Blog

Yesterday, January 28, 2024, Data Protection Day was celebrated, established by the Council of Europe in reference to the date of signing of the first international legal instrument on data protection, Convention 108 of the Council of Europe, which took place on January 28, 1981.

While this date marks the protection of personal data - all information relating to a natural person, directly or indirectly, identified or identifiable - the digital transformation of societies demands a concerted approach to all types of data: "data”; "personal data"; "non-personal data”; "open data”; "metadata”, etc.

It even seems that this is the "concertation” that the European legislator has sought to achieve in recent years, starting with the publication, in 2016, of the General Data Protection Regulation, the Data Governance Act, in 2022, or the Data Act, at the end of 2023, just to name a few examples. On the other hand, the matter of data also substantially shapes a set of other legislation that are essential in the puzzle of European digitalization, such as the already well-known legislative proposal on the Artificial Intelligence Act, the recently published eEvidence Act, or the exhaustively discussed proposal for a Regulation on privacy and electronic communications, also known as the ePrivacy Act.

Some scholars argue that the concertation to which we have been referring is not only intended to take place in the "Old World”, but to go further and have a global impact, and they highlight this circumstance by the European Commission's clear preference to adopt legislative acts under the form of Regulations, and not Directives, whose application extends beyond the European Union, as they are applicable to all those established in this territory, but also to all those operating there, even if established in any other corner of the world. This is called the "Brussels effect” which is, for example, reflected in the influence that the General Data Protection Regulation had on the regulation of personal data protection in non-European countries (e.g. Brazilian General Data Protection Law) and what is expected to be the impact of the Artificial Intelligence Regulation on other legal systems.

But the truth is that I cannot just talk about "data concertation”. Every day, we are faced with news of computer attacks and incidents that have compromised the security of the data of hundreds of organizations and those who interact with them, data that is then illicitly sold for a never-ending set of purposes, on the basis of indiscriminate data to feed Artificial Intelligence systems or "outside the box” and "sandbox” experiences. The number of recorded personal data breaches has been gradually increasing and in 2022 the National Data Protection Authority imposed 71 fines, worth 4,802,000.00 euros. Added to this are the countless, but understandable, difficulties that the Portuguese business sector, essentially made up of SMEs, continues to reveal in being compliant with the Goliath of legal impositions with which they have to deal "alone” in terms of data protection and processing. Under this situation, it seems to me that we can identify a certain – and pardon the neologism – data disconcertation.

But let's end on a positive note by recognizing that the path must be made and that there are already many people who daily, within their organizations, public and private, work to ensure that digital transformation - so supported by data - is made in a responsible, inclusive, and secure way. Let us also be part of this group. 

Note: .PT has updated its Privacy and Personal Data Protection Policy. Learn more here.