The future of data protection and how to adapt to it

Estimated reading time: 7 minutes

The recently held #bigdataweek reminds us that monitoring data processing is a critical aspect of most strategic decisions and internet business models. We are faced with the widespread use of apps in mobile devices and in contexts with a major potential for data handling, such as the big data phenomenon, the Apache Hadoop software framework, or the emerging quantum computing.

Against this backdrop, the European Commission presented its Proposal of the General Data Protection Regulation on January 25, regarding the protection of individuals with regard to the processing of personal data and the free movement of such data (henceforth “Regulation”), which will replace the current Directive 95/46/EC.

The Regulation (as opposed to the current directive that requires a transposition process to make it applicable in national law of the Member States) will be directly applicable, will be hierarchically superior to Spanish law, and undoubtedly will have a major impact on the operations of the industry in general, and more specifically, on Internet companies and start-ups.

Among the new general aspects incorporated, the Regulation includes the tightening of sanctions for non-compliance, the increase in the principle of transparency in companies, the need to reinforce the level of personal data protection, the right to data portability, and the principle of accountability.

Aspects of the Regulation applicable to data processing in Internet companies

1. On a conceptual level

The Regulation designs a security architecture that takes into account both the technological process and the solutions offered for data protection by design –focus developed successfully by the Information and Privacy Commissioner, Ontario (Canada)- and by default. This new approach to data protection means that data protection is contemplated in the technology design phase of business models and risk analysis and management methodology are enhanced, as well as including the control panel for users as a privacy interface or other security technologies.

2. At an authority level

The new regulation introduces the key figure of the “data protection officer” with a wide spectrum of functions such as supervision, implementation and application of internal policies, auditing, information of the interested parties, and applications presented in exercising their rights, and monitoring document management.

3. Regarding processes

It establishes the impact assessment that must be carried out prior to data processing and proceeds to regulate the so-called “right to be forgotten”, both in search engines and digital footprint, in line with the Spanish ARCO rights. In other words, it specifies that public personal data on the Internet, such as hyperlinks or specific data, must be canceled by the controller when they are accessible in communication services that enable or facilitate their search or access.

Similarly, it includes a contingency plan in the event of data breach, which establishes the obligation to notify a personal data security breach to the supervisory authority within a period of no greater than 24 hours and, where feasible, to the interested parties.

Finally, mention should be given to other major developments introduced by the Regulation, such as the modification of the minimum age of minors to under 13 years of age regarding the direct offer of information society and social network services. On this point, it will be more important to sufficiently highlight the data protection and privacy policy on home pages and in registration forms in HTML format.


To sum up, I suspect that the legislator has once again made an assessment of data protection dissociated from the technological context, maintaining an asymetrical exchange between the fast technological evolution and legislation. In particular, regarding the evident tensions between regulation and the dynamics of the Web 2.0 that generate bilateral business models based on the exploitation of user data.

Although aspects such as account release, privacy by design and default, and the assessment of impact encourages the IT security culture in companies and operational criteria focused on risk management and the implementation of compliance programs, it is yet to be seen how regulatory solutions will evolve and what technical innovations will be introduced in the future.

Jose Manuel Pérez Marzabal (@jmperezmarzabal) is a lawyer who specializes in Internet and e-commerce at MTNProjects. Furthermore, he is a visiting professor at BES La Salle and a teaching consultant at Universitat Oberta de Catalunya (UOC). He has a Master’s degree in International Law (LL.M) from WWU Münster and a Diploma in Advanced Studies in International Law and Economics from the University of Barcelona.