25 May 2018 will be remembered as the date on which the European Union launched a new era in the collection and processing of personal data. In order to confront GAFA and companies that, in exchange for increasingly personalised services, collect more and more information on individuals, the EU has equipped itself with an unprecedented arsenal and is posing as a protector of privacy.
The European Data Protection Regulation (EDPR) now makes public and private organisations responsible for the use of the data they collect and process. This regulation applies to all companies that process personal data on their own behalf or on behalf of a third party. These companies can be European companies or foreign companies processing data from European citizens.
The GDPR is based on three main principles which are:
Strengthening the rights of individuals
The empowerment of the actors of data processing in companies
Harmonisation of the legal framework at European level
As a result, companies must now take a responsible approach to the use of their data or face fines of up to €20 million or even 4% of their global turnover.
What has it changed for businesses?
Previously, the general terms and conditions of sale or use were the only documents to which users could refer to find out about their rights and how their data was collected, processed and exchanged. These documents are usually displayed on pages that are not often visited on websites and, above all, their length is not conducive to reading. As a result, the end-user does not have clear information about how his or her data is used.
From now on, companies have a duty to inform users and must explain the purposes of collection: why data is collected and for what purpose? The purposes must be related to the company's core business and, above all, be relevant. For example, one cannot ask for an individual's height in order to offer an entertainment service. Compliance with data protection rules is a process that may seem tedious and time-consuming.
However, it is part of a long-term process that brings together all the information needed to prove the bona fides of the company. Each company must now keep a register listing the processing of data, giving it an overall view of how its data is used.
For all companies that have doubts or are not fully compliant at the moment, the CNIL offers a guide to comply and avoid any inconvenience.
In addition to these technical changes, there are also changes in human resources. Indeed, one of the fundamental principles of the RGPD is the accountability of data processing in companies. This is why the data controller must appoint a Data Protection Officer (DPO). The DPO can be an employee of the company, but can also be a third party. The DPO is responsible for implementing compliance with the European Data Protection Regulation within the organisation that has appointed him/her for all processing operations carried out by that organisation.
Harmonisation at European level and the coercive nature of fines as grey areas
The implementation of the RGPD has been a great upheaval as promised by the authorities. A collective awareness is to be noted and the figures speak for themselves:
· The CNIL received more than 11,000 complaints and carried out more than 300 checks in 2018 ;
· 70% of French people say they are more sensitive to the protection of their data than in the past;
· Visits to the CNIL website recorded an 80% growth in 2018 compared to 2017;
The G29, which is the authority that brings together the 29 European CNILs, has conducted several investigations concerning data theft or non-compliance with the provisions of the RGPD: The first investigation concerns the theft of data from 57 million users of the Uber application, a fine of €400,000 was imposed. This is derisory compared to the company's turnover (€11 billion in 2018).
The second and most publicised fine was imposed on Google. Following the complaints of thousands of users themselves, relayed by the digital associations None of your business and La Quadrature du net, which criticised Google for "not having a valid legal basis for processing the personal data of users of its services, in particular for the purpose of personalising advertising", the G29 investigated and found the firm guilty of failing to comply with the RGPD, and fined it 50 million euros.
Despite all the efforts of European countries to counter the stranglehold of large companies (especially the GAFAs) on the collection and exchange of massive data, the sanctions imposed are not punitive enough to change behaviour and thus implement the promises of the GDPR. Take for example the sanctions imposed on Google by the European Competition Commission. Margrethe Vestager, who heads the Commission, has made Google her scapegoat and has imposed no less than three fines in three years. These fines have been systematically imposed for abuse of a dominant position and have shown that Europe is no longer candid when it comes to large groups.
These fines provide a new window of opportunity for the European regulator to address data protection and the enforcement of the RGPD. However, it is much more difficult to prove and sanction a breach of the GDPR because the legislative framework is still unclear on some points. Thus, the many formal notices and sanctions issued by the CNIL have a more resounding effect due to the new legislative framework, but as is always the case when it comes to harmonisation at European level, there are marked differences in viewpoints and treatment.
Since the implementation of the GDPR, foreign companies that process data of European citizens must report to the CNIL of the country where they are based. We can thus observe that companies choose countries where the regulators are much more flexible and conciliatory in order to benefit from leniency or even arrangements. Let's take the example of Ireland, which is one of the countries in Europe where the corporate tax rate is among the lowest in Europe, but also where the CNIL is one of the least demanding regarding compliance with the RGPD. We note that the GAFAs have all established their European headquarters there. This is another reason for dissatisfaction that is causing teeth to gnash in the upper echelons of the European Commission.
How do technological innovations (IoT, AI, 5G etc.) offer new sources of harvesting and challenge existing regulations?
The Internet of Things is the interconnection of various objects (telephones, refrigerators, cars, televisions, sensors etc.) using information and communication technologies (ICT). These objects are also used by companies to improve their processes and reduce their costs, but in recent years there has been a surge of interest from individuals looking for something new. It is estimated that 40% of households worldwide have at least one connected object, and this rate rises to 70% in the United States. The data collected in real time provides companies with a real treasure trove, as the data is in its raw state and can concern an entire section of an individual's private life. With the advent of 5G, the density of connected devices will increase dramatically with better throughput and reduced latency, which will encourage this movement.
However, the uses are not limited to commercial and marketing purposes. For example, advances in artificial intelligence are giving doctors new support in their diagnosis. Hospitals and cancer research centres are increasingly using deep learning and big data analytics software to refine cancer screening. AI also allows doctors to offload certain repetitive and time-consuming tasks thanks to the automation of all these processes.
Numerous scandals have tempered the excitement around all these new technological feats and once again we find a GAFA accused: Amazon. The firm led by Jeff Bezos is at the heart of a spying scandal involving users of its Alexa connected speaker. According to the company's management, conversations can be recorded to improve the efficiency of the virtual assistant. Moreover, it is not explicitly stated that the conversations can be listened to, let alone that the user can limit the use of the recordings without ever being able to prevent the transmission!
It would damage the credibility of the GDPR if small companies were penalised for minor breaches if Amazon did not face prosecution on this issue. The GDPR now provides a legal framework for the collection and processing of user data. However, as with every legal decision in Europe, differences of opinion bring with them their share of divergences between the states that apply it.
In addition, there is a general awareness among both the population and the public authorities. The echo of this regulation has reached California, the land of GAFA. The regulator took the lead following the residents' grumbling and voted to introduce a local RGPD: the California Consumer Privacy Act. It's a very light version but it bodes well for a possible harmony at the global level. To be continued...