Users of different apps, systems, or devices are not always aware of whether and to what extent someone will be collecting and using data about them. People often do not even realize that somebody has started administrating this data. Experts attribute this to the rapid development of technology, which can now store large data sets on increasingly smaller devices. Moreover, there is a lack of awareness and information campaigns about data rights. The legal system is also struggling to keep up with the changes. Although the GDPR has been in force for almost six years, it is still not functioning as intended. New regulations are constantly arising, and the government faces the challenge of implementing them into Polish law and developing national standards.
– There are more and more processes generated by ever-smaller devices related to the acquisition, storage, and sharing of data in a rapid manner for various entities. We are not always aware of what happens with our personal data. And we do have rights. Often the real risk for us, the data subjects, is a lack of awareness, lack of knowledge about how various devices, apps, and systems respect our rights and provide us with certain guarantees. This lack of knowledge often results from our approach to privacy protection but also from certain deliberate actions by administrators using new technologies, their developers and manufacturers – says Monika Krasińska, Director of the Adjudication and Legislation Department in the Office for Personal Data Protection, in an interview with the Newseria Innovation Agency.
Mobile applications are often used to capture sensitive data. Last year, cybersecurity experts frequently warned about new applications available on the Google Play store that were advertised as offering services such as photo and video editing, voice changing, customization of wallpapers and themes on the phone, or streaming images from the smartphone to TV. In practice, these applications infected smartphones with the Harly Trojan, which allows hackers to read data from the device and use it for premium services.
– Any technology can be a threat if it is used for purposes that are inconsistent with the law, if it performs certain tasks set to it by administrators, who only consider their own, particular interests, disregarding the rights of the data subjects. There are also technologies that receive a lot of attention nowadays because of their specificity, the context of personal data processing, and the many risks their use poses to users. Examples include artificial intelligence, the use of various biometric identifiers, identification using biometric features in public space, and various devices and solutions using geolocation and RFID technology. There are many solutions linked to the processing of our personal data – lists the UODO expert.
An example of technology that on the one hand facilitates the management of municipal services, and on the other hand, can theoretically pose a risk to the security of personal data, is the use of RFID communication for tagging waste containers. If the municipality responsible for providing selective collection and its subcontractor do not provide appropriate safeguards, there is a risk that, for example, information about medications in a person’s garbage can fall into the wrong hands.
Although the European Union’s General Data Protection Regulation (GDPR) has been in force for almost six years, not all the instruments it provides for are being implemented.
– Although the GDPR is technologically neutral, it has set certain guidelines for respecting the rights of the data subjects. Such instruments include designing data protection from the earliest possible stage or so-called default data protection, which is supposed to ensure, among other things, automatic deletion of certain data or automatic transmission of certain alerts sensitizing us to data processing processes. The rapid development of new technologies has also introduced numerous risks, which required the EU legislator to take a deeper look at the completeness of regulatory safeguards for data protection. Therefore, many years ago, numerous additional regulations were started and partially completed, and some are still ongoing, in the European Union. These are also supposed to protect personal data and ensure their proper management and disposal – points out Monika Krasińska.
Legal changes are supposed to lead to a situation where the rights and freedoms of the data subjects will be respected. The new government, as the expert adds, will have to meet the legislative challenges related to translating the solutions developed at the level of European law into Polish law.
– We have many regulations issued by the European Union, as well as directives awaiting the proper adjustment of national laws to these acts. We have many tasks ahead of us, for instance, adjusting national laws to the Digital Services Act, the Data Governance Act, the Open Data Act – lists the Director of the Department of Adjudication and Legislation in the Office for Personal Data Protection. – It seems that the direction of legislative changes ensures respect for the rights and freedoms of the data subjects. However, simply creating law without proper compliance, without a culture of lawful processing, will not build the best models for future generations in terms of data protection.
She adds that it is also necessary to raise awareness among administrators and users and to ensure access to information about the fact that personal data is being processed. The language of such messages is crucial – it is often complicated today, full of technological names and legal terms, making it incomprehensible to users.
– Data subjects must be aware of what this process involves and must receive the information in such a way that they understand what the processing of their data entails – says Monika Krasińska. – We also have solutions that are designed in such a way that their users are not aware that their data is being processed, and that too by a large number of administrators and processors. Here, indeed, we need to improve the quality of the informational message.