5 THE ITALIAN LAW JOURNAL NO. 2 (2019) The ‘User-Centric’ and ‘Tailor-Made’ Approach of the GDPR Through the Principles It Lays down by Francesco Giacomo Viterbo The European approach to online privacy and personal data concerns in the contemporary digital age appears to have embraced a ‘user-centric’ approach, inspired by values of ‘personalism’ and human dignity, regardless of the growing commercial value commonly given to personal data. DOI 10.23815/2421-2156.ITALJ ISSN 2421-2156
These two sides of the same coin have been taken into account by the GDPR. On the one hand, it seems to outline a system of protection of data subjects that presents certain similarities and connections with consumer protection directives, especially as regards the transparency principle and the aim to provide individuals with ‘effective’ protection, enforceable rights and awareness-raising activities. On the other hand, a radical shift in the data protection policies of big online companies and many other service providers is required by the implementation of the set of mandatory principles and obligations stated by chapter IV of the GDPR, while the notice-and-consent paradigm is now quite remote.
In particular, data minimisation, confidentiality, integrity, data protection by design and by default, as well as accountability and scalability principles require a model of approaching the new challenges brought about by data protection that should be ‘contextual’ and ‘tailor-made’. This means that the appropriate measures to be adopted by controllers and processors must consider the specific circumstances of each individual case, in accordance with a proportionality and reasonableness test on the extent of risks to the rights and freedoms at stake.
The new legal framework provided by the GDPR and Convention 108+ has weakened the role of national laws on personal data protection but has also posed the challenge of providing a uniform legal frame, at the European Union level, as well as of strengthening the harmonisation process among countries that are currently taking different approaches to data protection at a global level.
