Celebrating Data Protection Day 2025

Some thoughts on Proportionality, too much law, and other Privacy matters on 28 January, Data Protection Day, marking the anniversary of the Council of Europe’s Convention 108
Image for Data Protection Day 28 January 2025 created by Magic Studio

Data Protection Day is always 28 January, to mark the opening for signature in 1981 of Convention 108, the first – and still only – legally binding international instrument setting out data protection rules to protect privacy and personal data.

Image for Data Protection Day 28 January 2025 created by Magic Studio

Image created by AI: Magic Studio

Many organisations use Data Protection Day to promote awareness of data protection amongst colleagues. And many regulators organise events or create materials to help.

For example, the UK ICO held an introductory webinar on Data protection for beginners:

‘Data protection experts from the ICO’s Business Services team will share easy advice and tips to help you put data protection law into practice in your small business. Starting with the data protection basics, you’ll also get practical guidance on responding to people’s requests, keeping personal information secure, personal data breaches and direct marketing to support the day-to-day running of your business.’

That’s a great initiative with free advice from the UK’s data protection authority.

Likewise, the EDPB published a video to raise awareness of why data protection matters with the opening line: ‘If someone asked you to answer 100 questions about your personal life to sell the answers, would you agree? Most likely not.‘ In just 2 minutes, they cover what personal data is, when you may unknowingly be sharing your data, why data protection matters, what GDPR is, and that you’ve rights if your data isn’t being protected.

A packed 2 minutes, well worth using in your organisation’s training program.

 

The CPDP – Data Protection Day event

The Council of Europe (CoE), CPDP Conferences and the European Data Protection Supervisor (EDPS) co-organised this one-day event on the current and future landscape of data protection. Our CEO, Robert Baugh, was an online attendee at the session ‘Beyond Privacy: Unveiling the true stakes of data protection‘, here are his personal thoughts on that insightful panel session, to mark the day.

 

Great to see a varied panel with varied opinions

GDPR and other data protection laws affect us in varied ways, whether as an individual, a business, or a regulator. So it was excellent to have panellists including representatives of  AI-driven marketing, the EU courts, and NGO campaigners.

The session was at times feisty, but I would say always respectful, and expertly chaired. It’s good to see challenge within a panel, and it was good to see emotions on all sides, as data protection is intensely personal and even more so at present with the ubiquity of AI – underlined in my mind by two recent events:

  • US Tik Tok users leaving Tik Tok and joining Chinese competitors, pushing RedNote to #1 free app on the US iOS App Store, and
  • the open-source release of Deepseek’s seemingly cheap-but-equally-powerful AI system and model disrupting the markets, literally, wiping 16.9% off Nvidia’s market cap in one day and leading to many compliance warnings on LinkedIn.

 

Responsible AI and the AI arms race

We heard a spirited defence of the responsible use of AI, within the context of immense change brought on by AI (and only accelerating) and immense competition between Europe, the US and China to win the AI arms race.

The Deepseek example shows that we’re still very early in the AI journey. We all live in our own bubble, and Deepseek certainly popped the US AI bubble. It’s quite possible that the major players in AI in 50 years are not even created yet.

European AI companies are clearly taking responsibilities in their creation and use of AI seriously – as, no doubt, will EU regulators in future. With the US executive orders on AI torn up, the EU AI Act coming online, and China’s regulatory and governmental activities in AI, we’re about to live through an interesting experiment in the effect of differing regulatory landscapes and economic conditions on technology development and implementation.

 

Proportionality

Freedom of thought and freedom from torture are absolute rights but most, including to privacy, data protection and to do business have to be balanced against each other in the context of well-understood and long-standing laws and case law.

The principle of proportionality is the key when balancing competing rights, though it’s not without its difficulties even at the highest level of tribunals.

We’re used to the legitimate interests assessment, balancing a business’s legitimate interests (ie: a desire rather than a right) against the fundamental rights and freedoms of the data subject, the individual. This is hard or easy enough at the micro level.

But what about at the macro level, when private sector organisations scrape the world’s data to push forward their own tech solution? What about IP, data protection and privacy, confidentiality and how do they compare and compete with the interests of an organisation? When and how does the public interest become engaged, not wanting to stifle domestic advances in the fact of global competition? Very hard questions to answer.

 

There’s.  Just.  So.  Much.  Law.

GDPR is a lengthy law. Then there’s the EU AI Act, all the EU D[insert initial here]A laws, the UK Online Safety laws, and guidance on all these, simply overwhelming even the professionals in the field.

Is there too much law? Where’s the balance with principles-led laws and specificity?

Several on the panel noted how hard it is to keep up with all the EU laws in the digital arena, and these are the top professionals in their fields.

Several also noted that this is overwhelming for SMEs, who need help navigating this vast ocean.

 

Data collection matters

Yesterday was the 80th anniversary of the liberation of Auschwitz, and a panellist gave a very poignant and powerful reminder that, while the vast collection of data may be put forward on a seemingly innocuous basis, that dataset can then be used for other objectives.

It’s absolutely correct, on this day, to remember that modern data protection law can trace its history to the Universal Declaration of Human Rights, the international reaction to the atrocities of the Second World War made possible by the mass processing of personal data, as the UN records:

The Universal Declaration of Human Rights, which was adopted by the UN General Assembly on 10 December 1948, was the result of the experience of the Second World War. With the end of that war, and the creation of the United Nations, the international community vowed to never again allow atrocities like those of that conflict to happen again. World leaders decided to complement the UN Charter with a road map to guarantee the rights of every individual everywhere. The document they considered, and which would later become the Universal Declaration of Human Rights, was taken up at the first session of the General Assembly in 1946.

In a fascinating echo of today’s differing views on AI regulation, the treatment of personal data and the value of human rights, the UN also records the differing underlying philosophies of China and the West when considering the draft Universal Declaration:

‘The Commission on Human Rights was made up of 18 members from various political, cultural and religious backgrounds. Eleanor Roosevelt, widow of American President Franklin D. Roosevelt, chaired the UDHR drafting committee. With her were René Cassin of France, who composed the first draft of the Declaration, the Committee Rapporteur Charles Malik of Lebanon, Vice-Chairman Peng Chung Chang of China, and John Humphrey of Canada, Director of the UN’s Human Rights Division, who prepared the Declaration’s blueprint. But Mrs. Roosevelt was recognized as the driving force for the Declaration’s adoption.

The Commission met for the first time in 1947. In her memoirs, Eleanor Roosevelt recalled [my emphasis]:

Dr. Chang was a pluralist and held forth in charming fashion on the proposition that there is more than one kind of ultimate reality. The Declaration, he said, should reflect more than simply Western ideas and Dr. Humphrey would have to be eclectic in his approach. His remark, though addressed to Dr. Humphrey, was really directed at Dr. Malik, from whom it drew a prompt retort as he expounded at some length the philosophy of Thomas Aquinas. Dr. Humphrey joined enthusiastically in the discussion, and I remember that at one point Dr. Chang suggested that the Secretariat might well spend a few months studying the fundamentals of Confucianism!’

 

Forward from here

The UN notes that ‘[t]he entire text of the UDHR was composed in less than two years. At a time when the world was divided into Eastern and Western blocks, finding a common ground on what should make the essence of the document proved to be a colossal task.’

This should gives us all hope that we can agree on these universal rights in the world of AI.

And, for even more inspiration, Hernán Santa Cruz of Chile, member of the drafting sub-Committee, wrote:

I perceived clearly that I was participating in a truly significant historic event in which a consensus had been reached as to the supreme value of the human person, a value that did not originate in the decision of a worldly power, but rather in the fact of existing—which gave rise to the inalienable right to live free from want and oppression and to fully develop one’s personality. In the Great Hall…there was an atmosphere of genuine solidarity and brotherhood among men and women from all latitudes, the like of which I have not seen again in any international setting.

 

 

 

 

 

Topics:

Related Articles