On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force. The text aims at strengthening trust in the European market by reinforcing the rights of citizens and the obligations of companies.
Adopted on April 27, 2016, the General Data Protection Regulation (GDPR)[1] provides the framework within which personal data, whether they relate to customers, prospects, employees or constituents, are collected and used inside the European Union (EU). The text will come into force on May 25, 2018. The current European directive (Directive 95/46/EC on data protection), adopted in 1995, will then be repealed.
The main purpose of the reform is to increase trust, which is essential for innovation and economic development. As the European Commission points out: "Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies"[2]. The aim is thus to consolidate the Digital Single Market by ensuring the free circulation of personal data while at the same time strengthening the effectiveness of the fundamental right to personal data protection, especially as recognised in the Charter of Fundamental Rights of the European Union. With this in mind, the GDPR extends the harmonisation of the legal rules adopted in 1995: it will be directly applicable in the Member States without the need for the enactment of laws or legal acts at national level. In France, much of the Information Technology and Liberties Law (Loi Informatique et Libertés) will be repealed, and only those provisions that are not covered by the scope of the GDPR will remain in force.
At the same time, the regulation is to strengthen the effective application of the rules it establishes. In this respect, its scope is different from that of Directive 95/46/EC. The criterion is that of the establishment, in the sense of the place of "the effective and real exercise of activity through stable arrangements", while the legal form adopted (branch, subsidiary, etc.) is not the determining factor. The GDPR applies as soon as the controller[3] or the processor[4] is established in the EU, whether or not the processing itself takes place inside the EU (e.g. a company established in France that processes the personal data of a U.S. citizen). If the controller or processor is not established in the EU, the regulation still applies if the data subject is inside the EU and the processing activities are linked to:
- The offering of goods or services to the data subject, whether or not payment is required,
- Or the monitoring of the data subject's behaviour (for example, tracking across websites).
The objective here is to regulate the activities of multinationals such as Google and Facebook, which explains why the European approach has been subject to international attention, as well as the unprecedented lobbying campaign around the regulation itself.
Essentially, the 99 articles of the regulation are in line with the key principles of personal data protection, as enshrined in particular in France's IT and Liberties Law of 1978, although they do include a number of changes.
Continuity
As far as personal data are concerned, there is no change in definition: the term is defined as "any information relating to an identified or identifiable natural person". The text refers in particular to identifiers (name, identification number), location data, online identifiers, and one or more elements specific to physical, physiological, genetic, mental, economic, cultural or social identity. In this context, account should be taken of "all the means reasonably likely to be used" to enable identification, including both the means used by the entity directly processing the personal data and those used by anyone else. Accordingly, any information that can be related, however tenuously, to an individual, even if this does not amount to knowing his or her identity, constitutes personal data.
The GDPR also embodies well-known key principles[5]. Accordingly, before the entity even collects any personal data, it must determine the purposes (i.e. objectives) of the processing and minimise the data collected, making sure that the only data processed are those that are adequate, relevant and not excessive in view of these purposes. The entity must also set a retention period which does not exceed the time necessary for the objectives to be achieved. Once this time has elapsed, the data must be deleted or rendered irreversibly anonymous, which is no easy task[6]: data that can still be linked back to a person by the entity or by anyone else, even indirectly, remain personal data.
The entity must then ensure that the processing is lawful. The entity can either seek to obtain the consent of the person, which is now defined as a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (which rules out pre-ticked boxes!), or comply with other principles of lawfulness: for example, check that the processing is necessary to comply with a legal obligation or the performance of a contract.
In accordance with the usual approach, data confidentiality and security must be ensured. The same applies to respect for the rights of the data subject, who must be informed "in a concise, transparent and easily intelligible form, using clear and plain language," that his or her data are being collected. The data subject may then exercise his or her right of access to the data, and if necessary have the data corrected or erased. He or she also has the right to object to the processing of his or her data.
As regards personal data which are, by their nature, particularly sensitive, that is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health, data concerning a person's sex life or sexual orientation, identifiers of general scope such as a social security number (for which national law keeps a say), and now genetic data and biometric data, their processing is in principle prohibited, unless it is authorised in specific cases (particularly in the execution of employment law or when the data have manifestly been made public by the data subject).
If the data leave the European Union, their transfer can only take place to a country that offers an "adequate" level of data protection. If this is not the case (few countries meet this criterion), the organisation can rely on standard contractual clauses, binding corporate rules, and, in the case of the United States, the specific Privacy Shield system. The organisation can also opt for two new possibilities: certification mechanisms/labels, and approved codes of conduct.
Finally, the right "not to be subject to a decision based solely on automated processing (...) which produces legal effects" concerning or "significantly affecting" the data subject is reasserted. This applies in particular to profiling, whose purpose is to analyse or predict the data subject's behaviour, economic situation, health, personal preferences, interests or movements.
Furthermore, the GDPR establishes new obligations that were not included either in the Directive of 1995, or in France's IT and Liberties Law.
Change
The GDPR thus establishes for the first time a right to erasure (the "right to be forgotten", covering in particular the removal of links to personal data) and a right to personal data portability. These new rights should be seen in the light of the publication, on 7 October 2016, of France's Law for a Digital Republic (Loi pour une République numérique)[7], which is more advanced than the GDPR in certain aspects. In particular, it grants each person the right to freely dispose of his/her digital data in the form of a right to data removal (for minors), and the possibility in certain cases of obtaining all of one's personal data under an open standard that can be easily reused.
Furthermore, France's Law for a Digital Republic lays down new rights, which have no equivalent at European level: a right to digital death (the possibility for a data subject of expressing wishes during his or her lifetime by giving directives about the conservation, deletion and communication of his or her personal data after death) and a right to transparency of algorithms used by government (the person must now be systematically notified by an information message that an algorithm has been used to take a decision concerning him or her).
The GDPR, for its part, sets out to strengthen the protection of children. Where an online service is offered directly to a child and the processing relies on consent, that consent is only valid if it is given or authorised by the person holding parental responsibility when the child is under 16 years of age (Member States may lower this threshold to as little as 13). The GDPR also reforms the division of responsibilities between the controller and the processor, creating new obligations for the latter. In particular, any person who has suffered damage as a result of an infringement of the regulation can obtain compensation from the controller or the processor. As for data security, two obligations are created: the organisation must notify any personal data breach to the supervisory authority (in France, the CNIL) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must inform the data subject "without undue delay" where the breach is "likely to result in a high risk" to his or her rights and freedoms. In practice this means a detection, triage and notification procedure has to exist before May 2018, since 72 hours leaves no time to improvise one. In another significant new development, the entity is required to protect data from the design stage of a product or a service ("data protection by design") and by default, in particular by means of pseudonymisation of personal data at the earliest possible stage. Pseudonymised data remain personal data: the "additional information" needed to re-identify the person (typically a key or a lookup table) must be kept separately and protected by technical and organisational measures.
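The following Python example is added here to make the pseudonymisation-by-design point concrete; it is not code from the original article or from any regulator. It assumes a hypothetical event pipeline in which an e-mail address is the direct identifier, and it replaces that address at ingestion with an HMAC-SHA256 pseudonym whose key is the separately held "additional information". It also shows why an unkeyed hash is not an adequate pseudonym (a dictionary attack over candidate addresses reverses it) and applies a retention period so that expired events are purged. The record layout, key handling and sample events are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RawEvent:
    """Hypothetical event as received at the edge, still carrying a direct identifier."""
    email: str
    action: str
    occurred_at: datetime


@dataclass(frozen=True)
class PseudonymisedEvent:
    """What the downstream store sees: a keyed pseudonym instead of the e-mail."""
    subject_id: str
    action: str
    occurred_at: datetime


class Pseudonymiser:
    """Replaces direct identifiers with HMAC-SHA256 pseudonyms at ingestion.

    The key is the 'additional information' that has to be kept separately from
    the pseudonymised data: whoever holds only the events cannot recover the
    addresses, while the controller holding the key can still link events to
    one subject (e.g. to answer an access or erasure request).
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key

    def pseudonym(self, identifier: str) -> str:
        # Normalise first so that case and whitespace variants map to one subject.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def ingest(self, event: RawEvent) -> PseudonymisedEvent:
        return PseudonymisedEvent(
            subject_id=self.pseudonym(event.email),
            action=event.action,
            occurred_at=event.occurred_at,
        )


def plain_hash(identifier: str) -> str:
    """The weak alternative: an unkeyed SHA-256 of the identifier."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def reidentify(pseudonym: str, candidates, hasher):
    """Dictionary attack: hash each candidate identifier and compare.

    Succeeds against plain_hash because anyone can recompute it; fails against
    Pseudonymiser.pseudonym unless the attacker also holds the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), pseudonym):
            return candidate
    return None


def purge_expired(events, retention: timedelta, now: datetime):
    """Apply the retention period fixed for the purpose: keep only recent events."""
    return [e for e in events if now - e.occurred_at <= retention]


if __name__ == "__main__":
    # Constructed sample data; in production the key would come from a KMS or HSM,
    # never from the same store as the pseudonymised events.
    key = secrets.token_bytes(32)
    ps = Pseudonymiser(key)
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    raw = [
        RawEvent("Alice@example.com", "login", now - timedelta(days=1)),
        RawEvent("alice@example.com ", "purchase", now - timedelta(days=400)),
    ]
    stored = [ps.ingest(e) for e in raw]
    print(len({e.subject_id for e in stored}), "distinct subject(s)")
    print(len(purge_expired(stored, timedelta(days=365), now)), "event(s) kept after purge")
```

Two design choices matter here. The HMAC key is what turns a reversible hash into a pseudonym, so it belongs under a separate access-control regime from the data (an attacker who steals the events and the key has simply stolen personal data). And the retention purge runs on the pseudonymised store, not on the key: once the events for a purpose are gone, the key no longer links to anything, which is the intended end state.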
Finally, the new obligation of accountability (stemming from the "accountability" principle in Anglo-Saxon law) means that the entity processing personal data must be able to demonstrate at all times that it is complying with its obligations. In addition to the compulsory record-keeping, it must apply appropriate policies via overall governance. After analysis, it can point to the means of demonstrating compliance it judges to be the most appropriate:
- Designation of a data protection officer,
- The conducting of audits, the application of a code of conduct or a certification mechanism approved by the CNIL or by the European Data Protection Board,
- Carrying-out of a data-protection impact assessment for processing operations that are "likely to result in a high risk to the rights and freedoms of natural persons".
Compliance with this more stringent accountability requirement will be ensured by the supervisory authority of the state where the entity is established (the CNIL for a company established in France). By derogation, another supervisory authority may have jurisdiction to handle a complaint lodged with it or a possible infringement of the Regulation, if data subjects in its Member State are affected.
Managing compliance
The GDPR is therefore a complex text, whose implications are not easy to grasp for either companies or citizens. This makes it absolutely essential to begin planning ahead for when it comes into force, particularly as many questions about its application are still not settled. In practical terms, complying with the GDPR means continuously managing compliance, which involves setting up fully-fledged personal data governance, taking into account the guidelines published or currently being drawn up by the European Data Protection Board (which is set to supersede the existing Article 29 Working Party)[8]. While major companies have already launched their projects for adapting internal processes[9] and best practices, so as to be ready for May 2018, SMEs are only just starting to consider the question.
It is also important to encourage a risk-based approach: to include all data processing in the mandatory register, to list current and potential risks, such as those linked to connected objects and algorithms, to rank them on the basis of their likelihood and severity, to establish a schedule of actions to be taken, to make sure these measures are in fact applied, and to manage any residual risks. In other words, the concept of risk is becoming increasingly prevalent, but with a change of perspective: the risk to be assessed is no longer only the risk to the entity that processes the data, but also, in a novel development, the risk to the data subject's fundamental rights and interests.
The need to plan ahead is all the more important in that the supervisory authorities, such as the CNIL in France, will be empowered to impose administrative fines of up to 20 million euros or, for a company, up to 4% of its annual worldwide turnover, whichever is higher. We are no longer talking about the maximum fine of 3 million euros that the CNIL can impose as things stand today.
Author biography:
Claire Levallois-Barth, Director of the Personal Data Values and Policies Chair at Institut Mines-Télécom, Associate Professor in Law at Télécom ParisTech, Associate Editor of Annals of Telecommunications, Member of the Board of the French Association of Data Protection Officers (AFCDP) and Member of AXA's Data Privacy Advisory Panel.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJEU L 119/1 of 4.05.2016.
[2] Proposal for a Regulation (GDPR), COM(2012)11 final, Brussels, 25.01.2012.
[3] The controller is defined as the "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing".
[4] The processor is the "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
[5] See Levallois-Barth, C. (2013), "Big data et protection des données personnelles : un défi (quasi) impossible ?", in Revue TELECOM, n° 169.
[6] See Levallois-Barth, C., Laurent, M. (2015), "La difficile anonymisation des données personnelles", in Revue TELECOM, n° 177.
[7] "Loi n° 2016-1321 pour une République numérique" of 7 October 2016, Official Journal of the French Republic dated 8 October 2016.
[8] See: https://www.cnil.fr/fr/reglement-europeen/lignes-directrices.
[9] Processing of requests from data subjects, revision of contracts with subcontractors, setting up of a data security breach notification procedure, methods of integrating the "Personal data" dimension in a product from the design stage.