THE COLLECTION and storage of personal information is an essential part of life in the digital realm. But while businesses need to take advantage of the continually evolving computing and information-sharing landscape, consumers must be able to navigate safely though the digital age.
This requires proper protection of personal data and confidence that everybody’s personal data is safe from abuse. To enhance the current law and transpose European legislation, the Slovak government has prepared a new law on protection of personal data to replace the current legislation, which was last updated in 2005. The Slovak cabinet approved the draft bill on January 9 and it is now undergoing parliamentary discussion.
“The main aim of the draft of the new law on protection of personal data is to enhance its transparency and comprehensibility, which is directly related to an increase in legal certainty for all involved subjects,” Zuzana Valková, the director of the department of legal services and international relations at the Office for Personal Data Protection, which elaborated the draft bill in cooperation with the Justice Ministry, told The Slovak Spectator.
Jana Zlatohlávková, spokesperson of the Justice Ministry, specified that the new law also transposes the Directive 95/46/EC from 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Its aim is also to strengthen the independent position of the Office for Personal Data Protection.
The draft bill brings more precise definitions of terms based on implementation of needs stemming from real life, adjusts the legal arrangements within the processing of biometric data as well as cross-border transfer of personal data, Valková specified. The draft bill also fundamentally changes the legal institute of the responsible person, from which the office expects an increase in the standard of personal data protection.
Since the last, more significant amendment to the original law was adopted back in 2005, the draft bill also reflects the social developments, technological changes as well as requirements for personal data protection, which have affected how data is processed, accessed and transferred beyond borders.
Zlatohlávková specified that originally the new law should have become effective as of April 1, 2013, but due to the course of the legislative proceedings this date may be postponed to May 1 or June 1, 2013.
Due to the large variety of information that may have the characteristics of personal data, the current Slovak legislation does not specify which data is considered to be personal data, Valková explains, adding that any data that speaks of a person as an individual, and on whose basis it is possible to identify this person, is considered personal data. The draft bill on protection of personal data does not make any changes to this.
Jaroslav Oster, senior consultant at Info Consult and advisor to the zodpovedne.sk project, focusing on responsible use of the internet, mobile phones and other new technologies, welcomes the new law.
“An indisputable contribution is the creation of a new legal norm, which defines the rights and duties of all parties in the process of processing personal data in a more transparent way,” Oster told The Slovak Spectator. “Harmonisation with requirements of EU directives as well as incorporation of experiences from practice … was already an inevitable requirement of the current times.”
Among the fields requiring changes, he listed, for example, responsibility for security of personal data processing.
However, Oster noted that while the current draft bill takes into account today’s conditions, the issue of security of information systems, and thus also personal data protection, is a living process, subject to dynamic changes, and thus a legislative norm of a similar type cannot be perceived as a static element that settles over time and unambiguously defines everything, particularly the emergence of unexpected phenomena.
Pavel Nechala from law firm Nechala & Co, who is the law and regulation expert at Transparency International Slovakia, is critical of the draft bill.
“Primarily it is necessary to say that the current legal norm setting personal data protection in Slovakia is very strict on one hand, but it failed to be implemented in the expected way,” Nechala told The Slovak Spectator. “Alas, the draft of the new law deepens the formalistic approach and strengthens restrictive tools towards operators and intermediators of information systems.”
According to Nechala, margins or reserves in personal data protection should be sought in the operation of the Office for Personal Data Protection rather than in the law itself, when the office has issued only minor binding stances and has not been properly staffed and financed. Nechala also doubts whether strengthening the powers of the employees of this office would help to achieve the primary goal of the law on personal data protection, which is also the case with the 1995 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data.
“The Directive 95/46/EC itself is assessed as insufficient and a discussion about a new regulation in this field is being held,” said Nechala.
When assessing personal data protection in Slovakia and the general public’s awareness of the need for protecting this data, Oster said that the generally low level of legal awareness is a limiting factor, but that this is not only the case of Slovakia.
“I dare say that the majority of the population does not realise, nor often even acknowledges, real threats,” said Oster. “They do not realise the existing danger of personal data abuse and not at all the context of the growing risk caused by the increasing use of internet technologies.”
In this respect he used as an example social networks and the spectrum of data that those who use them disclose without contemplating the potential consequences.
This can only be assessed as dissatisfactory and unacceptable, said Oster, adding that people should learn about personal data protection when they are learning the basics of computer technologies in school and from their families.
The most common form of personal data abuse is identity theft for various purposes.
“Personal data can be used for creation of a false profile at a social network or, within another form of electronic communication with the usage of this fictitious identity, the attacker can act on behalf of the real holder of this identity,” said Oster. “He or she can, under his or her name, defame, harass, blackmail or establish contacts.”
He added that the anonymity of the personal data abuser enables him to conduct activities of an economic character, for example ordering goods from electronic as well as brick-and-mortar shops or closing agreements of various kinds.
“From the viewpoint of the person whose personal data has been abused, this may mean a spectrum of various dangers – from harming his or her reputation up to the loss of property,” said Oster.