The Georgian-language version is available here.
Author: Ketevan Kukava
As a result of rapid technological development, the scale of the collection and sharing of personal data has significantly increased, which has posed new risks and threats to human rights. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale when carrying out their activities.[1]
European data protection law aims to create a uniform and consistent legal framework and to ensure the free and unhindered movement of personal data. In response to the increasing challenges of the technological age, the EU and Council of Europe legal instruments established important mechanisms for the protection of human rights. Given the unprecedented scale of data processing in both the public and private sectors, providing appropriate safeguards for the protection of data subjects’ rights and interests is of crucial importance.
A data protection impact assessment (DPIA) is one of the important novelties foreseen by European law, which enables data controllers to prevent human rights violations by identifying the risks in advance. Such an assessment is mandatory when there is a high risk to the rights and freedoms of natural persons.
A data protection impact assessment is an important tool directed towards the accountability of data controllers and the protection of data subjects’ rights. It can be considered a form of monitored self-regulation.[2] It obliges companies to identify problems and find solutions, with internal oversight and some external input, accompanied by minimal regulatory supervision.[3]
The General Data Protection Regulation lays down the main requirements and criteria with regard to the data protection impact assessment. It includes only a brief description of this process and does not specify the methodology. Therefore, data controllers are given certain leeway and are allowed to determine the form and structure of the DPIA. What matters most is that the outcome of this process should be a real identification of risks.
A data protection impact assessment should not be regarded as a compulsory exercise but as a useful tool.[4] “The systematic identification of risks is a valuable basis for strategic action by implicated actors for the continuous improvement of products and services.”[5]
The Georgian legislation currently in force is not fully compliant with the requirements of European data protection law and does not foresee the important novelties introduced by the Council of Europe and EU legal instruments.
Georgian legislation should respond to the challenges of the digital age and should provide appropriate safeguards for the protection of data subjects’ rights, freedoms and interests. Harmonization with European standards and implementation of the novelties foreseen by European data protection law will be an important step forward in terms of European integration and, at the same time, will help strengthen human rights protection in Georgia.
The full study is available here.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Recital 6, available at: https://bit.ly/2vHVeNC (accessed 01.12.2022).
[2] Kaminski, M. E., Malgieri, G., Algorithmic impact assessments under the GDPR: producing multi-layered explanations, International Data Privacy Law, 2021, Vol. 11, No. 2, p. 131.
[3] Ibid.
[4] Friedewald, M., Schiering, I., Martin, N., Hallinan, D. (2022). Data Protection Impact Assessments in Practice. In: Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science, vol. 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_25, p. 439.
[5] Ibid.