GDPR, the new paradigm of privacy legislation in the EU

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union, addressing also the export of personal data outside the Union, including Switzerland therefore. Essentially, the GDPR is a harmonization of the previous individual member State laws on privacy, adapting them to the extremely liquid context of our times, where information – or rather, data – is collected, processed and distributed on the Web, often without adequate control. The GDPR, a law introduced in 2016, became fully effective on May 25, 2018, as from that date the sanctions of the Guarantor (the European Data Protection Authority) will be applied in the event of non-compliance with the Regulation - sanctions which can be rather hefty (20 million Euros or 4 percent of annual global turnover)

The primary purpose of the GDPR is to better protect the information that companies and institutions collect on EU citizens, who must be explicitly informed about the collection of their personal or sensitive data, and about the kind of processing that the owner of the data, i.e. the company or institution that collects and processes them, intends to do. The secondary intent of the Regulator, which is just as important, is to raise awareness among companies to implement concrete measures for data protection in general, in the context of increased cyber risk in recent years. 

Will the new data protection Regulation have an impact also on businesses, institutions and citizens in Switzerland? On the day of the entry into force of the GDPR, at the USI Lugano campus Aula magna there was a half-day information and discussion event organized by ated-ICT Ticino, in collaboration with USI, SUPSI, Clusis and Security Lab, with keynote speeches by experts in the field covering the three main areas of application of the new EU rules: enterprises, public administrations and institutions, and cyber security and defense. 

The event was opened by the Dean of the USI Faculty of Informatics, Prof. Antonio Carzaniga, who offered a series of considerations on a few of the main articles of the new law: The Right to erasure, the Right to rectification, the Right to data portability, the principle of ‘data minimisation’, the concept of Privacy by design and of ‘sensitive data’.

Following these opening remarks, the Head of the Department of institutions of the Canton Ticino, Norman Gobbi, gave a speech on the relevance of the GDPR for the public sector. Mr. Gobbi explained that Switzerland, though not an EU member State, intends to adapt its legislation – at least in part – to comply with the GDPR, also to avoid compromising its economic interests in terms of free movement of data and information. Mr. Gobbi added that the effects of the new EU rules in Switzerland are limited to private and public organisations dealing in the European market, affecting essentially the private sector therefore.

On the topic of Research and innovation, which concerns the higher education sector (relevance of the prestigious ERC Grants), Zoltan Székely, lawyer and Security Data Protection Officer for several European research projects, gave an overview of the Horizon 2020 guidelines for the classification of information in research projects. With the introduction of the GDPR, any information or data collected should preferably be anonymised and kept for research purposes only, according the principle of ‘data minimisation’ (collect and process only the data that is essential to the research scope).

The symposium continued with speeches concerning topics related to business and industrial enterprises, featuring presentations by: Zulay Manganaro Menotti, lawyer at the EU Consejo General de la abogacía Española and lecturer at Università Cattolica in Milan; Rocco Talleri, lawyer and member of the Information Security Society Switzerland task force for the revision procedure of the Federal data protection law; and Paolo Lezzi, CEO at InTheCyber, a leading company in cyber defense and intelligence for business entities and institutions for the control on the efficiency of defense systems.

The event was closed with a panel discussion moderated by Alessandro Trivillini, head of the Digital Forensic Service at SUPSI and representative for Switzerland in the Action "MULTI-Modal Imaging of FOREnsic SciEnce Evidence (MULTI-FORSEE) - Tools for Forensic Science”, the European intergovernmental cooperation programme for scientific and technological research (COST).