The European Union’s data privacy framework is currently under the microscope, with two significant initiatives aimed at enhancing transparency and safeguarding personal data.
First, the Italian Data Protection Authority has published a white paper advocating for improved communication of privacy information to users, leveraging the concept of legal design. The publication stems from collaboration between the Garante Privacy and Creative Commons Italy, emphasizing transparency as a foundational element of the General Data Protection Regulation (GDPR).
According to the white paper, the GDPR was established to balance the protection of individuals with regard to data processing against the ability of data controllers to access and use this data. It outlines general principles, prominently featuring the principle of transparency. This principle underlies the obligations of data controllers, who must provide users with specific information before and during the data processing stages, as indicated by articles 12, 13, and 14 of the GDPR. Users have the right to inquire about the processing of their personal data at any moment, as detailed in article 15 of the GDPR.
Crucially, the white paper highlights the often insufficient awareness on the part of individuals concerning how their data is processed. It points to two main scenarios causing users difficulties: non-compliance by data controllers or partial compliance leading to incomplete or inaccessible information.
“The lack of adequate awareness among individuals concerning personal data processing is undermining the efficacy of European and national legislation on data protection,” states Garante Privacy. This assertion reflects growing concerns that data controllers treat formal compliance as a mere checkbox exercise, without fostering genuine user comprehension or control of their data.
The document examines in depth how legal design methodologies, drawing on tools of clarity and visual communication, can be applied to achieve complete adherence to the transparency principle and improve the culture of data management awareness.
On another front, the European Data Protection Board (EDPB) has made progress with its pseudonymization guidelines, currently open for public consultation until February 28. These guidelines were co-drafted by the Garante Privacy and state that pseudonymized data is always considered personal data, even when the information necessary to discern user identities is held separately.
The EDPB’s view is pivotal: pseudonymized data remains subject to the GDPR. It is defined as data from which individuals cannot be identified without additional information that is kept separate and properly secured. This distinction means that pseudonymized data, although pseudonymization is intended to reduce risks and implement privacy by design principles, still carries all the obligations that apply to conventional personal data under the law.
“Pseudonymization facilitates the use of legitimate interest as the lawful basis for processing,” the EDPB noted, but cautioned that it must align with other GDPR requirements and with the validation of purpose compatibility for any secondary processing.
The guidelines also delineate the technical measures and safeguards tied to pseudonymization to assure confidentiality of information and avert unauthorized identification of individuals.
With the public consultation underway, experts and stakeholders have the opportunity to influence future iterations of these guidelines before they are finalized. This consultative approach reflects the EU's commitment to incorporating diverse perspectives on privacy management.
The simultaneous focus on user transparency and data pseudonymization exemplifies the EU's strategic approach to bolster data protection amid rapidly changing technological landscapes. Both the Italian initiative and the EDPB guidelines signal proactive steps toward ensuring individuals can effectively navigate and control their digital lives under the overarching GDPR framework.
It remains to be seen how these initiatives will be implemented across member states and the extent to which they will positively impact user awareness and the safeguarding of personal data.