The past year and a bit has been spent in the shadow of the COVID-19 pandemic, and a number of concepts that had previously been used only in scientific publications have become part of the public discussion. These include, among others, reproduction rate, flattening of the epidemic curve, and herd immunity. In addition to the emergence of some scientific concepts in our everyday conversations, another frequent side effect of the epidemic was the ongoing challenge to the practical applicability of data protection rules, which made data protection issues, often deemed remote and theoretical, widely discussed and alive. On the one hand, these were issues that affected everyone, and on the other hand, they went into the depths of the private sphere, including the monitoring of people's movements, their contacts and their health. Depending on the stage of the epidemic, there were various data protection "hot topics", ranging from contact tracing (including the use of applications for this purpose), analysis of movement/location data, and the applicability of various diagnostic tools (especially body temperature measurement and testing) to checking immunity against COVID-19 (e.g. travel certificates).
Now, as we are celebrating the 3rd anniversary of the GDPR, we should consider, in light of the experiences of the past year, what is needed for a proper data protection immune system?
There is probably no universal answer to this question, but in the light of the data protection developments of recent years, we may perhaps draw some conclusions:
- An appropriate regulatory framework is needed. There are obviously many criticisms of the GDPR, and its application may leave much to be desired, but at the same time, we must admit its importance, including the fact that it has taken a major step towards a more uniform data protection regime in the EU that aims at creating an environment that helps the development of the digital economy and society in a way that respects fundamental rights, including the right to the protection of personal data. It is perhaps no coincidence that the adoption of the GDPR has given a major impetus to data protection legislation around the world and, in many respects, has also provided a model for data protection legislation.
- There is a need to enforce existing rules. Rules can only come alive and provide a real, working framework if there is a clear, transparent and effective mechanism for enforcing them. Obviously, there are some challenges in this area as well, but the GDPR is a major step forward in taking data protection rules seriously (supported by the significant amount of fines), and the application of the one-stop-shop and consistency mechanisms makes enforcement more uniform at the European level. In addition, the introduction and monitored application of self-regulatory mechanisms (codes of conduct, certification) may also contribute to the application of rules in a way that takes sector-specific characteristics into account.
- There is a need to incorporate data protection rules into everyday life. To make data protection rules really work, they must be deeply integrated into data processing activities. This is the purpose of the principles that appear in the GDPR, such as the principles of data protection by design and data protection by default. The consistent application of such principles serves to ensure that data protection and data security prevail almost invisibly.
- There is a need for data subjects’ awareness. If we want data protection to be a truly viable and enforceable tool, it is essential that the wider public, the large number of data subjects, demand that their data be processed only with due care and only to the extent necessary. In the long run, this is perhaps the most important building block of a functioning data protection regime: it is important that it is everyone’s business, not just the whims of the few.
If the above pieces of the mosaic are in place and a wide group of people requires transparent, fair data processing that serves the rights and interests of data subjects, a data protection herd immunity may develop against inappropriate and unfair data processing, so that such ways of data processing cannot spread widely and vanish in the long run. Thanks to the vaccines available, we are also moving towards herd immunity to defeat the coronavirus. Similarly, we need to move consistently and persistently towards data protection herd immunity in order to help fair and transparent ways of data processing overcome the inappropriate ones. The GDPR is part of this process and its role is significant, but we are still far from the end of the road (perhaps it will never end); we need to continue to work to ensure that data protection is not a matter for the few, but for the majority, since it is about all of us.