GDPR: towards values and policies

We were all expecting it.

The General Data Protection Regulation (GDPR)[1] came into force on May 25, 2018. This milestone gave rise to numerous reactions and events on the part of companies and institutions. As the Belgian Data Protection Authority put it, there is undoubtedly “a new wind coming, not a hurricane!” – which seems to have blown all the way across the Atlantic Ocean, as The Washington Post pointed out the creation of a “de-facto global standard that gives Americans new protections and the nation’s technology companies new headaches”.[2]

 Not only companies are having such “headaches”; EU Member States are also facing them as they are required to implement the regulation. France,[3] Austria, Denmark, Germany, Ireland, Italy, the Netherlands, Poland, the United Kingdom and Sweden have already updated their national general law in order to align it with the GDPR; but to this day, Belgium, the Czech Republic, Finland, Greece, Hungary and Spain are still submitting draft implementation acts.

And this is despite the provisions and timeline of the bill having been officially laid down as early as May 4, 2016.

The same actually goes for French authorities, as some of them have also asked for extra time. Indeed, shortly before GDPR took effect, local authorities notified they weren’t ready for the Regulation, even though they had been aware of the deadline since 2016, just like everyone else.

Sixty French senators further threatened to refer the matter to the Constitutional Council, and then actually did, requesting a derogation period.

In schools and universities, GDPR is getting increasingly significant, even critical, to ensure both children’s and teachers’ privacy.

The issue of social uses and practices being conditioned as early as in primary school has been studied by the Chair Values and Policies of Personal Information (CVPIP) for many years now, and is well exemplified by major use cases such as the rise of smart toys and the obvious and increasing involvement of U.S. tech giants in the education sector.

As if that wasn’t enough, the geographical and economic context of the GDPR is now also an issue. Indeed, if nothing is done to clarify the situation, GDPR credibility might soon be questioned by two major problems:

  • U.S. non-compliance with the EU-U.S. Privacy Shield agreement, which was especially exposed by the Civil Liberties Committee (LIBE) of the European Parliament;[4]
  • The signing into law on March 23, 2018 – i.e. precisely before GDPR enforcement – of the Clarifying Lawful Overseas Use of Data (CLOUD Act) by Donald Trump.

The CLOUD Act unambiguously authorises U.S. authorities to access user data stored outside the United States by U.S. companies. At first glance, this isn’t sending a positive and reassuring message as to the U.S.’s readiness to simply comply with European rules when it comes to personal data.

Besides, we obviously should not forget the Cambridge Analytica scandal, which led to multiple hearings of Mark Zuckerberg by astounded U.S. and EU institutions, despite Facebook having announced its compliance with GDPR through an update of its forms.

None Of Your Business (Noyb), the non-profit organisation founded by Austrian lawyer Max Schrems, filed four complaints against tech giants, including Facebook, over non-compliance with the notion of consent. These complaints reveal how hard it is to protect the EU model in such a global and digital economy.[5]

Such truly European model, which is related neither to surveillance capitalism nor to dictatorial surveillance, is based on compliance with the values shared by our Member States in their common pact. We should refer to Article 2 of the Treaty on European Union for as long as needed:

The Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities. These values are common to the Member States in a society in which pluralism, non-discrimination, tolerance, justice, solidarity and equality between women and men prevail”.

Furthermore, Article 7 of the Charter of Fundamental Rights of the European Union clearly and explicitly provides that “everyone has the right to respect for his or her private and family life, home and communications”.

Such core values are not only reflected by GDPR, but by the whole body of legislation under construction it is part of, which includes:

  • The Draft ePrivacy Regulation, which aims to extend the scope of current Directive 2002/58/EC to over-the-top (OTT) services such as WhatsApp and Skype as well as to metadata; [6]
  • The draft Regulation on the free flow of non-personal data,[7] which has generated heated debates over the definitions of “non-personal data” and “common data spaces” (personal and non-personal data)[8] and which, according to European MP Anna Maria Corazza Bildt, aims to establish the free flow of data as the fifth freedom in the EU’s single market.<[9]

Besides, the framework on cybersecurity is currently being reviewed in order to implement a proper EU policy that respects citizens'privacy and personal data as well as EU values. 2019 will undoubtedly be the year of the cyberAct.[10]

A proper European model, respectful of EU values, is therefore under construction.

It is already inspiring and giving food for thought to other countries and regions of the world, including the United States, land of the largest tech giants.

In California, the U.S.’s most populous state, no less than 629,000 people signed the petition that led Californian MPs to pass the California Consumer Privacy Act on June 28, 2018. [11]

The Act, which takes effect on January 1, 2020, broadens the definition of “personal information” by including tracking data and login details, and contains provisions similar to the GDPR’s on:

  • Individuals’ ability to control their personal information, with new rights regarding transparency, access, portability, objection, deletion and choice of the collected information;
  • The protection of minors, with the prohibition from selling or disclosing the personal information of a consumer under 16 years of age, “unless affirmatively authorised”;
  • The violation of personal data, with the right to institute a civil action against a company in the event of a data theft caused by the absence of appropriate security procedures.

California, the nation’s leading state in privacy protection, is setting the scene for major changes in the way companies interact with their customers. The Act, the strictest ever passed in the U.S., has inevitably been criticized by the biggest Silicon Valley tech companies, who are already asking for a relaxation of the legislation.

Let us end with an amusing twist by giving the last word to the former American president (yet not the least among them), Barack Obama. In a speech addressing the people of Europe, in Hanover, Germany, in 2016, he proclaimed:

Europeans, like Americans, cherish your privacy. And many are skeptical about governments collecting and sharing information, for good reason. That skepticism is healthy.  Germans remember their history of government surveillance - so do Americans, by the way, particularly those who were fighting on behalf of civil rights.

So it’s part of our democracies to want to make sure our governments are accountable"[12]

Claire Levallois-Barth, CVPIP Chair Coordinator and Lecturer in Law at Télécom ParisTech

Ivan Meseguer, CVPIP Co-founder, European Affairs, Research and Innovation Department of the Institut Mines-Télécom

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), EUOJ L 119 of 4.5.2016, p. 1,

[2] The Washington Post, “Europe, not the US, is now the most powerful regulator of Silicon Valley”,

[3] French Law No. 2018-493 of 20 June 2018 on the Protection of Personal Data, published in the Official Journal on 21 June 2018, (Loi n° 2018-493 du 20 juin 2018 relative à la protection des données personnelles, JORF du 21 juin 2018),;jsessionid=27A98AC45687EEBF56EDB334BA1B963E.tplgfr29s_2?cidTexte=JORFTEXT000037085952&categorieLien=id.

[4] Draft Motion For a Resolution, European Parliament resolution on the adequacy of the protection afforded by the EU-U.S. Privacy Shield, 10.04.2018,

[5] Four plaints were filed with national Data Protection Authorities: against Google in France; Instagram in Belgium; Facebook in Austria; and WhatsApp in Germany.

[6] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 2017/03 (COD),

[7] Proposal for a Regulation of the European Parliament and of the Council on a framework for the free flow of non-personal data in the European Union, Brussels, 13.9.2017, COM/2017/0495 final,

[8] Communication from the Commission, “Towards a common European data space”, Brussels, 25.4.2018, COM (2018) 232 final.

[9] Establishing the fifth freedom: free flow of non-personal data, 4.06.2018,

[10] The cybersecurity package includes a regulation that would give ENISA and setting up a certification system; a communication updating the EU 2013 Cybersecurity Strategy; and a directive on combating fraud and counterfeiting of non-cash means of payment. See

[11] The California Consumer Privacy Act of 2018, AB-375 Privacy: personal information: businesses. Assembly Bill No. 375, CHAPTER 55, An act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy. [Approved by Governor June 28, 2018. Filed with Secretary of State June 28, 2018.],

[12] Remarks by President Obama in Address to the People of Europe, Hannover Messe Fairgrounds, Hannover, Germany, April 25, 2016,


Comments are closed.