DATA PROTECTION, DATA CONTROL AND DATA COMMODIFICATION: A RATHER OLD CONUNDRUM

Adopted in 2016, the General Data Protection Regulation (GDPR) recast the Data Protection Directive of 1995. This famous Regulation applies, in principle, to any processing of personal data across the EU, namely any processing of data that allows for the identification of (an) individual(s). Any personal data processing shall comply with a list of principles, namely lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation and integrity and confidentiality. Lawfulness implies that data processing be based on at least one of the listed legal bases, of which the consent of data subjects for one or more specific purposes is the most referred to when it comes to data transactions. Specific – i.e. more stringent – conditions are applicable in case of ‘sensitive data‘ such as health data.

The GDPR provides data subjects with rights (data subjects ‘ rights) the list of which has been broadened compared to the Data Protection Directive: Rights to transparency, information and data access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right not to be subject to automated processing.

Compared to the Data Protection Directive, the GDPR also reinforces security obligations and creates a new obligation to conduct a ‘data protection impact assessment‘ prior to any personal data processing that is likely to result in a high risk to the fundamental rights of individuals.