increasingly illusory (Colonna, 2014, p. 299). These developments look especially problematic in view of the upgrading of data protection to the rank of a fundamental right by the Treaty of Lisbon (Article 16 of the Treaty on the Functioning of the European Union) and the Charter of Fundamental Rights (Article 8). This move opened up the expectation that the balancing of the right to personal data protection with market freedoms would lean towards the former by means of heavier constraints on rights restrictions (Gonçalves, Gameiro, 2014, p. 21 ff). Indeed, current trends in personal data uses increase the imbalance between large corporations and consumers, as the Article 29 Data Protection Working Party admitted³⁶. What’s more, the GDPR itself endorses the move towards personal data appropriation and control by the operators by means of risk-based approaches and self-regulation, as will be shown below. At the end of the day, the issue is how legislation could possibly be construed so as to respond more adequately to the challenges for data protection.

4. The turn to risk-based and self-regulatory approaches

At the end of the day, the recognition of the difficulty of applying key data protection principles to the big data context, although not openly assumed, may explain the leaning of the EU legislator on allegedly “more realistic” approaches to protect personal data, i.e. risk-based and self-regulatory approaches (Zanfir, 2014, p. 237 ff; Lynskey, 2015, p. 81 ff).
Let’s recall that some major innovations have been introduced by the GDPR in this direction, i.e.: the data protection impact assessment; the prevention of ex-post misuse of data through prompt notification of data breaches; and the "right to be forgotten"³⁷. Let’s start with Article 33 GDPR’s command that data controllers and processors carry out a data protection impact assessment “prior to risky processing operations”. The data protection assessment procedure looks instrumental to the implementation of technical and organisational measures that the data controllers are due to apply in order to comply with the GDPR, and be able to demonstrate it (so-called privacy by design and privacy by default) (Articles 22 and 23). In so doing, the data controllers are due to have regard not only to the state of the art of technologies, but also to the cost of implementation (Article 23), which may actually widen the

³⁶ Article 29 Data Protection Working Party, Opinion 03/2013 on Purpose Limitation.
³⁷ Recital 53 and Article 17 GDPR.