On 28 January 2020 we celebrated the 14th Data Protection Day, which was a great opportunity to talk about our privacy. In the age of e-administration, online banking, popular online shopping and marketing creativity of companies, the information about us is becoming more and more valuable. Assoc. Prof. Mariusz Jagielski, Professor of the University of Silesia, Rector’s Plenipotentiary for Personal Data Protection, tells us why we should not be afraid of the processing of our data.
Everyone in Poland has probably heard about GDPR. The situation when provisions entering into force so strongly affect our daily lives is rather rare. When the General Data Protection Regulation became effective in May 2018, we began to see pop-up windows on websites, requiring our consent to personal data protection. Waiting time for the connection with a consultant was extended by the information about personal data administrator. In clinics, we are no longer called by our names, but assigned numbers instead… There are many changes.
Perhaps you will be surprised by what I’ll say. The examples that you’ve mentioned should not actually have entered into force in May 2018, together with the General Data Protection Regulation. These issues had already been included in the previous acts governing this legal area and effective for more or less twenty years. GDPR is the effect of evolution of these regulations and was presented in the media as an act that enforces the application of legal regulations and provides for severe sanctions in the event of a failure to comply with them. It turns out that it was only then that many entities processing personal data took a number of actions intended e.g. to comply with the information duty and actual protection of such data.
Apart from the risk of sanctions, what are the other consequences of GDPR’s entry into force?
The previous approach of legislators was more formalistic. It was necessary to comply with certain formal requirements, however, we did not fully know whose interests were actually protected. GDPR offers a new philosophy based on the privacy by design approach. In practice, this means that personal data protection starts already at the moment of designing each activity and is carried out for people’s benefit, to make sure that nobody is hurt. Therefore, when thinking about any project, we need to ask ourselves whether we are going to process any personal data – what type, for what purpose and in what way. If I see a risk, I also have to plan the activities to minimise it. This applies to each entity: offices, universities, entrepreneurs, etc.
To process, which means…
… to perform any kind of operation on our personal data, including to collect, store, analyse or make them available.
The information duty is absolutely fundamental in this case. I should know that somebody processes my data for a specific purpose and be aware of the related benefits and risks. Therefore, I have the right to give my consent or refuse it, update my data, as well as to ask for restriction in data processing or complete data removal.
On the one hand, we should be aware that it’s worth protecting our privacy, on the other – let us also remember that personal data are processed in our interest.
So should we want our data to be processed by various entities?
There’s simply no point in rejecting such a possibility. Can we imagine nowadays the world without virtual access to our bank account, online shopping, credit card, social media or the option to resolve our issues in e-offices? These days, total opposition against personal data processing is equivalent to digital exclusion.
Once a transaction is completed, some entities continue to store our data, even if we ask for their removal…
Companies have certain obligations, for example towards the tax office, and consequently, they have to store certain information about completed transactions for five years. We have no influence on this type of data, which the entrepreneur is required by an external body to process, based on financial reporting provisions. This obviously does not apply to their marketing activities.
There are companies that offer for example a discount on subscription in return for consent to data processing for marketing purposes. Our data clearly have a specific market value…
An interesting question arises in connection with this issue. Is personal data information our right to privacy, or a measurable financial value? It turns out that companies pay a lot for databases. They also look for other solutions, such as promotions that you’ve just mentioned. We can give away our privacy for PLN 10 a month. Once people get to understand the consequences of such consents, the data price should go up. These are the market laws.
We don’t talk much about these consequences.
One of the examples is the so-called customer profiling. The apps that we can use for free often collect and analyse data about the actions we take online. In consequence, users of various mobile devices are appropriately profiled on this basis, as a result of which the prices of a single product on popular websites comparing the prices of flights, hotels, electronic equipment, etc. may be higher or lower. Computer programs know how much we are willing to pay. Let us also not forget about the risk related to hacker attacks on the databases that contain our personal data. As usual, knowledge is the basis. This issue is also governed by personal data protection regulations, including GDPR.
One of the Polish websites experienced how painful it is, when they had to inform their customers about the data leakage and got a record penalty payment imposed by the Personal Data Protection Office…
When we obtain such information, we should consider changing the password to our mailbox, or even removing it, in some cases also blocking our debit card or credit card in the bank, and telling our friends to watch out for unusual messages received from our mailbox or social media profile. Information is the key. We can also suppose that the well-publicised story of the website will make this and other entities check and improve their security.
Finally, I would also like to ask about the absurdities that we sometimes hear about in the media, related to incorrect interpretation of GDPR regulations. Did any of these stories particularly stick in your mind?
Such absurd cases mostly result from the fear of being punished – not for breaching the law, but for our imagination of what we can be punished for.
The most publicised case concerned the closing of one of the Polish cemeteries. There were monuments with data of people who bought plots for themselves while they were still alive. The administrator decided that they would not let anybody enter the cemetery until they obtain their consent for personal data processing. This absurdity lasted for three days. Another famous case was the school that prohibited reading the students’ attendance list with the first names and surnames. What made me laugh the most was the advertising offer for a… GDPR-compliant document shredder. So the basis is knowledge and proper interpretation of the regulations. Dr. Wojciech Wiewiórowski, who is currently the European Personal Data Protection Officer, once said that GDPR had been designed so as to organise and civilise personal data processing. This statement probably reflects the meaning of the existing regulation best.
Thank you very much for the interview.