COMPRENSION LECTORA

ANEXO N° 03 FICHAS DE TRABAJO

Considering that the processing of personal data forms a source of risks for data subjects and society, the GDPR can be seen as a policy response to these risks.82

Presumably, this response is based on an assessment of the threat and an appropriate solution that is testable to a reasonable degree, to allow for meaningful evaluation of the legislation and to promote coherence in judicial decisions. However, the extent of

78 _{European Commission, ‘Amended Proposal for a Council Directive on the Protection of}

Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data’ (European Commission 1992) COM (92) 422 fnal.

79 _{European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection}

of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ L 281/31, p. 31–50 (Data Protection Directive).

80 _{Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the}

European Community, signed at Lisbon, 13 December 2007, OJ C 306, p. 1–271

81 _{European Commission, ‘Safeguarding Privacy in a Connected World. A European Data}

Protection Framework for the 21st Century’ (European Commission 2012) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions COM(2012) 9 fnal 3 <http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uridCOM:2012:0009:FIN:EN:PDF> accessed 20 March 2019; European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) COM(2012) 11 (FINAL)’ (European Commission 2012) <https://eur-

lex.europa.eu/legal-content/EN/TXT/?uridCELEX:52012PC0011> accessed 19 March 2019.

82 _{‘Regulation can be seen as being inherently about the control of risks, whether these relate}

to illnesses caused by the exposure to carcinogens, inadequate utility services, or losses caused by incompetent fnancial advice.’ Robert Baldwin, Martin Cave and Martin Lodge, Understanding Regulation: Theory, Strategy, and Practice (2nd edition, Oxford University Press 2013) 83; TNS Opinion and Social, ‘Special Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union’ (European Commission 2011) Survey s 1.4.1.

the risks of big data is not yet fully clear.83_{For-proft surveillance of a large part of the}

populace has no precedent in modern history. Government surveillance at the scale of entire populations used to be expensive and labor-intensive, and was therefore practiced only by the most totalitarian or authoritarian of regimes. But it is now becoming a viable option for almost any government, especially if governments dominate large areas of a society’s economic and social life, or if private companies can be convinced or coerced to cooperate in surveillance eforts.84

Even though the development of big data applications is relatively recent, societies have some experience dealing with power diferentials and unknown risks of new technologies through legislation. The interplay between risk perception, power relations, fairness and legislation has been described and modelled, mainly in economics and the social sciences. Competition law and consumer protection law have the preservation of fairness and the moderation of the efects of power diferentials as their focus. Similarly, questions surrounding the regulation of technological risks have also raised matters of fairness and power diferentials, and models have been developed to better understand the interplay between relevant actors. These models have also been used in legislation, e.g. in environmental protection law. This provides a number of points of reference to compare data protection legislation with legislative eforts in other areas.

The GDPR aims to regulate several types of risks. A number of examples from the recitals:

• risks against the “rights and freedoms” of natural persons (Recitals 3 and 9), sometimes focused on sensitive data (recital 51);

83 _{Nadezhda Purtova, ‘Who Decides on the Future of Data Protection? Role of Law Firms in}

Shaping European Data Protection Regime’ (2014) 28 International Review of Law, Computers & Technology 204, 209 <http://dx.doi.org/10.1080/13600869.2013.801591> accessed 20 March 2019.

84 _{Maya Wang, ‘China’s Chilling “Social Credit” Blacklist’ Wall Street Journal (11 December}

2017) <https://www.wsj.com/articles/chinas-chilling-social-credit-blacklist-1513036054> accessed 21 May 2019; Sharon Weinberger, ‘Son of TIA: Pentagon Surveillance System Is Reborn in Asia’ (WIRED, 22 March 2007) <https://www.wired.com/2007/03/son-of-tia- pentagon-surveillance-system-is-reborn-in-asia/> accessed 21 March 2019; See also the now-defunct Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public

communications networks and amending Directive 2002/58/EC, [2006] OJ L 105/54 (Data Retention Directive).

• the risk that children are not fully aware of the risks involved by the processing of their data at the moment they consent to processing (recital 65);

• more generally, “risks to the interests and rights of the data subject” or “risks inherent in the processing” of personal data, including the risk of discriminatory efects (recitals 71, 83, 122).

This focus on risk management justifes an exploration into the degree to which the GDPR employs current theories on risk identifcation, evaluation and management. Such an exploration seems especially justifed when considering, as will become clear in subsequent chapters, that several other felds of EU legislation have indeed incorporated testable models developed and verifed in a scientifc context.

In this research, the GDPR is evaluated using a limited number or models regarding distribution of power and technological risk. These models have originated in the social and the exact sciences. They are briefly mentioned here; their relevance and application in this book will be discussed in section 1.8 below (Methodology):

• Neil Komesar’s method of comparative institutional analysis from the feld of law and economics is used to evaluate or model the results of choosing a large-scale decision-making process to which a class of decisions is (to be) assigned. In this research, this method is applied to compare several options of decision-making where the processing of personal data is part of a consumer contract;

• Michael Barnett and Raymond Duvall’s theory of power in social relations from the social sciences is used to compare the GDPR with EU consumer protection law to assess the GDPR’s protection against unfair contract terms and unfair commercial practices where the processing of personal data is part of a consumer contract;

• Ulrich Beck’s theory of the risk society, Charles Perrow’s theory of normal accidents, and Andreas Klinke and Ortwin Renn’s approach to risk evaluation and management, also stemming from the social sciences but partly based in the exact sciences, are used to compare how the GDPR and various EU legal instruments of environmental protection law acknowledge and deal with technological risks; • The science of complex systems is used to evaluate the expected efectiveness of

two articles relating to the processing of sensitive personal data as defned in article 9(1) of the GDPR.

European Data protection law has shown periods of relative stability punctuated by moments of substantial change. The development of new iterations of regulation can take over a decade and is likely to involve fnding acceptable compromises between conflicting interests and viewpoints. The GDPR, for example, replaces a directive that came into force 23 years earlier; the directive from 1995 succeeded a Council of Europe treaty from 1981. The European Commission hopes that the GDPR will be future proof for decades to come.85

But long periods of legislative standstill increase the risk that data protection law becomes less efective due to technological progress. The years between subsequent iterations could therefore be used to increase our understanding of the efects of both innovation and legislation on risks and power relations, and to build a body of jurisprudence where the assumptions of legislators are tested against the outcomes of real-life disputes before the courts. The aim of gaining these insights is to systematically improve the efcacy of the law. Still, we must recognise, as Coase did, that both the presence and the absence of regulation will rarely result in any sort of optimal solution.86

In document Programa de intervención psicopedagógico recuperativo en Comprension Lectora dirigido a 12 estudiantes de 4º grado “C” de educación secundaria de la Institución Educativa “Cristo Rey Cutervo, Cajamarca 2016 (página 167-172)