Author: Natia Gelashvili
This essay was originally published in the collection of essays prepared within the scope of the project funded by the Internet Society.
1. Introduction
According to the opinion expressed in the literature, in the Internet space people do not appear as consumers, but as products.[1]
Such an assertion is based on the fact that any online activity, such as the use of social networks, the marketing activities of companies or the use of various types of services, is entirely based on the processing of individuals' data. In reality, it is vital to have a legislative and practical lever that frames the exchange of individuals' personal data and ensures that this process does not become excessive, illegitimate and degrading. For this purpose, in 2016 the European Union authorities developed a legal document that is mandatory for the member states to comply with, known as the General Data Protection Regulation, or GDPR.[2]
It is noteworthy that the latter is not the first legal act in the European Union aimed at personal data protection; however, compared to its predecessors, the GDPR strengthened data protection guarantees and data subjects' rights, increased the transparency of data processing, created a new governance system and equipped the relevant authorities with broad powers of enforcement and supervision.[3]
The aim of this essay is to review the general aspects and features of the mentioned regulation and to determine its role in personal data protection. In this publication, we will also analyze the impact of the GDPR on Georgia, as a state involved in the European integration process.
2. The essence of the General Data Protection Regulation
As mentioned above, the development of the text of the General Data Protection Regulation was completed in April 2016, although it acquired legal force in May 2018. From the outset, it should be emphasized that, unlike the previous Directive 95/46/EC,[4] the GDPR is characterized by direct effect, i.e. its requirements apply directly in the member states. In general, a regulation, as a specific type of source of EU law, does not require additional implementation in local legislation and takes its place among the legal norms of the member states, while a directive is mandatory for implementation at the level of the main principles embedded in it.[5]
The GDPR only concerns the protection of the fundamental rights of living humans in the processing of their personal data.[6] For the purposes of the Regulation, such processing may be carried out by automated or semi-automated means, as well as by non-automated means in relation to personal data that form part of a filing system or are intended to form part of one.[7] It should be noted that the requirements of the GDPR do not apply to the processing of data in the course of a purely personal or household activity.[8] Such activities include keeping personal records and diaries that contain personal information about other persons, family albums, photos and videos, correspondence, and the data subject's own activity on social networks (in which case the obligations still apply to the provider company), among others. The regulation clarifies that activities with commercial or professional goals, however small in scale, should not be considered personal or household activities.[9] Cases of personal data collection for criminal law and national security purposes are also outside the scope of the General Data Protection Regulation.[10]
As for the concept of personal data itself, the regulation interprets it similarly to Directive 95/46/EC and includes any information relating to an identified or identifiable person. The processing of such data (i.e., any operation performed on it, such as collection, recording, organization, dissemination, erasure, etc.) must be carried out on the basis of the relevant prerequisites and in compliance with specific principles.
The GDPR comprehensively lists the principles of data processing.[11] These are:
Lawfulness, fairness and transparency of data processing - It is worth emphasizing that transparency as a principle of data processing was not known in the previous document and is an innovation in EU data protection law. This principle requires that any information related to personal data processing is easily accessible, understandable and conveyed in plain language to the relevant data subject. This obligation exists even when the addressee is a wider group of society (e.g., information on the manner and conditions of data processing posted on individual websites, which the user must confirm by ticking the appropriate box, is a manifestation of the principle of transparency).
Purpose limitation - data must be processed only for a specific, clearly defined purpose, and processing may not deviate from the original purpose.
Data minimization - personal data must be processed only to the extent necessary to achieve the intended purpose; the information should be adequate and relevant.
Storage limitation - it is not allowed to store data in a form that identifies the data subject for longer than the period necessary to achieve the intended purpose.
Accuracy - data must be accurate and updated as necessary, and erroneous information must be erased or rectified.
Integrity and confidentiality - this principle is also a novelty of the GDPR. The previous document did dedicate a special chapter to these issues, combining a number of data protection matters such as the need to use technical and organizational means for data protection and to limit unlawful access; however, security and privacy as a principle is an innovation of the GDPR in EU law. It implies the obligation to take proactive measures so that data protection is not put at risk, whether intentionally or negligently.[12]
Accountability - the person processing the data is responsible for ensuring compliance with the above-mentioned principles when performing any operation on the data.
Along with the principles of personal data processing, the GDPR also exhaustively lists the relevant legal grounds, which are identical to the prerequisites established by other legal acts. In particular, data can be processed with the consent of the data subject; in order to perform a contract with the data subject or to fulfill a legal obligation; to protect the vital or legitimate interests of individuals; and in the public interest.[13]
The regulation, like previous documents, enshrines important rights of the data subject such as the right to be informed, access to one's own data, rectification and erasure of data ("right to be forgotten"), restriction of processing, the right to data portability, etc.[14] However, the GDPR has devoted a special chapter to the regulation of these issues, detailing the scope of these rights and the manner of exercising them.
3. GDPR as an innovation
As outlined in the previous chapter, the regulation continued along the original path of personal data protection; however, it also introduced a number of innovations that improved the culture of data protection. Among the issues discussed above, it is worth noting the direct effect of the GDPR itself, which no longer imposes on member states the additional burden of developing local data protection legislation and thus insures against the risk of differing interpretations of the spirit of European Union law. On the other hand, the changes made in the chapter on principles and the legal empowerment of data subjects are progressive. In addition to the above, the GDPR has introduced a number of innovative approaches. Let us discuss each one:
Consent of a minor
As mentioned above, one of the grounds for personal data processing is the data subject's consent. The regulation established a special rule for cases concerning the personal sphere of a minor. When an offer is addressed directly to a minor, data processing on the basis of his/her consent is permitted only if he/she has reached the age of 16. Processing the data of adolescents under 16 requires the consent or authorization of a person with parental responsibility. States may also set a lower age limit, but not lower than 13 years.[15] Such a solution stems from the spirit of special protection of children, as they are less aware of the risks and consequences of data processing.[16]
Data security
The GDPR introduced pseudonymization and encryption as measures to protect data security. Pseudonymization implies the obligation to process personal data in such a way that, without additional information, it is impossible to link the data to a specific individual. This additional information, the so-called "key", is stored separately and protected from unauthorized access. Pseudonymization and encryption should be applied taking into account the purpose, scope and nature of the data processing. The introduction of these security measures is explained by the fact that organizations are obliged to assess and minimize the risks posed to data; although no organization can accurately foresee every possible threat, the pseudonymization and encryption mechanism remains a kind of guarantee against real risks.[17]
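The following example, added here as an illustration and not part of the original essay, shows in Python how the separation described above works in practice: the working dataset carries only pseudonyms, while the key and the re-identification table live in a separate, access-controlled store. It also contrasts keyed pseudonymization with unkeyed hashing, which can be matched against guessed identifiers and therefore does not meet the "no linking without additional information" requirement. All records, names and the KeyStore class are constructed for this example.

```python
"""Pseudonymization with a separately held key (added illustration).

The dataset handed to analysts contains only 'subject_id' tokens; the key that
produced them and the token -> identifier map are held in a separate store,
which plays the role of the GDPR's separately kept 'additional information'.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample records; not real people.
RECORDS: List[Dict[str, str]] = [
    {"email": "ana@example.ge", "city": "Tbilisi", "purchase": "book"},
    {"email": "giorgi@example.ge", "city": "Batumi", "purchase": "laptop"},
    {"email": "ana@example.ge", "city": "Tbilisi", "purchase": "pen"},
]


class KeyStore:
    """Stand-in for a separately protected secret store (vault, HSM, separate DB).

    Holds the pseudonymization key and the re-identification map and nothing
    else, so that whoever holds the pseudonymized dataset alone cannot reverse it.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)          # never leaves the store
        self._lookup: Dict[str, str] = {}            # pseudonym -> identifier

    def pseudonym(self, identifier: str) -> str:
        # Keyed MAC: deterministic (same person -> same token, so records stay
        # linkable for analysis) but not computable without the key.
        tag = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = identifier
        return tag

    def reidentify(self, tag: str) -> str:
        """Authorized re-identification; only possible with access to the store."""
        return self._lookup[tag]


def pseudonymize(records: List[Dict[str, str]], store: KeyStore,
                 field: str = "email") -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym; the key stays in the store."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = store.pseudonym(copy.pop(field))
        out.append(copy)
    return out


def pseudonymize_unkeyed(records: List[Dict[str, str]],
                         field: str = "email") -> List[Dict[str, str]]:
    """Weak variant for contrast: a plain hash needs no secret to recompute."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = hashlib.sha256(copy.pop(field).encode()).hexdigest()[:16]
        out.append(copy)
    return out


def match_guesses(dataset: List[Dict[str, str]], candidates: List[str]) -> Dict[str, str]:
    """Verification a data protection officer can run on a released dataset:
    can any subject_id be reproduced from a list of guessed identifiers using
    no secret at all? Keyed tokens yield an empty result; unkeyed hashes do not."""
    unkeyed = {hashlib.sha256(c.encode()).hexdigest()[:16]: c for c in candidates}
    return {row["subject_id"]: unkeyed[row["subject_id"]]
            for row in dataset if row["subject_id"] in unkeyed}
```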
Supervision
Chapters 6 and 7 of the General Data Protection Regulation deal with supervision of data processing. Each member state is obliged to ensure the creation and functioning of an independent supervisory body that controls fulfillment of the requirements established by the regulation: it considers complaints about violations of data subjects' rights, conducts inspections, gives consultations, etc. The requirement to introduce an independent supervisory body is not new to EU personal data protection law; the previous directive also recognized such an obligation.[18]
Despite this, the regulation lists the functions of the supervisory authority in detail and exhaustively, establishes obligations of cooperation between supervisory authorities and, most importantly, defines a new body - the European Data Protection Board. The latter is composed of the heads of the supervisory authorities of the member states and the European Union's data protection supervisor. Its functions include issuing guidelines and best practices across the EU for the correct implementation of the requirements established by the regulation, as well as resolving disputes between supervisory authorities on issues of competence or conflicting opinions. As we see, the specificity of the GDPR is also seen in the fact that it defined a body that serves to create a consistent and uniform legal framework in the EU countries, in order to minimize the risk of the regulation being interpreted differently and the fate of personal data being decided differently across the borders of individual countries.
Sanction
It should be considered a peculiarity of the regulation that it directly determines the maximum limit of the financial sanction applicable to individual violations. For instance, if a person authorized to process data in a member state of the European Union violates the obligation to keep records of processing, according to the GDPR they will be subject to an administrative fine of up to 10,000 euros (in the case of an enterprise, up to 2% of the previous year's financial turnover). Disregarding the principles or grounds of data processing may be the basis for imposing a fine of up to 20,000 euros (in the case of an enterprise, up to 4% of the previous year's financial turnover), etc.[19]
The preamble of the GDPR does not exclude the possibility for member states to establish criminal sanctions for violation of the regulation, taking into account the nature of the act.[20]
Territorial application
The scope of the GDPR may in some cases extend beyond the EU: when the information of a data subject located in its territory is processed by an organization providing goods or services that is not established in the EU. This is entirely understandable, as the purpose of the regulation is to protect EU residents, not the process of data processing in the abstract. It is significant in this respect that the regulation establishes mandatory rules to be followed even by enterprises operating within states that are usually not bound by EU law.
4. GDPR and Georgia
Georgia has firmly declared its desire for European integration, which is confirmed by the recent Association Agreement and the active steps taken to obtain the status of a candidate for EU membership. Improving the local legal framework for personal data protection and bringing it into line with European values is one of the obligations that Georgia undertakes on the way to association.[21]
It should be noted that, in order to fulfill this duty, a number of legislative reforms have been carried out in Georgia and the culture of personal data protection has improved to some extent.
The concept of personal data recognized by the current national legislation, the principles of its processing, the legal bases and the rights of the data subject are quite close to the requirements of the European Union, although it should be noted that the Georgian Law on Personal Data Protection is more similar to the previous Directive 95/46/EC than to the GDPR. For example, it is familiar with the principles of lawful and fair data processing, purpose and storage limitation, data minimization and accuracy, but it is unfamiliar with the principles of transparency, security and confidentiality proposed by the regulation.[22]
However, our legislation does establish the need to implement certain organizational and technical measures to protect data security, although encryption and pseudonymization, the GDPR's particular means of achieving these goals, are not implemented at the local level. According to the national legislation, the special interests of a minor are not taken into account when determining the validity of his or her consent, and at this stage the prerequisites for the consent of adults and minors are identical.
It should be underlined that in 2019 a draft law was initiated under the authorship of the State Inspectorate, which provides for a reform of the Georgian law on data protection. The draft law is very close to the spirit of the GDPR, as it fills almost all of the above-mentioned gaps and contains detailed regulation of all the issues that, unfortunately, were not given enough attention in the current edition. For example, according to the draft, to process the data of a teenager under the age of 14, his or her consent is not enough and confirmation from a parent or other legal representative is required; in order to protect data security, the processor must record access to data, pseudonymize it, etc.[23]
The Parliament has not yet held a hearing on the mentioned draft law; therefore, it is unclear how real and imminent future legislative amendments in this regard are. However, it is clear that its consideration would be a step forward on the way to the Europeanization of Georgian personal data law.
As for the supervision of personal data processing, the controlling body in Georgia is the Personal Data Protection Service, which replaced the previously existing State Inspector's Service. It is independent in exercising its powers and is not subordinate to any agency or official.[24] Its activities include consultation regarding personal data processing, review of complaints and the corresponding legal response, inspection of processing, etc. The institutional status and functions of this body can be said to be in line with the requirements of the GDPR, and the formation of this type of independent supervisory body is an important step on the way to association. After the successful completion of European integration, the head of the Personal Data Protection Service will also become a member of the European Data Protection Board and will be involved in the process of introducing uniform legal practice.
Regarding territorial application, it should be noted that the Law of Georgia on Personal Data Protection applies to data processing within the borders of Georgia. As mentioned above, the GDPR also covers the processing of data by an organization located in the territory of a non-EU state when it offers services to a data subject living within the EU. Therefore, in practice, a situation may arise where, even before the end of the European integration process, a legal entity registered in Georgia offers a service or product to the citizens of a member state of the European Union and processes their personal data for this purpose. In such a case, determining the applicable law is problematic: according to the national legislation, the issue should be evaluated under the Georgian Law on Personal Data Protection, while the GDPR declares itself to be the relevant legal instrument in the same situation. For instance, it is an open question how the issue would be resolved if a 15-year-old minor gave consent to the processing of his or her data, because the Georgian norms and the General Data Protection Regulation regulate this issue differently. In order to avoid such inconsistencies, it is recommended that the Georgian legislator implement timely reforms of the personal data protection law and complete the process of harmonizing it with EU law.
5. Conclusion
Within the framework of the research, it was revealed that the General Data Protection Regulation is one of the most important sources of personal data protection law. Its aim is to create a uniform legal space across Europe so that data subjects have a sense of protection and the ability to predict the possible consequences even when their data are processed in another country, as the modern business world and its technologies, in fact, know no boundaries. In this sense, the GDPR has genuinely broken new ground both within and outside the EU, as it has proposed comprehensive, strongly enforced protection and security and innovative approaches to enforcing personal data privacy. Georgia is also trying to keep up with European progress and strengthen the quality of personal data protection at the local level, which, along with being its desire, is also an obligation that it undertook on the way to European integration. However, during the research process it became apparent that the national legislation on certain issues is not in line with European aspirations, which has a negative impact on both the local culture of data protection and the future prospects of the path chosen by Georgia. I consider it expedient for the legislative body to actively consider the new draft law on Personal Data Protection initiated in 2019 or to propose a legislative reform similar to GDPR requirements in the near future.
[1] D.F. Martinez-Martinez, Unification of Personal Data Protection in the European Union: Challenges and Implications, El profesional de la información, 2018, enero-febrero, v. 27, n. 1, p. 186.
[2] General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
[3] T.L. Syroid, T.Y. Kaganovska, The Personal Data Protection Mechanism in the European Union, International Journal of Computer Science and Network Security, Vol. 21, No. 5, May 2021, p. 113.
[4] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[5] B. Jishkariani, European criminal law within the framework of the European Union, Tbilisi, 2018, pp. 80-83.
[6] General Data Protection Regulation (EU) 2016/679, Article 1; Recital 27 of the preamble.
[7] Ibid., Article 2, Paragraph 1.
[8] Ibid., Article 2, Paragraph 2.
[9] Guide to European data protection law (printed within the framework of the Council of Europe project "Strengthening Personal Data Protection in Georgia", which is part of the 2016-2019 action plan of the Council of Europe for Georgia), 2018, pp. 118-119.
[10] Information Commissioner's Office (ICO), Guide to the General Data Protection Regulation (GDPR), 2018, p. 257.
Note: Data processing for criminal law purposes within the European Union is regulated by a separate act. See Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
[11] General Data Protection Regulation (EU) 2016/679, Article 5.
[12] Information Commissioner's Office (ICO), Guide to the General Data Protection Regulation (GDPR), 2018, p. 209.
[13] General Data Protection Regulation (EU) 2016/679, Article 6.
[14] Ibid., Chapter III.
[15] Ibid., Article 8.
[16] Guide to European data protection law (printed within the framework of the Council of Europe project "Strengthening personal data protection in Georgia", which is part of the 2016-2019 action plan of the Council of Europe for Georgia), 2018, p. 417.
[17] I. Davvdova, S. Reznichenko, Certain aspects of personal data protection in the social network: European experience and legislative regulation in Ukraine, Journal Amazonia Investiga, Volume 9, Issue 27, March 2020, p. 389.
[18] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[19] General Data Protection Regulation (EU) 2016/679, Article 8.
[20] Ibid., Recital 149 of the preamble.
[21] Association Agreement between the European Union and the European Atomic Energy Community and their Member States, on the one hand, and Georgia, on the other hand, Article 14.
[22] Law of Georgia "On Personal Data Protection" No. 5669, December 29, 2011, Article 4.
[23] See Draft Law of Georgia "On Personal Data Protection": regarding the principles, Article 4 of the draft law; regarding the security policy, Article 27; on the conditions of consent of a minor, Article 7. https://info.parliament.ge/file/1/BillReviewContent/222089, 04.07.2022.
[24] Regulation of the Personal Data Protection Service, Article 2. https://matsne.gov.ge/document/view/5398923?publication=0, 04.07.2022.