After one year, many people make evaluations, while others forecast or organise events. My purpose is not celebratory but purposeful and prodromal: what are the aspects concerning the protection of personal data on which it would be appropriate to reflect and which deserve further investigation?
One of the most relevant aspects is undoubtedly the “awareness” that it means “to have exact consciousness about himself”. Among the principles laid down in the GDPR, the “accountability” (art. 5, paragraph 2) is the central pillar. The data controller or the data processor who has to respect the “accountability” principle must necessarily be aware of “having a perfect consciousness about himself” on the knowledge of the GDPR rules and principles. It is not about a purely technical-juridical knowledge that would favour the jurist in the application of the laws. Reading the GDPR often goes beyond the qualification of the rules of conduct that are part of the legal system: there is much more over. We cannot ignore the fundamental rights provided for by the European Charter and by the Convention 108 plus.
On May 18, 2018, the Council of Europe adopted a Protocol to amend the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. In the amended version of the Convention, we read:
“Considering that it is necessary to secure the human dignity and protection of the human rights and fundamental freedoms of every individual and, given the diversification, intensification and globalisation of data processing and personal data flows, personal autonomy based on a person’s right to control of his or her personal data and the processing of such data; Recalling that the right to protection of personal data is to be considered in respect of its role in society and that it has to be reconciled with other human rights and fundamental freedoms, including freedom of expression; Considering that this Convention permits account to be taken, in the implementation of the rules laid down therein, of the principle of the right of access to official documents; Recognising that it is necessary to promote at the global level the fundamental values of respect for privacy and protection of personal data, thereby contributing to the free flow of information between people”.
We assume that there is the needing to move the attention to higher levels concerning the qualification and application of the laws. We should attribute the right importance to the values of human dignity, the protection of human rights and the fundamental freedoms of every individual, respect for the role of the individual in society, freedom of expression, promotion of the fundamental values of respect for privacy and protection of personal data. It, therefore, emerges that we must consider values connected ontologically to the natural person, even before complying with the GDPR or national or international standards.
Awareness is, therefore, the result of a path of formation that culminates with the assimilation of the paramount values belonging to the natural person and, at the same time, it becomes the starting point for a balanced and profound knowledge of the issues concerning the protection of personal data.
Awareness, in the formation process, shapes and develops a consciousness that conforms to the principles indicated above. It is not a moral conscience because the principles are codified in the laws and this constitutes the added value for the formation of structured and broad knowledge, capable of contributing to the self-determination of the subject in the choices related to the protection of personal data.
Awareness also implies references to ethics and hence the formation of an ethical conscience, especially about the protection of personal data.
Being able to acquire awareness as described before contributes to the formation of an ethical conscience that allows being able to apply the rules on the protection of personal data correctly. The application of the laws without fundamental rights awareness and conscience, on the contrary, constitutes an unconscious and therefore sterile fulfilment regarding the values belonging to the natural person. Addressing the issue of personal data protection without having gained the value and importance of the “person” value could entail the risk of trespassing into technicality and debasing human dignity. Dealing with digital issues about personal data, we should not take the risk of considering the person (just) a sequence of bits.
Artificial Intelligence (AI), Robotics, Blockchain cannot be addressed ignoring the value of the natural person also because we always should bear in mind the principle laid down by the article 25 of the GDPR, namely Data Protection by design and by default.
Nowadays, we read about analysis of big data especially related to personal data carried out by algorithms developed probably without considering the principle “Data Protection by design and by default”. Actions and processes carried out, hence, without any basis of awareness or ethical conscience are detrimental to each natural person. In fact, in this way, the data subject does not have any control over his or her personal information, precisely contrary - for example - to what laid down by the modernised Convention 108 (where we read “based on a person’s right to control his personal data and the processing of such data”). In conclusion, we hope people adopt an approach to the GDPR much more oriented to the value of human dignity and of the natural person, considering fundamental the awareness and the path of formation of a conscience geared to data protection.