The data universe revolution in underway: the General Data Protection Regulation, or GDPR, adopted on April 14th 2016 by the European Parliament and which has come into force on May 25th 2018, decrees the harmonization of the protection devices within the European Union.
Companies and consumers are all concerned by this new European regulation. It orders the first ones to adopt without delay new practices with their clients and prospects in terms of data collection and data treatments and allows the second ones to take back control on their personal data, while strengthening their private life protection.
Thanks to this new regulation, European citizens will have easier access to their personal data, while enjoying stricter rules concerning their data treatments. The implementation of the GDPR spells the end of the policy of "fine print". From now on, before each data collection, companies will have to move forward its pawns in a clear and simple language, on pain of heavy penalties.
Detail review of a law that deeply changes the digital European landscape, by upsetting companies' and consumers', we all are, habits.
New obligations for the companies
Companies have to ensure that they only collect the data that is essential to the client's needs. This data should not be conserved longer than needed. At the same time, the company should guarantee access, modification, restitution and/or erasure at the citizen request.
The consumer will have to give his consent clearly and explicitly to his private data treatment. The GDPR specifies "that there shall be no consent in case of silence, of check box selected by default or inactivity".
Furthermore, the processing controller will be responsible for the consent burden of proof within the company. The citizen will be able to withdraw his consent at any time.
Exceptions : when the treatment* is necessary for the execution of a contract accepted by the citizen, like the subscription to a magazine, in case of legal obligation or legitimate interest of the processing controller, or when it is necessary to save vital interests of the person or the execution of a public interest mission. In these precise cases, the treatment will remain illicit, even without any consent.
* Definition of "treatment" extracted from the GDPR : "Any treatment or any set of operations whether or not done with automated processes and applied to data or to a personal data set, like collection, recording, organisation, structuring, retention, adaptation or modification, extraction, consulting, use of data, disclosure by supply, dissemination or any other form of provision, reconciliation or interconnection, limitation, erasure or destruction".
Companies will have to secure personal data they have at their disposal, at all time and in all places, against risks of loss, theft, disclosure or deterioration. If such an event occurred , despite all security measures put in place, the relevant company should inform the CNIL, the protection authority and the concerned citizens, within 72 hours.
The companies will also have to insure an identical level of security concerning data treated out of European Union. A personal data treatment register, which is now mandatory, will make it possible to know if the data can leave European Union and under what conditions.
Companies will have to document all necessary measures and procedures to insure at any time the protection of stored data. A data treatment register will compulsorily be retained by processing controller and possible data processors. This register should be available to supervisory authorities at any time.
Privacy by Default and Privacy by Conception
From now on, companies which design products, services and data operating systems are mainly concerned with personal data protection.
As a matter of fact, the GDPR now inforces companies to integrate by default, from conception and whenever they use new technologies they develop, its new data protection requirements. The “Privacy by Design” principle guarantees this maximum level of data protection.
New rights for the consumers
Storage limitation was already included in Article 6 of the French Data Protection Act (Loi Informatique et Libertés) of 1978. However, it is now the company’s duty to prove that data storage limitation is respected. Thus, companies are not allowed to collect more data than needed for a treatment in a limited period of time. People's data can no longer been stored at vitam aeternam without justifying it.
Companies must inform citizens who will ask for it, about the personal data they store and the reasons why they store it.
Right to comprehension
Before each advertising campaign, companies have to justify and explain their approach in a clear and simple way, so that consumers can clearly understand the campaign purpose and decide to accept or to refuse it. .
Right to oblivion
Companies and their data processors are forced to delete all customer’s data if he asks for it. Exceptions: when data is necessary for historical or statistical purposes, scientific research, public health reasons or for the right to freedom expression. The right to oblivion applies when possessing personal data is necessary to sign a contract or when required by law.
The Scope of the law
The GDPR is applied to all European companies as well as non-European ones which have a range of activities in Europe and hence, processing European citizens' data.
15 December 2015 : The Council of the European Union, the European Parliament and the European Comission approve the final text.
8 April 2016 : The regulation is adopted by the Council of Europe after four years of negotiations.
14 April 2016 : The regulation is adopted by the European Parliament.
24 May 2016 : Entry into force.
25 May 2018 : Mandatory implementation.
What do we call "Personnal Data" ?
« Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of than person. » (Art. 4.1)
Is it the end of profiling on the web ?
The new regulation sets the limits of profiling, which is used to analyse or predict the localisation of an individual, his preferences or his behaviour thanks to his personal data automatic treatment. In accordance with the new European regulation, profiling is only allowed if the individual gives his consent for this treatment, if it is necessary to sign a contract. European deputies have specified that profiling should not lead to discrimination or rely exclusively on sensitive data, like political views, religion, sexual orientation, genetic or biometric ones. Another major change: profiling should no longer come from a simple automatic data treatment, but it should include a human assessment.
Special protection for minors
Children are most of the time less aware than adults of how dangerous it is to share their data on Internet. This is why they are subjects to particular measures in the new European regulation. Their parents’ permission is required below a certain age (between 13 and 16 years old) to access to social networks, as it is already the case in most of the European Union countries.
Data protection officer on the front line
The new European regulation compels companies, including the public sector ones, to hire a Data Protection Officer (DPO) from the moment they make large scale or sensitive data processing. The DPO plays a major role in applying the new regulation. He particularly makes sure that the treatments is GDPR compliant. He also performs risk analysis, implement security measures and make sure storage limitation is respected.
In case of failure to respect the new regulation, companies face fines representing from 2 to 4% of the company worldwide turnover. The first level of fine is €10 million.
What are the recourses for French citizens in case of a problem ?
Citizens benefit from a unique authority to make a claim against an abusive use of their data. French citizens can apply to the CNIL rather than to wrongful companies.