
In today's globalised business environment, data has become a valuable asset and new currency. But are we willing to pay a high price for our newfound convenience? Data Protection Day, which is celebrated annually on 28 January by the Council of Europe, serves as a crucial reminder for businesses to prioritise the security and privacy of their customers' and employees' personal information.
Ensuring the proper protection of personal data is becoming increasingly challenging in the face of rapid advancements in information technology. The introduction of new digital solutions, such as cloud technologies, Big Data, artificial intelligence, and the widespread use of the Internet of Things (IoT), significantly increases the amount of data collected and processed. This, in turn, increases the risk of unauthorised access, leakage, manipulation, or other misuse of personal information.
Data Protection Day was launched in 2007, but why does it still matter in the tech area?
Minimising risks
It is vital to mitigate financial, legal and operational risks associated with data breaches. Organisations face potential regulatory fines, lawsuits and operational disruptions in the aftermath of data breaches. Data insecurity can lead to privacy violations (identity theft, financial fraud, and violation of privacy rights), financial losses due to data leakage, and irreversible damage to public trust.
Embracing innovative environments
Technological innovations are being embraced, offering benefits but also privacy concerns. AI systems process personal and sensitive data, so data protection measures are needed to prevent misuse and ensure ethical application. As technology advances, so do system vulnerabilities. Cybercriminals are expected to enhance their capabilities and perpetrate more severe offences. They will use diverse methods to gain unauthorised access to systems and data.
Complying with new regulations
All organisations must comply with data protection regulations. Regulations emphasise the rights of individuals to privacy and control over their information. Fines and legal consequences may result from non-compliance. Adhering to these principles enhances the sense of security around sensitive data held by external organisations and helps prevent manipulation of individuals' online activities.
How does the data privacy regulatory framework work?
A range of global regulations govern the processing, storage, and transfer of data.
These regulations aim to guarantee the confidentiality, integrity, and availability of personal data. Alongside this, court practices have been established to set out the basic principles for the application of the legal norms in this area. This section will review the key legislative acts and court cases that regulate data protection.
In the European Union:
The EU Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS — 108) was opened for signature in 1981. This Convention is the first international treaty dedicated to the protection of personal data and served as the basis for the development of many modern legal norms. The agreement sets out general data protection principles, such as lawfulness, purpose and data quality. The convention is not detailed but has a universal approach, ensuring data protection in a broader international context, covering non-EU countries.
The General Data Protection Regulation (GDPR) is a modern legal act that takes into account new challenges of the digital age, such as Big Data, artificial intelligence, cloud technologies, and cybersecurity. It was adopted in 2016. The GDPR establishes rules for the protection of individuals regarding the processing of their data and for the free movement of such data within the European Union, with the aim of ensuring a high level of data protection that respects human rights.
The Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (Convention 108+) was adopted in 2018 to update the original Convention №108 (1981) to meet the modern challenges of the digital age. The 108+ Convention aims to establish universal standards for the protection of personal data at an international level, introducing principles of data processing such as transparency and compliance. The 108+ Convention is universal, unlike the GDPR, which is EU-only. This makes it an important tool for harmonising data protection standards globally.
In the United States of America:
The United States does not have a single federal data protection law. Instead, there is a system of hundreds of laws enacted at both the federal and state levels. California, for example, has a long history of adopting privacy laws, with the California Consumer Privacy Act (CCPA) coming into force on 1 January 2020, becoming the first comprehensive data privacy law at the state level. In the same year, it was supplemented by the California Privacy Rights Act (CPRA), which expanded consumer rights and increased requirements for companies.
Other states also subsequently passed comprehensive laws:
2021 — Virginia and Colorado adopted the CDPA and the Privacy Act;
2022 — Utah and Connecticut adopted the Consumer Privacy Act and the Personal Data Privacy Act;
2023 — Comprehensive consumer data privacy laws were passed in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas;
2024 — Consumer data privacy laws were passed in Kentucky, New Hampshire and New Jersey.
In case law:
On 4 October 2024, the Court of Justice of the European Union (CJEU) delivered its judgment in case C-21/23, known as Lindenapotheke. The plaintiff in this case claimed that the defendant, a pharmacy that sold medicines through an online platform, had violated data protection rules by processing customers’ medical data without obtaining the necessary consent. The key issues before the court were whether the data collected, such as name, delivery address and medicines ordered, constituted ‘medical data’ under Article 9 of the GDPR and, if so, whether the competitor could bring a claim for any breaches of the GDPR.
Uber was fined €290 million. The Dutch Data Protection Authority fined Uber for illegally transferring driver data to the US, violating GDPR requirements.
LinkedIn sued. A class-action lawsuit in California accuses LinkedIn of using user messages to train AI models, violating privacy laws.
Chinese companies under scrutiny. Noyb filed GDPR complaints against TikTok, Shein, and others, alleging illegal data transfers to China.
Spotify fine is in progress. The Swedish regulator initially fined Spotify €5 million for GDPR violations related to user data access requests. The fine was later reduced to €2.7 million after Spotify cooperated.
Our team insights
In today's business world, it's crucial for organisations to balance advanced technology with strict data rules. Investing in cybersecurity, transparency and compliance lowers risk, builds consumer trust and improves reputation. Data protection must be a core part of any business strategy.
Identify and assess risks. It is vital to understand what data is processed, where it is stored, how it is used, and who has access to it.
Implement Privacy by Design. Ensure that privacy compliance is guaranteed at the stage when products or services are being designed.
Train employees. It is essential that regular training on data protection awareness is conducted, especially in the face of increasing cyber threats.
Stay compliant. It is vital to comply with all relevant regulatory requirements. Given the global nature of data protection legislation (GDPR, CCPA, CPRA, etc.), companies should check their compliance with local and international regulatory requirements.
Be familiar with non-compliance consequences. Failure to comply can result in severe consequences, so businesses and professionals must be aware of the scope of liability and potential fines that may be applied to them.
Conclusion
In the current digital era, data protection is not only a legal requirement, but also a fundamental aspect of trust between businesses, society and consumers. The continuous development of technologies such as artificial intelligence, Big Data and the Internet of Things (IoT) presents both opportunities and challenges with regard to ensuring the privacy and security of personal information.
Data protection is not only a challenge; it is also an opportunity for sustainable development, building consumer trust and moving forward with confidence. Embrace the journey of success and data protection with us!