« From now on, consumers have many resorts »
Counsel in the Corporate departement of Allen & Overy Paris, dedicated to Telecommunications, Media and Technology, Ms. Laurie-Anne Evra-Ancenys analyses the new rights and solutions which consumers now enjoy since 25 May 2018, with the enforcement of the new European regulation on data protection1.
Why has this new European data protection regulation been voted ?
The legislator wanted to implement a consistent policy regarding data protection within the European Union. This new regulation pursues three main objectives :
Is this process a consequence of abusive use of consumers’ personal data ?
We should rather talk about drifts instead of abuses. So far, penalties were quite weak and rarely fully implemented. Consequently, we could observe some drifts like abusive electronic commercial prospection and illegal sales or rentals of data files. This is why it was necessary to reinforce the consumer protection.
Thanks to the Law of 7 October 2016 for a digital Republic2, the CNIL penalties have been increased so they can reach 3 million euros. The legal framework is gradually becoming more and more coercive. Now, with the General Data Protection Regulation, penalties can reach 10 to 20 million euros, or 2 to 4% of the worldwide turnover, depending on the category of offence.
According to you, which of the new consumers’ rights can be considered as the most essential advances ?
The European regulation gives control back to citizens concerning their personal data
Data portability is one of the most important novelties, as it allows citizens to recover the personal data they had given to a professional in a structured format, commonly used and machine-readable, to transfer it if they want to another professional3.
This right can be applied, for instance when a consumer wants to change operator or electricity supplier. The European regulation anticipates other major advances for consumers: the right to oblivion has been strengthened, just like the protection of minors. Furthermore, professionals are now obliged to respond to consumers’ demands within one month.
Do you think consumers have enough information about the use of their personal data ?
The Law for a digital Republic anticipates several provisions of the General Data Protection Regulation.Consequently, professional are already obliged to inform consumers about the length of their data retention.
The European regulation also allows professionals to provide some new information like the legal basis of the treatment or legitimate interests of the processing controller if need be. It is hoped that the new regulatory framework and the information campaigns of data protection authorities contribute to sensitizing consumers to their personal data management.
In case of non-respect of their rights, which resorts can consumers use ?
The first thing to do is to get in contact with the processing controller, the Data Protection Officer, if he has been designated within the concerned company.
Standard letters to report a failure, to exercise a right, to ask for something, etc. are online on the CNIL website. Consumers also have the possibility to make a complaint to the CNIL or to the public prosecutor.
TFurthermore, consumers can join a consumer group in order to take part in collective actions. For the time being, it is still emerging. But there is a risk that it becomes commonplace in the coming years, all the more so that the law to modernise the economy of the 21st Century has already introduce the mechanism of group action concerning personal data5.
However, the European regulation should facilitate communication between the different actors. Mechanisms will be put in place by professionals in order to respond to consumers’ requests and guarantee a greater transparency in the treatment of their personal data.
In a fast-moving and complex regulatory context, the aim is to achieve a balance between legal provisions and professionals’ economic interests.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/CE (General Data Protection Regulation).
2 Law No 2016-1321 of October 7, 2016, for a Digital Republic.
3 This right will only concern the sites where the number of user accounts who logged in during the past six months do not exceed a threshold set by decree.
4 Article 32 of the Law of 6 January 1978 relating to data processing, files and liberties.
5 Law No 2016-1547 of November 18, 2016 on the modernization of the Justice in the 21st Century, articles and seq.
« More transparency and control »
Attorney partner at Bird & Bird, Ms. Merav Griguer has an extensive data privacy practice. She is also the author of several books relating to digital communication issues, including “Le guide de la communication sans risque” (Editions Eyrolles 2012). She introduces the issues of the GDPR, the new European regulation, for the attention of consumers and explain how brands get prepared for the changeover.
Ms. Griguer, had this new European regulation become essential ?
The GDPR has been adopted to harmonise the different legislations and to provide better protection to all citizens in a fast-evolving ecosystem where Big Data has grown rapidly.
Nowadays, we live in an age of mass collection of personal data. It may give rise to abuse. But a rise of awarness happened. This European regulation is the first step towards the protection of citizens and the control of this new reality.
How do brands react to this new regulation ? Do they reject it ? Are they willing to deploy it ?
The companies have now seized the matter. Big Data is from now one, one of the three top risks the CAC 40 companies have to manage. It is also the case for start-ups which have natively integrated personal data protection to their innovations.
Brands generally demonstrate a real willingness to be in compliance with the new regulation, so they have already started to get prepared. At the same time, digital marketing sector seems to be concerned about this new regulation which will fundamentally change its practices.
However, I don’t think that these new “circumstances” can be considered as a hurdle. On the contrary, it is now important for companies, to distinguish themselves from competitors and to choose Fair Data or Ethic Data versus Big Data.
Do you think the severe sanctions have helped companies to be conscious of the importance of being in line with the GDPR ?
Obviously, those important sanctions up to 20 million euros and 4% of the annual worldwide turnover raise collective awareness on the importance of data protection.
This will set things moving; it will make companies and legal persons more responsible in the implementation of internal good practices. Without such sanctions,the protection of citizens’ fundamental rights, as well as their individual liberties would have totally declined.
Does it mean that nothing can stop the implementation of this new regulation ?
Not exactly. Nowadays, companies may not always have the means to respect the new regulation. They need to have an allocated budget to benefit from an expert council, in order to reach the required compliance. Respecting the law requires to be innovative. Everything remains to be created.
What will be the main changes in consumer’s life ?
They will benefit from more transparency, more rights, more control and greater visibility on the use of their data. They will also benefit from more effectiveness in the exercise of their rights.
The aim of the new European regulation is to make sure that consumers’ personal data is perfectly protected. One can hardly say that this will be the case.
How can consumer’s be informed about their new rights ?
It might be necessary to change the way of informing consumers to make sure they read it. It is also the time for legal actors to innovate.