Message on the occasion of the 16th Data Protection Day

Strasbourg, 28 January 2022

Today, 28 January 2022, we are celebrating data protection day for the 16th year. The idea behind this special day is to raise public awareness of good practices in data protection, pointing out the rights people have and how they can exercise them. This year the context is a particularly tricky one for human rights and fundamental freedoms, especially the right to private life and dignity in the processing of personal data.

There is not a day that goes by without a cyberattack on businesses, public administrations, school establishments, hospitals or international organisations resulting in the theft of personal and more often than not sensitive data of millions of people, jeopardising not only their rights, privacy, reputation or image, but also their physical, mental, moral and digital integrity. The recent attack on the ICRC shows how extremely serious these criminal acts can be when they endanger the lives of people who are particularly vulnerable or leave them exposed to discrimination, persecution or other violations of their human rights.

The expansion of digital technology is another area of concern. The digitisation of society is raising great hopes of improved living conditions and welfare. It is often – perhaps all too often – presented as the solution to all our problems. While it is undeniable that the development of information and communication technologies has been a factor in the progress made in numerous private and public sectors, the fact is that digitisation entails risks and may prove to be a formidable tool for the surveillance and instrumentalisation of people. As our societies become increasingly digitised, one of the major challenges is to guarantee that each and every person has control over their own data and is therefore free to make their own decisions and choices in this respect. The development of artificial intelligence, the systematic profiling of people, the virtually constant monitoring and tracing of our activities, movements and behaviour and the use of facial or vocal recognition, with the danger they bring of systematically and insidiously encroaching on our private life, are some of the key issues facing us. I believe it is a matter of urgency to react before it is too late and stop this march towards a society under blanket surveillance which could spell the end of human rights and democracy. The task before us is considerable. It is imperative to ensure that technologies are developed and used for the good of humankind and respect every person's dignity and right to self-determination in the information sphere. The right to private life and data protection is a fundamental right that is vital for the proper functioning of modern and democratic societies evolving in a digital environment.

The fact that the Covid-19 pandemic is still ongoing means that there is a continuing juxtaposition of public interest in combating the illness and safeguarding the health of the population on the one hand and respect for human rights and individual freedoms on the other hand. We must avoid pitting the protection of data against the protection of public health and instead strike a fair balance between the measures necessary to fight the pandemic and the protection of rights and freedoms. Requiring people to have health certificates or vaccine passports, contact tracing, checking compliance with quarantine or isolation rules and any other measures demanding the collection and processing of personal data prompt a great deal of questions and mistrust that are justified when those measures are not strictly governed by the rule of law and democratic rules. Intrusive measures of this kind must comply with the principles of lawfulness, fairness, proportionality, explicitly specified and legitimate purpose, and data minimisation; they must be limited in time and repealed once the health crisis is over. Risks of abuse cannot be ruled out and there is potential for drifting towards increased and permanent surveillance by certain public authorities or private-sector players. The utmost vigilance is required: civil society and individuals who are affected must not hesitate to call those infringements out. Data protection authorities must be unrelenting in playing their role of adviser and supervisory authority and punish any abuses they find.

Data protection day is an opportunity for us to remind everyone to be vigilant where the use of their data is concerned and exercise the rights guaranteed by our legislations. Data controllers and subcontractors have a duty to comply with their obligations of transparency, compliance and devising processing in such a way as to minimise risks of breaching rights and fundamental freedoms. Among other things, this requires the swift introduction or reinforcing of policies for education, awareness raising and training so that we can evolve in this digital world responsibly, inclusively and safely.

This special day is also a time to call for a substantial stepping up of data security and of efforts to combat cybercrime in order to radically reduce the risks of cyberattacks. Use of robust encryption and a rethink of the globalisation of data processing and storage, as well as system and data architecture, are some of the policies needed here.

Finally, the right to data protection must be urgently strengthened in order to guarantee for every person, whatever their nationality or place of residence, respect for their human rights and fundamental freedoms in personal data processing. Accordingly, I call on the States Parties to Convention 108 to ratify its amending protocol without delay so that Convention 108+ can enter into force rapidly and the way is opened for new States or international organisations to accede to the sole treaty with universal scope in this area.

Jean-Philippe Walter

Data Protection Commissioner