What is meant by the protection of personal data?

Article 18 of the Spanish Constitution protects the fundamental right to honor and to personal and family privacy. Article 18.4 was a pioneer in referring to the fundamental right to personal data protection, limiting the use of computers in order to guarantee honor, personal and family privacy and the full exercise of citizens' rights. In its ruling 94/1998, the Constitutional Court pointed out that this is a fundamental right of the citizen to the protection of data, so the citizen's control over the data and over its use and destination must be guaranteed, to prevent illicit or harmful trafficking in it. In ruling 292/2000, the Court empowers the person to decide which data can be transferred to third parties and to oppose its possession or use.

This right was developed in Organic Law 5/1992, known as LORTAD, which was replaced by Organic Law 15/1999 on the Protection of Personal Data, transposing Directive 95/46/EC of the European Parliament and of the Council. It is also included in Article 8 of the Charter of Fundamental Rights of the EU and in Article 16.1 of the Treaty on the Functioning of the EU, thus establishing a common space to guarantee the right.

The last milestone in this development was the adoption of Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as well as Directive 2016/680 of the European Parliament and the Council with regard to the processing of personal data.

The General Data Protection Regulation (RGPD, the Spanish acronym for the GDPR) aims, through its direct effect, to overcome the obstacles that prevented harmonization under Directive 95/46/EC. It is adapted to the Spanish legal system through Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights.

Why is it so important?

Life on the Internet, which in 1993 had only 100 websites, is a reality in our personal, professional, economic and private lives, both individually and collectively, and even more so now under the new normal brought about by the COVID-19 pandemic. The principle of Net Neutrality provides the framework for all data traffic passing through the network to be treated without discrimination. Spain is working on the renewal of the Communications Law that includes this principle, among others, and is part of the projects included in the España Digital 2025 strategy.

Given the ease of sharing data between third parties, the spread of devices that collect information using IoT technologies (wearables, smartphones, home automation), Machine Learning / AI algorithms, and the speed and possibilities that 5G networks provide, we find ourselves in a scenario in which, without effective and forceful regulation, the fundamental rights of citizens could be seriously violated, leading to serious situations of exclusion or defamation.

As the Cambridge Analytica case showed, this could allow collective control of and influence over public opinion, or persecution for ideas. Such is the case with the proliferation of surveillance cameras in cities with artificial vision systems, or with the possibility of accessing the recordings that Google makes of voice fragments that it periodically collects from users' devices.

Can the devices violate my right to data protection? How can I protect myself?

Yes. Once the corresponding permissions have been granted, devices can capture personal data and store it in the cloud for analysis, classification and internal use or later sale. The RGPD provides protection by allowing each citizen to exercise, before the data controller of any entity or service, their rights of access, rectification, objection, erasure, restriction of processing and portability, and the right not to be subject to individualized decisions. Likewise, the regulation establishes 3 layers or levels in the types of data, with different responsibilities and obligations for each, governed by the principles of "lawfulness, transparency and fairness", "purpose limitation", "data minimization", "accuracy", "storage limitation" and "integrity and confidentiality", and the principle of "proactive responsibility" (accountability).

The RGPD establishes an umbrella of protection across the countries operating in Europe. A company that markets a service in Europe must ensure compliance. With the US, this has given rise to frameworks such as Safe Harbor and Privacy Shield, but today there is a great deal of controversy on the subject, as the Trump administration is very likely to be more lax with data protection rights than its predecessor Obama. The United States has passed the Patriot Act, which gives the state the power to monitor its citizens.

At the user level, exercising rights often requires reviewing the configuration of permissions for applications and services on the devices they usually use, or making requests to the relevant data processors.

Am I obliged to subscribe to the COVID Radar application knowing that it can violate my rights?

Its use is not mandatory, and the source code has been released to provide transparency about the use made of the information it collects. Now, in times of national emergency, is it an act of individual responsibility to install it? No. This was the origin of the Patriot Act in the USA in the wake of 9/11. The context and use of this application must be understood and limited in time, as must the data it collects.

With teleworking, can they monitor what I do, access my computer, etc.?

Organizations that used their digital transformation programs to enable their employees to telework effectively usually have VPNs (virtual private networks) and corporate accounts that manage the installation, use and management of applications on the organization's devices (assets). In turn, these organizations usually install applications on the employees' devices so that they can take remote control of the devices in case of technical incidents that prevent normal work. In the case of Google and its corporate accounts, the history of searches, navigation, visits, etc. is stored with the profile information. If the administration permissions are not correctly managed, or the passwords are not kept private and frequently renewed, some people within the organization who know the profiles may try to access the content of colleagues with illegitimate interests.

If the company complies with the RGPD, it should not violate, intercept, capture or harm the privacy rights of workers. However, many companies faced with the urgency of working remotely, which had not completed their digital transformation plans or did not have business continuity plans in place, will find themselves in situations where employees are using personal devices for teleworking. This carries much more risk for both the employee and the company, as personal devices normally do not have anti-virus, firewall and control policies carefully designed to prevent attacks or undesirable actions by third parties.

And if there are several of us at home, what happens?

The problem of personal devices grows when there is a single device for several users in the house. In these cases, the recommendation would be to warn all family members and make them aware of the responsibility and risks of using this device, and to activate parental controls when necessary.

Sources:

Spanish Data Protection Agency (https://www.aepd.es)
Association of Internet Users (https://www.internautas.org).
Google records your voice https://www.20minutos.es/noticia/2762528/0/google-graba-almacena-tu-voz-donde-como-borrarlo/
https://www.bbc.com/mundo/noticias-39431051
https://hipertextual.com/2020/09/radar-covid-codigo-fuente-ios-android