The General Data Protection Regulation (GDPR) provides individuals with increased control over how their personal data is collected and used online, but more can and should be done to ensure that individuals are able to take back control of their online identities, the European Data Protection Supervisor (EDPS) said today, as he published his Opinion on Personal Information Management Systems (PIMS).
Giovanni Buttarelli, EDPS, said: “Our online lives currently operate in a provider-centric system, where privacy policies tend to serve the interests of the provider or of a third party, rather than the individual. Using the data they collect, advertising networks, social network providers and other corporate actors are able to build increasingly complete individual profiles. This makes it difficult for individuals to exercise their rights or manage their personal data online. A more human-centric approach is needed which empowers individuals to control how their personal data is collected and shared.”
The recently adopted GDPR provides for increased transparency, powerful rights of access and data portability, giving individuals more control over their data. However, it is not the final step in this process. Instead, it should be seen as the foundation for further efforts to improve how we enforce control over our online identities.
In his earlier Opinion on coherent enforcement of fundamental rights in the age of Big Data, published on 23 September 2016, the EDPS noted that current market conditions and business practices make it difficult for individuals to exercise their right to the protection of personal data and to other fundamental rights. In his Opinion on PIMS, the EDPS outlines his vision of a new reality, in which individuals, rather than online service providers, are able to manage and control their online identity.
The basic idea behind PIMS is that individuals would be able to store their personal data in secure, online storage systems and decide when and with whom to share it. As PIMS is an emerging technology, a variety of designs and business models currently exist. However, they all share the idea of strengthening fundamental rights in the digital world, whilst creating new business opportunities for PIMS providers, who would act as intermediaries between the individual and the online services they use.
PIMS technology may help to give individuals and consumers more control over their personal data. The EDPS encourages the Commission to support the development of innovative digital tools such as this and take policy initiatives that inspire the development of economically viable business models to facilitate their use. Effective implementation of data protection requires technological, economic and legal initiatives, which will help us to take back control of our online identities.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.
Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five-year term, they took office on 4 December 2014.
Big data: Gigantic digital datasets held by corporations, governments and other large organisations, which are then extensively analysed using computer algorithms. See also Article 29 Working Party Opinion 03/2013 on purpose limitation p.35.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).