Embedding European Privacy in your Business
1. What is privacy?
The most frequently discussed (and feared) piece of legislation within the European Union has been, since its application as of 25 May 2018, the General Data Protection Regulation (GDPR).
While the GDPR deals with an important part of privacy, namely the protection of the personal data of private individuals, it is not the only piece of legislation that applies in this field.
Rather, privacy is a much wider topic. And privacy and data protection are two distinct rights within the European Union legal framework.
In the EU, human dignity is recognised as an absolute fundamental right.
In this notion of dignity, privacy or the right to a private life, to be autonomous, to be in control of information about yourself, to be left alone, plays an essential role. Privacy is not only an individual right, but also a social value.
While privacy is recognised as a universal human right, data protection is not – at least not yet.
The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention on Human Rights (ECHR) (Article 8) and the European Charter of Fundamental Rights of the EU (Article 7).
Article 8 ECHR – Right to respect for private and family life, includes:
- The right to one’s image and photographs; the publishing of photos, images and articles.
- Protection of individual reputation; defamation.
- Data protection.
- Right to access personal information.
- Information about one’s health.
- File or data gathering by security services or other organs of the State.
- Police surveillance.
- Stop and search police powers.
- Home visits, searches and seizures.
- Lawyer-client relationship.
- Privacy during detention and imprisonment.
A “little” more than you would have thought…?!
Article 8 ECHR is considered one of the Convention’s most open-ended provisions. Moreover, the ECHR applies in those countries that are member states of the Council of Europe, not only in the EU.
The European Union needed a much more codified, systematised and harmonised legal framework to deal with the protection of personal data, in particular with the technical and organisational measures that entities must take in order to protect such data. It also needed to give Member States efficient and effective enforcement powers to ensure that these rules are actually respected. The GDPR is directly applicable in all EU Member States and allows national Data Protection Authorities to take action against international organisations that are based in the EU, operate in the EU or target EU citizens, making it the most powerful legal tool yet.
To this end, in this article, when we refer to “privacy”, we refer specifically to the body of rules applicable within the EU, which includes the GDPR, but also other pieces of legislation, such as:
- The Charter of Fundamental Rights of the EU
- The Treaty on the Functioning of the EU
- The ePrivacy Directive
- The e-Commerce Directive
- The Digital Services Act
- The Digital Markets Act
- The AI Act
- The national laws of the EU Member States
2. Why does privacy matter?
As you can see, there are many legal aspects of privacy that the European and national courts have dealt with over the years and that the EU has codified in legislation.
However, whether you are a micro, small, medium or large business that is based in, operating in and/or targeting European markets, you need clarity on how this wealth of privacy laws impacts your business. Only then can you clearly define your legal obligations, identify vulnerabilities and risks, design your compliance programmes and embed European privacy into your business, in such a way that you are not only compliant with applicable laws, but also able to:
- Accelerate time-to-market
- Streamline commercial decision-making
- Innovate faster
- Build a strong corporate brand
From this perspective, privacy becomes paramount to your business’ success.
3. When does it become relevant? When should you act towards becoming compliant?
The GDPR has introduced the concepts of data protection “by design” and “by default”. In effect, they are more than mere concepts: they are legal obligations for controllers of personal data. Both at the time the means of processing are determined and at the time of the processing itself, the controller must implement appropriate technical and organisational measures designed to give effect to the data-protection principles and to integrate the necessary safeguards into the processing, in order to meet the requirements of the GDPR and protect the rights of data subjects.
The controller of personal data has the obligation to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
It is our conviction that businesses should take this approach not only when designing and implementing their data processing activities, but also, more generally, when designing and implementing any activities, processes, products or services that affect the privacy of their customers, clients, employees and team members, or of any other private individual with whom they deal in the course of their business. Privacy is a fundamental right, and such business operations can have considerable privacy implications.
Privacy compliance is therefore a proactive, before-the-launch, idea-design-phase and on-going endeavour, which should be actively embedded in all business processes and day-to-day operations, from inception to scaling.
4. How do you become compliant?
The development of the internet, the world wide web, new technologies and, more recently, artificial intelligence has led EU regulators to react more quickly to our societal realities. We understand that the wealth of rules and regulations in the field of privacy has become increasingly challenging to track and to stay compliant with.
We also know that the multi-jurisdictional and cross-border legal implications are complex to understand and navigate.
We therefore design tailored compliance programmes for businesses from scratch, and we help you navigate this complex legal framework with done-for-you legal advice, legal support and solutions that are unique to your business needs and growth goals.
Book a discovery call to get started today.