Legal Magazin:
You are Doctor of Law from the “Babeș-Bolyai” University of Cluj Napoca, title you obtained with your thesis “Electronic payment”. Sensitive subject, because the interference of cyber criminals in these operations can cause financial damage to users. To what extent is the protection of personal data protected in this respect?
Attorney Dr. Raul Felix Hodoș:
I started researching electronic payment during my university years, when, under the coordination of Prof. Ioana Vasiu, I discovered the interest for interdisciplinarity in the study of such subjects. At that time, in Romania at the end of the 20th century, e-commerce was hardly making its place alongside traditional commerce, and approaching it from a legal perspective seemed, at first sight at least, exotic. The dialogues with Professors Ion Turcu and Dan Chirică and, later, with Professor Mircea N. Costin, who granted me the honour of being his doctoral student, have shown the way forward for a young lawyer at that time and whetted my appetite for knowledge.
From the study of electronic payment to the demands of personal data protection was only a step away. The year 2018, a turning point at European level in the field of data protection, given the applicability as of 25 May 2018 of Regulation (EU) No 679/2016, also meant the need to develop a new direction in the professional area, namely that of the data protection officer. From this, I can tell you that we are still at the beginning of a new era, in which the strong currency is represented by personal data, referring here not only to those of consumers, but especially to those of citizens who choose and are elected. Regulation (EU) No 679/2016 (GDPR) takes a big step forward in protecting personal data, by concretising the right to privacy in a world where the real and the virtual merge in what is now called the metaverse.
Legal Magazin:
Were people (business owners, managers, individuals) calmer in the days when everything was done in cash or through classic bank transactions, because the bad guys had fewer and less sophisticated means of action?
Attorney Dr. Raul Felix Hodoș:
The fiat currency ensured privacy precisely because payments remained largely anonymous. The classical banking system also ensured privacy by strictly enforcing banking secrecy. Its modernisation, first through computerisation and then through the opening of electronic teller machines on every phone connected to the internet, led to a universalisation of electronic payments and, by extension, an increase in the number of payment-related crimes. The security measures implemented were not only of a technical nature, but also restrictive legal rules were adopted. We can think here of the famous AML (Anti Money Laundering) Directives and the restrictive way in which they have been transposed into national legislation, particularly into Romanian legislation, with the declared aim of ensuring the traceability of payments. Under these conditions, we can no longer speak of anonymising transactions, but only of a certain confidentiality timidly ensured by banking rules, but especially by those of the GDPR and related legislation.
The answer to the question is: I think yes, people were more reassured, both in terms of the security of transactions, even if they were fewer and took longer to carry out, and especially in terms of the lack of multiple reporting obligations to various public authorities.
Legal Magazin:
How have things evolved in this respect in recent years in Romania and the European Union? What changes has the GDPR regulation adopted at EU level brought?
Attorney Dr. Raul Felix Hodoș:
Regulation (EU) No 679/2016 (GDPR) came to balance private interest with public interest in the area of privacy. The society described in George Orwell’s famous novel “1984” is every freedom-loving person’s nightmare, with freedom manifesting itself first and foremost in respect for freedom of thought and the right to privacy. Yet the natural tendency of states to exercise control over the life of the individual must be restrained so that the public interest is constantly balanced against the private interest. The regulation establishes this balancing test as a matter of principle, encouraging us to believe that a free society can develop despite technological developments that facilitate absolute control over the life of the citizen.
As far as Romania is concerned, we can say that it is in line with the trend adopted by other European countries, in the last three years being in third place, after Spain and Italy, in a ranking of fines imposed for GDPR violations according to their number. The Latin spirit is preserved in this area too, as far as we can see, but the law must be applied even if it often means taking onerous and time-consuming measures, in a word, unpopular. From this point of view, European rigour is welcome, protecting our rights sometimes even against our will.
Legal Magazin:
You support training courses addressing, from a practical perspective, the most common problems faced by data controllers in financial services. What are these problems?
Attorney Dr. Raul Felix Hodoș:
Awareness of the importance of personal data is probably the most difficult challenge for a data protection officer. As a new profession, regulated only in principle, it is all the more difficult for its members to convince representatives of personal data controllers that specific legislation not only protects data subjects, but is also beneficial to businesses, by meeting the requirements that any successful business has.
Compliance with GDPR requires not only legal or IT knowledge, but also an understanding of business, public administration and especially management concepts. The field of data protection is an inter- and multi-disciplinary area, where living bodies of the socio-economic environment need to be properly guided, without hindering their right to achieve their objectives as long as the rights of the data subject are respected. Neither the restriction of their activities nor excessive bureaucracy can be allowed, except to the extent that the law provides for the obligation of necessary measures for the protection of the data subjects. The universal use of the consent form for data processing, as long as other legal grounds exist, is such an example of unjustified use of resources. As far as financial services are concerned, the most common misapplications of the GDPR in connection with AML legislation are those relating to breaches of confidentiality of financial transactions and unwarranted exposure of personal data.
Legal Magazin:
Who are the people you contact? Can you outline a profile of the learner who is interested in improving their knowledge by drawing on your experience?
Attorney Dr. Raul Felix Hodoș:
As a professor of information technology law, including the protection of personal data, I am happy to meet people who want to develop their knowledge, whether they are students or practitioners in the field. The approach must be different, depending on the category to which the students belong. Thus, as the legal language is already familiar to 4th year law students or to lawyers and legal advisers participating in the professional training courses, the dialogue is more fluent and focuses mainly on the nuances of the application of European law in the Romanian legal area. As for data protection practitioners who do not have legal studies, the courses dedicated to them are built around the effervescence of opinions created on the basis of their fundamental training, most often in economics, IT, medicine.
Legal Magazin:
“Please note that some processing of your personal data may not require your consent, but you have the right to refuse such processing”. We are often confronted with such text when we open a website. Often we don’t even skim through it, we just click the “I agree” button in our haste to read what we are interested in. Are we doing the right thing? What should we do in such a situation? We are asking you because you are a specialist on “Consent and its conditions in data protection”.
Attorney Dr. Raul Felix Hodoș:
Indeed, as I said before, consent must be the last of the legal grounds that a personal data controller must use to justify his activity. We have to understand that some data processing, such as that required by law for the conclusion of the individual employment contract, is mandatory from both a legal and contractual perspective. In other cases, the public interest, the legitimate interest of the controller or the vital interest of the data subject may be invoked as a basis for data processing. Consent remains only as a subsidiary legal basis, which we find with excellence in marketing and advertising.
It is advisable to read the data protection notice because the respect for data protection by the controller is reflected in its text. Careless or standardised information will reveal the controller’s disinterest in protecting our personal data, which is of great economic value to him and without which his business would not prosper. In the digital world in particular, nothing is “free”, nothing is free, but everything is paid for by the hard currency we spoke about at the beginning of this discussion, personal data. Being in a contractual bargaining position when we are asked for consent, it is necessary that consent is always granted only as a result of a free decision based on fair and full prior information.
Legal Magazin:
In 2018, the Centenary Year, you gave a presentation at the conference “100 years of financial services in Romania”, which took place in Targu Mures. It was in that very year that the GDPR came into force, drafted as early as 2016. Did it find us ready, could we have done more in these 100 years to keep up with the “good world” of financial services, including in terms of technological evolution? We risk such a question although obviously the answer could stretch for tomes.
Attorney Dr. Raul Felix Hodoș:
Regulation (EU) No 679/2016 (GDPR), applicable as of 25 May 2018, has modernised and harmonised data protection legislation at European level. This does not mean that privacy and personal data were not previously protected in Romania not only by specific legislation, but also by constitutional and common law rules. The improvement of data protection legislation at European level came as a surprise to most countries, although the form of the Regulation was negotiated for several years, and two years after its publication in the Official Journal of the European Union was sufficient time to bring national legislation into line with its principles. As far as financial services are concerned, Romania is connected to the European system and, with the support of the National Bank of Romania and the Financial Supervisory Authority, the transposition of the European Union regulations at national level was done quickly and appropriately for the level of development of Romanian society. Technological developments require continuous updating of legislation from Blockchain to cryptocurrencies and from artificial intelligence to Fintech.
Legal Magazin:
To conclude, a short question: what is the main quality we must have to protect the privacy of our personal data?
Attorney Dr. Raul Felix Hodoș:
The answer is just as short: curiosity, even if it seems paradoxical.
0 Comments