GDPR & Privacy: awareness and opportunities. The approach with the Data Protection and Privacy Relationships Model (DAPPREMO) - Nicola Fabiano - E-Book

Description

Today we hear more and more often about data protection: but what does it mean? The “protection” concerns natural persons and therefore, their data. The book takes us on a journey through the legislation on the protection of natural persons with regard to the processing of personal data provided for by the EU Regulation 2016/679 (GDPR), helping us to understand its historical evolution, the ethical and legal principles that guide it and the obligations related to the processing.

We should not overlook the issue of information security, also given the most current methods of communication and the development of new tools that offer us connection possibilities through smartphones, e-mail and social networks, however, posing severe risks, especially for minors.

The new technological frontiers (Blockchain, IoT, Big Data, Artificial Intelligence, Drones, Robotics) deserve attention mainly because of the impact on the natural persons and their data; adequate awareness is increasingly necessary also for a correct ethical approach to the issue.

The book presents a new and innovative approach to data protection according to the relational model, which we defined DAPPREMO (acronym of Data Protection and Privacy Relationships Model) based on high mathematics as a function of reality analysis.

© 2020 goWare, Florence, first digital edition

ISBN: 978-88-3363-404-3

Editing: Chiara Nappini

Cover: Gianluca Cioni

ePub developing: Elisa Baglioni

goWare is a Florence-based start-up specialized in new publishing

Table of contents

Cover

Title Page

Copyright Page

Description

The author

Foreword to the second edition by Wojciech R. Wiewiórowski

Foreword to the first edition by Giovanni Buttarelli

Preface to the Second edition

Chapter 1 The GDPR: a revolution for the protection of personal data

1. Privacy and data protection are not synonyms

1.1 Principles of data protection law

1.2 The advent of Regulation (EU) 2016/679 (GDPR)

1.3 The GDPR two years after its application

2. Which starting point for data protection and privacy

2.1 The evolution of society

2.2 The human factor

2.3 Awareness and ethics

2.4 The (in)conscious giving of data to the platforms

2.5 Digital economy, e-Democracy and personal data

2.6 An unavoidable global vision

2.7 The prerequisite: the value of personal data

3. The value of personal data

4. The fulfilment and processing of personal data

5. Accountability: a novelty in our legal system

6. The “data protection by design and by default” principle

6.1 An application of the privacy by design principle: the IRMA project

6.2 What is IRMA?

7. The significance of scientific research on privacy and data protection in international contexts

8. The certification mechanisms

9. Transfers of personal data to third countries or international organisations

9.1 The adequacy decision

9.2 Transfer subject to appropriate safeguards

9.3 Binding Corporate Rules (BCR)

9.4 Derogations for specific situations

9.5 The Court of Justice declares the “Privacy Shield” invalid

10. Third country: the representative

11. Digital sovereignty between accountability and personal data value

11.1 Preamble: what do we mean by “digital sovereignty”?

11.2 Meaning of the “digital” domain

11.3 Digital Sovereignty and Cyberspace

11.4 Digital sovereignty: proposal for a definition

11.5 Digital sovereignty: the limits

11.6 Digital sovereignty and inclusion

11.7 Digital sovereignty and data protection rules

11.8 Digital sovereignty and accountability: a possible challenge

Chapter 2 Internet and the risks for personal data

1. Information security: hints

2. Security and data protection

3. Choosing the operating system

4. The mobile phenomenon: smartphones and tablets

5. Communication: messaging solutions and related risks

5.1 Internet and its risks

5.2 Electronic mail and messaging systems

6. Internet and minors

7. Cloud computing

8. Social networks and personal data protection

9. Criticality of social phenomena

Chapter 3 New phenomena and personal data

1. Internet of Things (IoT)

2. The Blockchain

2.1 Blockchain applications

2.2 Blockchain, protection of personal data and privacy

3. Big Data and data protection

4. Artificial Intelligence and Data Protection

5. Facial recognition and data protection

6. Drones and data protection

7. Robotics, Ethics and Data Protection

8. 5G and data protection: the challenge

9. Digital life and privacy: are we fighting against ourselves?

10. COVID-19 pandemic, privacy and data protection: what approach?

10.1 Chronology of events

10.2 What emerges from these institutional documents?

10.3 The neutrality of technology

10.4 Tracing apps and contact tracing

11. The COVID-19 Alert System: in the Decree-Law 28/2020 the Italian solution for a contact tracing app

11.1 Introduction

11.2 The international scenario

11.3 What is the European Commission’s recommendation, and what are the obligations for the Member States?

11.4 Why an ad hoc law?

11.5 What is the approved regulatory solution?

11.6 The alert system

11.7 The platform

11.8 Purpose of the processing

11.9 Owner and data processors

11.10 Impact assessment and organisational measures

11.11 Crucial aspects according to art. 6, paragraph 2, letter a) to f)

11.12 What about ethics?

11.13 Will you need the app to defeat COVID-19?

12. The fundamental role of ethics in acquiring the right approach

Chapter 4 The model for data protection

1. The new approach to data protection according to the relational model DAPPREMO

1.1 Introduction

1.2 Application of set theory

1.3 The relationships between objects and those between subassemblies

1.4 Description of a complex multidimensional model

1.5 The model and the role of the subjects

Where are we going?

eXtra

Regulatory references. Hard law and soft law regulatory bibliography

GDPR Map

GDPR Information to be provided

Figures

Figure 1 – Outline on the adequacy decision

Figure 2 – The process of certified electronic e-mail.

Figure 3 – World internet usage and population statistics 2020 year-Q2 Estimates

Figure 4 – Diffusion of Facebook compared to other social network providers.

Figure 5 – Updated statistics about the most used social media in the world (only based on official information).

Figure 6 – IoT connected objects.

Figure 7 – Database structure.

Figure 8 – Block structure.

Figure 9 – Different types of network.

Figure 10 – Together relationship (one to one).

Figure 11 – Connection between together (one to many).

Figure 12 – Connections between individual objects in a set.

Figure 13 – Euler and Venn diagrams.

Figure 14 – Distributed System.

Figure 15 – Data Protection Relationships Model

The author

Nicola Fabiano is an Italian lawyer, specialist in Civil law. He is President of the San Marino Data Protection Authority and national expert for the Republic of San Marino for the Consultative Committee of the Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108). In 2017 he was appointed by the Congress of State of the Republic of San Marino for the drafting of specific legislation on the protection of personal data. He is a member of the Privacy Commission of the National Council Bar (in Italian Consiglio nazionale forense – CNF), of the Working Group of the Italian Foundation for Forensic Innovation (FIIF) and of the Blockchain Technical Table of the Scientific Committee of San Marino Innovation. He is certified on privacy and security. He is the author of several scientific papers presented at international conferences and published, and he is the winner of numerous awards.

Chi poco pensa molto erra (Who thinks little makes a lot of mistakes)

Leonardo da Vinci

We want to acknowledge the high-level professionals who cooperated with us in the revision of this book, supporting the project, and precisely in alphabetical order:

Nadia Arnaboldi

Filippo Bianchini

Angelo Caldarella

Antonietta Confalonieri

Giovanni De Marco

Antonietta Palmieri

Foreword to the second edition by Wojciech R. Wiewiórowski

The spread of Corona virus around the world has shown – like no other challenge we have faced over the last years – how small and connected our world is. How similar our problems are, and how important it is to address them together, finding strength beyond our nations. While the European Union institutions tend to think the EU (or slightly broader the European Economic Area) is the perfect place to pull resources together and to find common solutions, none of such solutions can be introduced without the dialogue with the whole European community including at least all states parties to the Council of Europe Convention 108.

The digital revolution has given us powerful tools to process information about the world we live in, about us – human beings – and about our behaviour. The “mantra” repeated again and again by data protection society is that big data means big responsibility. We have to know what we are doing, and to know that we are responsible for the results of our activity. Responsibility also means however that we should not hesitate to act when it is necessary. There is also responsibility for not using the tools we have in our hands to fight for a better future of European society.

The crisis has revealed, even more so, the importance of ensuring that the privacy and personal data of people are protected. Epidemiological surveillance may pave the way for participatory and “under the skin” surveillance, whose repercussions may be long-lasting. Being preoccupied that the economic impact of the crisis will increase the pressure on organisations to maximise their efficiency in ways which may sacrifice the rights and freedoms of individuals, I am sure we must all engage in an informed debate around what shall constitute ‘public good’, whether in times of crisis, or not, since the “new normal” shall not give way to the permanent erosion of rights we have fought so long and hard to promote. Working with my friend – Nicola Fabiano, author of this book – we will be able to assure that data protection norms are solid road signs on the European road to recovery. Data protection is one of the last lines of defence for vulnerable individuals, such as migrants and asylum seekers, therefore we will make sure that their rights are preserved. Moreover, privacy and data protection are an integral part of the rule of law and should never be treated in isolation.

In the EU legal environment the right to the protection of personal data is based on Article 16 of the Treaty on the Functioning of the European Union (TFEU) and on the Charter of Fundamental Rights. Article 16 TFEU, as amended by the Lisbon Treaty, statutes the right to the protection of personal data as one of the fundamental rights of every individual, without introducing any personal restrictions. However, the second paragraph of the article, which gives the European Parliament and the Council the right to determine, in a very elaborate way, what falls within the scope of the fundamental right described in the first paragraph and what the Union legislator would like to leave out of its scope, is much more practical. According to this provision, Union legislators, acting in accordance with the ordinary legislative procedure, shall lay down rules relating to the protection of individuals with regard to the processing of personal data by Union bodies and institutions as well as by Member States. This provision is therefore the Treaty basis for the creation of secondary European Union law, developing the provisions of Article 16. The Treaty, like Council of Europe Convention 108, also requires that compliance with the rules on the protection of personal data, as well as the rules on the free movement of such data, is subject to the control of independent supervisory authorities.

At the same time, in many countries of the European Union, privacy and personal data protection law also derives from the provisions of national constitutions. This is also the case of my country of origin – Poland – where Article 47 of the Constitution statutes the right to privacy protection (“everyone has the right to protect the private life of the family of honour and good name and to decide about his or her personal life”), and Article 51 defines the basic components of the right to personal data protection.

Graham Greenleaf rightly points out that for the first time in history we have reached a point where the development of data protection law is not only taking place in Brussels and Strasbourg, and the picture of a global approach to privacy protection is certainly more multifaceted today than it was a few or more years ago. At the same time, there is no doubt that all new global legislation on privacy protection, data protection and even wider information security must refer explicitly or implicitly to the reform that has taken place in recent years in the EU. Every new piece of legislation that comes into being in the world and a large part of the jurisprudence of courts of non-EU countries is immediately confronted with GDPR.

In summer 2020 there were legal acts in 143 countries around the world covering the whole issue of personal data protection. It is true that this was not always the case from both the public and private sectors. Another 30 countries in the world have solutions concerning the protection of personal data, which are contained in acts of a lower order than the statutes or in different kinds of soft law. Data protection law in Africa and Asia is experiencing particularly turbulent developments. While in the case of South America many countries have already passed laws that have been prepared for years or have changed the legal order that was already in force, in Asia and Africa new solutions are being developed, and the development of data protection law is being chosen by countries that do not have such law so far.

Although the topic of privacy protection has been mentioned many times during the United Nations discussions, and the UN itself has appointed a special rapporteur on privacy protection, Joe Cannataci, we cannot point to any body in which the governments of countries all over the world have a global discussion about privacy or data protection. From time to time political leaders call for such a discussion. But there is no prospect of such a discussion actually taking place. The main role in the flow of information about legal changes in individual jurisdictions falls on supervisory authorities and, paradoxically, on data controllers themselves. Supervisory authorities cooperate in at least a few global – and a whole series of regional – cooperation forums, which are sometimes more structured in nature and even grant themselves the right to make recommendations to Member States. They are sometimes only an arena for the exchange of practical information on problems related to particular data processing technologies or business models used by controllers or to legal tools used by these authorities.

Having these clear goals in mind and getting to know all complicated circumstances of the international environment, I would like to invite you to the journey throughout the privacy and data protection offered by Nicola Fabiano in his book.

Brussels, July 2020

Wojciech R. Wiewiórowski

(European Data Protection Supervisor)

Foreword to the first edition by Giovanni Buttarelli

The advent of the GDPR represented a decisive evolution of the European regulatory system for the protection of personal data. The principle of accountability is the backbone of this system, together with a risk-based approach and therefore with obligations that are proportionally increasing in relation to the problematic nature of the processing. The principles of data protection by design and by default require the integration of the protection of personal data in the development of each service, application, system and to offer the highest standard of protection even in the absence of positive action by the data subject.

Nicola Fabiano highlights how the right to privacy must be conceptually distinct from the right to the protection of personal data, rights protected respectively by Articles 7 and 8 of the European Charter of Fundamental Rights. It is useful to remember how the right to privacy concerns the wider conditions of exercise and extrinsic of the human personality. It is even more useful to underline that the right to data protection, a child of the information society, is also instrumental to the enjoyment of other fundamental rights and freedoms. One thinks of its relationship with freedom of expression and the worrying implications that the Cambridge Analytica scandal has brought to light with regard to the integrity of our democratic systems and processes.

There is no time historically and socially more appropriate than the time we are living today to strongly affirm the need for protection that puts the individual at the centre of its mission. To this end, the European regulation must be brought into dialogue with the wider regulatory system, which consists, inter alia, of the rules on the confidentiality of electronic communications.

Nicola Fabiano’s analysis appropriately extends to the impact on new technologies and includes observations on blockchain and decentralization, artificial intelligence and robotics, social media and intermediation, providing important food for thought in a national and European perspective.

Brussels, May 2019

Giovanni Buttarelli

(European Data Protection Supervisor)

Preface to the Second edition

It has been just over a year since GDPR & Privacy: awareness and opportunity. Distinguished speakers presented a reasoned analysis of the protection of personal data between ethics and cybersecurity in Rome at the Sala del Refettorio of Palazzo San Macuto (Chamber of Deputies) in the presence of representatives of various institutions and authorities.

On June 28, 2019, Giovanni Buttarelli, at that time European Data Protection Supervisor (EDPS), also attended the book presentation event, with an acute and far-sighted intervention.

His words gave satisfaction to those present for his enlightening vision, so much so that today I want to share some fundamental passages with the readers of this second edition:

«I think there is unfinished business, and the challenges of the immediate future are important.

Which ones are they?

Certainly, the credibility of the data protection authority, the demonstration with a capital “i” of their true independence that this should also affect the appointment and election mechanisms, but above all in the way in which these authorities must loudly be able to say no when you need to say no or when you need a proactive approach to understand what the legislator wants to do in a certain matter but allow him to do it in a different way.

Here is if I think of the latest choices, now, on Italian biometrics in public offices, or video surveillance in schools and elderly centres, yes I see points for a necessary intervention but, it is not only the solution then and at the moment devised as the best.

However, we need to prepare for the great challenges that are currently linked to the child regulation of the GDPR, in particular e-privacy (the Finnish presidency has published its work program on this matter but I fear that we will have to wait until 2020).

And above all, we must already start preparing for the future.

The data protection authorities speak with one voice.

We have not had any positive or negative conflict of competences in a regulation that represents a difficult compromise between the principle of proximity with citizens, with the territory and the application of this regulatory complex to the rest of the world. But it is a mechanism that relies only on the proactive approach of the authorities concerned because in and of itself it is a mechanism truly born of the office for the simple business publication.

So we have to take advantage of this mechanism.

We can speak to the information giants with one voice as long as we remain united and solid. We have a new legislature, and another is already beginning which comes mainly from the USA but silently from China, according to which Europe has convinced 135 countries in the world to have legislation that is no longer just about privacy but about data protection but it will not be able to resist in the face of the new technological wave, this time based on artificial intelligence.

In conclusion, I foresee that the GDPR will remain in place for at least a decade, but that today it is necessary to prepare the foundations for a new path in which there must be the beginning of a new change.

That is, I consider that today 25/30 years after CoE started dealing with this matter with the Convention 108 of 1981, a path with the GDPR has been completed. We have definitively freed ourselves from privacy, we are talking about the protection of personal data which is a personal right that is part of the administration of every day, but it is no longer privacy although that right to be left alone in certain circumstances continues to exist.

Modern personal data protection is something completely different.

I believe that there is a gap between the fact that this path has been completed and how all this is perceived by everyone, starting with the national legislator.

While this shift has been completed, I see that another path has begun because data protection will increasingly detach itself from the issue of the protection of personal rights; moves on to the discourse of the public good, on the integrity of systems, on the importance that the protection of personal data has on the exercise of democratic, voting and information rights.

We are also really behind in our country as regards the relationship with scientific research. The support analysis that we can do to ensure that from bio-banks to high-tech we can focus on new data processing technologies that start from the idea that they are personal data, which are difficult to re-identify, but which leave more space of what is now based on the too formalistic application of the principles of consensus.

State sovereignty – Continuity of existence of Europe as such (let’s not forget the interview Putin did in 2017 in which he said that whoever gets there first to have the opportunity to “process data” will have it all – the winner will take all).

This means a choice between two schools of thought: between those who say that Europe can win if it sets aside its principles and throws itself into the technological race headlong at what it costs, and those who think that this race in the far west of new technologies it will not lead to winning who, as happened with the conquest of the Far West territories, will first arrive to plant the flag in a piece of land that will then be theirs, but who will do so by bringing a sustainable technology from the point of view of ethics in the long term; I belong to this second school».

Hence, «sustainable technology from the point of view of ethics» is precisely the expression that contains the common thread between past and future.

If we look back, we see how many changes have occurred, especially in the first months of 2020.

The appointment of the members of the collegiate body of the Italian Supervisory Authority and the European Data Protection Supervisor (EDPS) changed, and so also our habits, the way we work, study, move and relate with everyone else. The COVID-19 pandemic has forced the whole world to a rapid transformation highlighting the value and the prevalence of some fundamental rights of the person. Technology has almost (and in some respects) become a survival tool.

So, I chose also to change a large part of the book, which however continues to be a guide for the journey into the world of rules and principles for the protection of our personal data.

Some points remain (in the three chapters and various paragraphs), while I added other themes, information, researches and ideas to keep up with the change. The proposal of DAPPREMO (acronym of Data Protection & Privacy Relationships Model) is the novelty of 2020.

Some points remain unchanged (in the three chapters and various paragraphs) while with reference to other topics, information, research, we added proposals to keep up with the changes.

GDPR & Privacy: awareness and opportunity. The new approach to the Data Protection and Privacy Relationships Model (DAPPREMO) maintains the international style.

In this new edition, the Foreword by Wojciech R. Wiewiórowski, European Data Protection Supervisor (EDPS), which brings attention to the moment of crisis we are experiencing, but:

«Since the “new normal” shall not give way to the permanent erosion of rights we have fought so long and hard to promote; privacy and data protection are an integral part of the rule of law».

Wojciech R. Wiewiórowski’s words reveal the conviction that the protection of personal data continues to remain a challenge on which to continue working:

«Working with my friend – Nicola Fabiano, author of this book – we will be able to assure that data protection norms are solid road signs on the European road to recovery».