27.12.2024

Comments of the President of the Polish SA on the Strategy for the Digitisation of Poland until 2035

The long-term plan for Poland's digitisation should also be accompanied by reflection on the development of personal data protection. The implementation of technological solutions should go hand in hand with appropriate legal solutions.

The President of the Personal Data Protection Office is commenting as part of the ongoing consultations on the draft Strategy prepared by the Ministry of Digital Affairs. His proposals on how to strengthen the Strategy are addressed to the Minister of Digital Affairs.

Mirosław Wróblewski, President of the Personal Data Protection Office, considers regulating issues related to the development of new technologies to be a fundamental matter. He also points out how important it is to harness the potential of new technologies for the benefit of citizens. The concept adopted in the draft Strategy – he notes – remains consistent with the ideas accompanying the current European digital transformation plans (Digital Europe Programme or the Digital Decade of Europe Programme).

The President of the Personal Data Protection Office indicates how the strategy can be strengthened:

  • Data processing risk analysis

The implementation of specific legislative solutions should be preceded by an analysis indicating that the given solutions are necessary and that it is not possible to achieve the assumed goals through solutions that are less intrusive to the rights and freedoms of data subjects. Today, such analyses are often overlooked and, in the opinion of the President of the Personal Data Protection Office, this is a key problem.

In addition, the President of the Personal Data Protection Office reiterates his call to introduce a legal requirement to conduct the so-called privacy test already at the stage of the legislative process, as part of the regulatory impact assessment (RIA). Such an obligation is particularly relevant in the case of extensive state systems, public registers or data integration projects. Currently, in practice, the data protection impact assessment is often overlooked, with negative consequences for everyone.

  • Education and digital safety

The strategy should take into account not only education on how to use new technologies, but also what problems related to security and the right to privacy and data protection they bring.

Education should not be limited to younger people. The digital competences of all must be enhanced, including in the field of security measures. The use of tools to protect privacy and personal data (such as data encryption or VPN services) and ways to minimise the harmful effects of technology on the mental state should be promoted.

The impact of the implemented solutions on the health care system cannot be treated superficially. Related issues, including plans to minimise screen time in the school environment, could be further developed in the Strategy.

  • Technology at the service of the individual

The strategy describes the further development of e-services. It would be better if it also referred to ensuring the application of the principles of personal data protection, which these systems should respect.

The dissemination of various forms of electronic signatures should go hand in hand with the introduction of systemic changes in the generally applicable law – especially in the perspective of the function of the European Digital Identity Wallet and the concept of an electronic signature certificate provided for in the eIDAS2 Regulation.

Particular threats to the privacy of citizens are currently related to the increasing use (including disclosure to third parties) of the PESEL (personal identification number) in the form of an identifier in electronic signatures.

The strategy does not address the problem of identification using biometric data (including behavioural data), although such mechanisms are already in place (e.g. by banks and other financial institutions). This subject needs to be regulated.

The increasing use of the Internet of Things (IoT) and artificial intelligence (AI) in public space is inextricably linked to the increased threat of widespread use of technologies that track (and often even surveil) individuals.

The "smart cities" strategy assumes the optimisation of the management of public services, inter alia based on data collected from increasingly advanced and expanded monitoring systems.

Determining the limits of the use of new technologies by public entities obliged to act on the basis of and within the limits set for them by law (the principle of legality), in the light of the potential negative effects on the sovereignty of the individual – including in order to avoid solutions involving the use of automated decision-making that produces legal effects on the individual or significantly affects him/her in a similar way – is of key importance.

The strategy also does not develop mechanisms for citizens' consent to the processing of data in digital systems (based on the criteria of awareness, voluntariness and lack of negative effects in the event of its refusal or cancellation), which may create room for misuse of data.

  • Public registers and the mObywatel application

The development of public registers assumed in the Strategy entails the need to review the current model of their functioning. Of particular concern is the assumed interoperability of various databases, data resources and systems, which poses a significant risk of their combination.

The transfer of data from the resources of increasingly large data sets potentially hinders or even makes illusory the possibility of exercising control over filing systems and knowledge of data processing processes by data subjects, and the requirement of accountability is difficult for controllers to meet. These problems are exacerbated by the model of broad cooperation with the private sector assumed in the Strategy, which provides for the migration of data from state registers to the resources of market/private entities – on the basis of concluded agreements, and not legal provisions of statutory rank.

  • Mechanisms for the protection of individual rights

The point of reference for the introduction of detailed regulations should be the principles of: ethical development, transparency of adopted solutions, responsibility and counteracting various forms of discrimination. The application of these principles should take on a universal dimension, i.e. apply not only to the private sector, but equally to the public sector. For example, the provision of content by a state authority should be preceded by the obligation to inform that it was generated by AI, along with the publication in the Public Information Bulletin of information about the model used and the content of the prompts. The obligation to inform users about the algorithms used and how the data are used and processed (in a formula that is accessible and understandable to the recipient) needs to be introduced.

The legislator should provide for the application of measures to control compliance with the rules for handling artificial intelligence (AI) technology and detecting system errors, through continuous and mandatory audits and reviews.

It is also necessary to introduce safeguards against covert and unlawful surveillance (e.g. using biometrics).

An extended analysis is required of the issue of so-called artificial intelligence agents, i.e. how the representation of persons and entities should be regulated by means of software that can perform tasks on behalf of the user, make decisions and interact with other entities or people. Particular attention should be paid to the processing of special categories of data (e.g. exchange of medical records between facilities).

  • An opportunity for the administration and new requirements

Digitisation is an opportunity for public administration to move to alternative channels of ongoing communication with citizens operating in the public interest, moving away from closed platforms. Unnecessary tracking scripts should disappear from public administration websites.

The solution recommended by the supervisory authority is to create an efficient, free, secure, open API platform for communication between schools and parents (e-journal), adapted to the Polish education system.

  • Digital sovereignty of the State and the responsibility of technology corporations

The legislator rightly noticed that dependence on solutions provided by external providers is a potential weakness of the digital State. A disturbing phenomenon that needs to be faced is the creation of solutions based on the infrastructure of large technology corporations whose headquarters are located outside the European Economic Area.

The strategy assumes the development of cloud computing, but does not present specific conditions for storing citizens' data, nor mechanisms for verifying the security of services.

Additional analysis should be devoted to the issue of energy and economic sovereignty. The strategy should provide for the energy resource needed to maintain the planned systems, as well as emergency plans, maintaining continuity and access to data in the event of a failure and prolonged energy loss.