Data Protection Day was celebrated on January 28 and this year also marks the 40th anniversary of Council of Europe Convention 108, a historic milestone in the construction of European data protection law.

The subject of data protection inevitably leads us to the infamous Regulation (EU) 2016/679 of the European Parliament and of the Council, commonly referred to as GDPR.

This legal instrument has profoundly changed the paradigm in matters of personal data protection and, almost five years after its entry into force, there is still a long way to go in Portugal with regard to its implementation, both in the public and in the private sectors.

Indeed, by restricting the analysis to the Portuguese legal system, reality still shows us a lack of maturity and sensitivity of organizations in terms of compliance with the regulations.

The Portuguese legislator has also shown a certain inertia in approving domestic legislation, which to a certain extent has contributed to the reluctance of Portuguese organizations to ensure compliance with European legislation.

Indeed, after a complex and long legislative procedure, Law No. 58/2019 was approved in August 2019 in order to ensure the implementation of the regulation in Portugal.

However, the approval of the law did not bring, as expected, greater legal clarity and greater security to organizations. In this sense, shortly after its approval, the National Data Protection Commission decided not to apply a significant part of the rules contained therein, considering that they violate the regulation, in flagrant violation of the principle of the rule of law of the European Union.

In addition, in comparison with the activity carried out by other supervisory authorities, we also highlight the lack of audit and inspection actions by the National Data Protection Commission, as well as the lack of promotion and availability of tools and means to help and inform organizations on a wide range of privacy and data protection issues.

The reality in other Member States, however, is significantly different. An example is the case of Spain, where, on the one hand, the Agencia Española de Protección de Datos (AEPD) made various instruments available with the aim of helping organizations to comply with the regulation. On the other hand, it is also worth mentioning the numerous supervisory actions carried out by this supervisory authority, which resulted in the imposition of heavy fines on non-compliant entities. For example, at the beginning of this month, the EDPS imposed a fine of six million euros on Caixabank SA, due to the lack of a legal basis for the processing of personal data.

As far as EU law is concerned, privacy, data protection and the digitization of the single market remain an urgent concern, with the proposal for a regulation of the European Parliament and of the Council on data governance (Data Governance Act) having been published at the end of 2020.

In general, this instrument aims to regulate the reuse of data in the public sector and the sharing of data between companies, by encouraging and strengthening interoperability and by creating mechanisms for sharing data in sectors such as health and energy. It is also envisaged to regulate the use of personal data through “personal data sharing intermediaries”, which should play a facilitating role for holders in the exercise of their rights provided for in Regulation (EU) 2016/679.

It should be noted that the legislative proposal is not limited to personal data within the meaning offered by the Regulation, defining as data “any digital representation of acts, facts or information and any compilation of such acts, facts or information, namely in the form of sound, visual or audiovisual recording”.

Also at the end of 2020, the European Commission released a package of legislative measures – the Digital Services Act and the Digital Markets Act – taking a new step forward in building and regulating the European Digital Single Market.

The Digital Markets Act establishes a set of obligations and limits to be observed by core platform services, that is, by companies that control essential services offered digitally (called gatekeepers), such as search engines, social networks or cloud computing service companies.

The Digital Services Act sets out obligations for intermediary service providers and for hosting service providers, among which stands out the mandatory implementation of mechanisms for reporting illegal content to the latter. It is also proposed to create a new alternative means of resolving disputes between users and platforms.

If, with regard to the digitalization of the market and the inherent concerns in terms of privacy and protection of personal data, we can conclude that the road ahead for Portugal is long and troubled, the same cannot be said in the context of European Union law. Indeed, the European legislator has sought to shorten this path by preparing and disseminating a set of legislative measures such as those described, in order to strengthen the right to privacy and data protection and to promote and build the digital single market.

It should not be forgotten that the transition to the digital single market, although necessary, must first and foremost ensure respect for the fundamental rights of citizens.

