On International Data Privacy Day, we prepared an overview of the state of protection of digital privacy and personal data in the national and European context.

The beginning of the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), on 25 May 2018, was marked by the lack of preparation of public and private entities to comply with their new legal obligations and the assumption by some regulators (such as the Portuguese one) of the inability to apply it. In addition, we recall the delay in the publication of the GDPR execution law in some legal systems, including the Portuguese one. In Portugal, the publication of the execution law was also marked by the position of the National Commission for Data Protection, which ordered the non-application of 9 of the 68 rules of Law No. 58/2019, of 8 August, as they were considered in violation of European Union law.

Having overcome this troubled initial period and marked by a considerable uncertainty and insecurity concerning to the obligations implemented, we can now say that we are at the stage of implementing and effectively controlling the GDPR. According to the report published by DLA Piper on 20 January 2020, since the beginning of the application of the GDPR, European regulators have imposed fines in the total amount of 114 million euros. The list of countries that imposed the highest fines is led by France (position to which contributed greatly the very large fine imposed by the French authorities to Google), Germany and Austria, with Portugal appearing in tenth place.

In addition, it should be noted that the innovations introduced by the GDPR implied the revision and updating of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (“e-Privacy Directive”) and it was already been presented the proposal for a new regulation to replace that directive. In an attempt to update and modernise, the confidentiality rule for electronic communications is now applicable to operators of over the top (OTT) services, such as Skype and WhatsApp, and it is established new rules for the sending of commercial communications and the use of electronic behavior tracking mechanisms (e.g. cookies).

In this legislative context characterised by an intense strengthening of digital privacy and the protection of personal data, it is clear that citizens are becoming increasingly aware of the importance of these rights, which until then were seen as secondary. This awareness reflects the planetary scale that cases such as the Cambridge Analytica case have reached. In our view, there is now an urgent need to empower citizens to deal with and exercise their rights to electronic privacy and to personal data protection, and we are looking forward to the future developments.

Rita Gabriel Passos

Pinto Ribeiro Advogados has a team with extensive skills and practical experience in the field of personal data protection, who can help your organisation ensure compliance with the GDPR. If you have any questions please contact us by email (geral@pintoribeiro.pt)