Giuseppe BusiaSecretary General

Italian Data Protection Authority

Fundamental Rights Forum

Rights, Respect, Reality: the Europe of Values in Today's World

Wien, 21st June 2016

Protecting and Promoting Privacy

in a Data-driven Society

Problems

huge amounts of data

collected

continuous and

invisible surveillance

profiling

predicting personal

preferences

influencing decisions

Benefits

improved medical

treatments

sophisticated services

facilitated provision of

public services

encouraging sustainable

development

improving citizens’ quality

of life

1. How can regulators best serve their mission in the data-driven society?

Modern technologies:

Avoiding knowledge gaps

Traditional rules to be applied and adapted to a new

and dynamic landscape

New European rules (portability and access): must be

clarified, reinforced and reconciled with others’ rights

(trade and industrial secret, proprietary rights)

Simplify rules to disseminate the value of privacy

standards and the consequences of their breaches

The real challenge: a Forward-looking

Approach and a Well-balanced Action

1. How can regulators best serve their mission in the data-driven society?

less Bureaucracy, more Effectiveness: a Bottom-up Approach

European rules = regional applicability = influencing juridical regimes

of other countries because of:

* the new regime of applicability to all the entities that use data

coming from Europe

* the natural attitude of some rules to increase their effects

outside their boundaries, especially when they regulate the

processing of data on the web

Data protection is not a regional issue, but a global one and as such it

requires a global response:

* acting locally, to regulate globally

* protecting individuals also in other countries that have less

democratic traditions than Europe

Implementing Expansive Rules:

Promoting a “New Deal”

2. Implementing best practices

Changing Perspective: from the Single

Personal Data to the Profile

Data Protection is changed in these last years

Through algorithms and artificial intelligence, a vast amount of (automated)

decisions that affect individuals

Emerging risks of new discriminations

The real engine of the whole system is no longer the single personal data, but

the profile, i.e. the particular combination of data (collection of Big Data) that is

used to offer personalized services and products

The new EU legal framework can help regulators in this task, offering some

significant tools, in particular:

* the right to access and rectification, in order to counterbalance the

’tyranny‘ of algorithms

* the creation of the new, powerful right to data portability , which aims to

increase user’s choice of online services, due to the right to receive the

personal data concerning him or her and have such data transferred to

a different controller

Raising Awareness and Empowerment of Data Subjects

2. Looking for best practices

Responsibility vs. accountability

* data controllers must be accountable for their processing

* data subjects should be aware of the growing risks which depend

on the different types of processing and the different types of data

– biometric, sensitive – used (e.g. profiling = influencing decisions;

dissemination = losing control and identity theft; geolocation =

continuous surveillance)

Data subjects should take on a leading role in the future society:

* they can influence the market by selecting and preferring

companies and service providers that really protect their

personal data ; they should be the “masters of their data”, not just

“data sources”

The key role of transparency and its simplification: a traffic light to

immediately show the grade of risk of the treatment?

The crisis of the consent: a “sunset scheme” for some treatments?

Engaging public and private

Stakeholders

2. Looking for best practices

Respecting privacy rules should be regarded as an element to be valued

by European companies, as a competitive asset in offering better

services to their customers and users

In addition to the existing rules, companies should follow a widespread

privacy-oriented focus in their business in order to develop and improve

transparency and promote trust by data subjects

The same should apply to public institutions, which should target their

key policies at “privacy mainstreaming”

Thank you for your attention!