31/05/2019

Happy Birthday to the GDPR?

Cross-analysis by Adrien Basdevant and Florence Chafiol

Adrien Basdevant
Founder at Basdevant avocats
Florence Chafiol
Partner at August Debouzy

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force with the aim of harmonizing the protection of European citizens' privacy. One year later, Adrien Basdevant, founding lawyer of a firm specialized in new technologies law, and Florence Chafiol, partner in August Debouzy's Technologies, Intellectual Property and Media department, share with us their first assessment and their views on the upcoming developments.

What is your first assessment of the application of the GDPR in France?

ADRIEN BASDEVANT

The first observation is the growing awareness among users and the general public of the rights they have (right of access, rectification, erasure, right to lodge a complaint, etc.). This is reflected by the increasing number of complaints filed (the CNIL recorded 11,077 complaints in 2018, an increase of 32.5% compared to the previous year). Most of these rights actually existed for more than forty years in France, but thanks to a very extensive media coverage, the GDPR has led to a better understanding of the issues raised by the processing of personal data. 
 
The main objective of the GDPR is to create a trustworthy ecosystem to reconcile the free flow of data with the protection of individuals. For this to happen, this change of management had to be seen as an opportunity rather than a risk. This seems to be the case, although the increase in the quantum of sanctions (which may go up to 4% of general turnover) has certainly encouraged the stakeholders to comply more quickly. However, this transformation is an ongoing process and not all organisations are ready.
 
After this first year of transition, regulators consider that data controllers and processors have now had time to adapt. The CNIL (French Data Protection Authority) has announced that it now wants to deal with cases firmly. Therefore, after this preparatory phase (consisting of audits, compliance programmes and contract negotiations), investigations and controls will intensify significantly in the coming months and years. In France, sanctions have already been imposed (for example against Google for 50 million euros, in January 2019). I strongly believe that litigations around data issues have only just begun.

What have been the major challenges in bringing companies into compliance (large groups, VSEs/SMEs, start-ups, etc.)?

FLORENCE CHAFIOL

The main principles of the GDPR are applicable to both large and small structures (with the exception of the obligation to keep a register of processing operations which, in principle, should not apply to structures with fewer than 250 employees but for which the CNIL has a very restrictive approach).
 
Nevertheless, I noticed that small structures have long believed that their size could exempt them from complying with the GDPR. One year after the implementation of the GDPR, the latter are now better informed, and the CNIL has published a practical guide to help them understand the obligations that apply to them in terms of compliance.
 
In practice, the implementation of the obligations arising from the GDPR varies according to (i) the technologies used and developed, (ii) the amount of data collected, and the categories of data collected (sensitive or non-sensitive data), (iii) the number of recipients, and (iv) the number of persons concerned by the operations. Therefore, the issues do not differ according to the size of the organization but according to the variants listed. Indeed, a start-up can collect more personal data than an SME and offer technologies that are much more complex from a digital point of view than larger companies.
 
One of the major challenges in bringing companies into compliance has been the implementation of a personal data protection governance system, which is often overlooked by most companies. The advantage of setting up such governance is to integrate data protection issues into each project from the design stage and throughout the life of the personal data.
 
This main challenge raises other issues such as the need to have precise and exhaustive knowledge of the various processing operations carried out by companies, in order to be able to map the different data collected and list these operations.

Companies also had to document their different data protection practices and incorporate personal data clauses into existing documents (e.g. employment contracts). Many companies had already adopted such clauses; however, they did not always match the reality of the personal data processing carried out. Therefore, they had to be revised to take into account the additional obligations imposed by the GDPR in addition to the 1978 Data Protection Act. Companies have hence adapted these policies according to the processing operations, the purposes sought, the categories of data collected and have had to determine the most appropriate legal basis to enable them to set up data processing operations.

The GDPR requires companies to be more transparent about the data processing they carry out. While consumers were used to seeing information at the bottom of personal data collection forms, candidates or suppliers were not used to companies being truly transparent towards them as well. Likewise, companies were not used to being so transparent.
 
Companies had to identify all their suppliers and service providers in order to agree with them on the distribution of their data protection responsibilities, and undertook to qualify the role of each of their suppliers (subcontractor, joint controller, separate controller), a task much more complex and time-consuming than it seems.
 
Companies also had to determine precisely the appropriate retention periods for each personal data collected. This is one of the most complex issues: it requires a close partnership between the legal and IT teams in order to determine retention periods adapted to the company's obligations and limitation periods. Once retention periods have been determined, they must be effectively implemented in internal processes. This is not easy because the tools available to companies are not necessarily adapted to the implementation of efficient data wiping or archiving processes.
 
Finally, companies had to inform and educate all their teams about the challenges related to personal data protection, either through e-learning training, on-site intervention by people specialized in the subject or through written documents.

In any case, the turning point was not obvious for all companies and the transition was harder for some than for others: those who had never done anything since 1978, the date on which the Data Protection Act began to apply, were necessarily busier than the others.

Are we moving towards a global regulation?

ADRIEN BASDEVANT

There is indeed no uniform international regulation. However, a very interesting trend seems to be emerging. The GDPR is becoming a European soft power tool. With no digital giants, unlike China or the United States, the European Union uses the GDPR as an instrument to influence foreign legislation.
 
FLORENCE CHAFIOL

In addition, the many data breach scandals that have had a major media impact, such as Cambridge Analytica, Equifax or Uber, have made personal data protection a central issue and concern worldwide.

  • In the United States, initiatives to adopt legislation to protect personal data are multiplying with the adoption of laws by many States and recently the adoption of the California Consumer Privacy Act (adopted on June 28, 2018, and effective as of January 1st, 2020).
  • Brazil adopted its own data protection regulation on August 14, 2018 (effective February 1st, 2020) to prevent the misuse of personal data and to provide a higher level of confidentiality and security for data subjects.
  • China adopted a law on cybersecurity on November 7, 2016 (entered into force on June 1st, 2017), 11 articles of which are devoted to data protection. It also established general principles in December 2017 (entered into force on May 1st, 2018) that appear to be similar to the European approach.

 
Moreover, several countries have updated their national legislation in order to facilitate discussions with the European Commission for the adoption of an adequacy decision. Indeed, such a decision is taken when the Commission finds that a third country or an international organisation ensures an adequate level of protection in accordance with European principles (Article 45 of the GDPR). For example, this is the case of Japan, for which an adequacy decision was taken on January 25, thereby making data transfers between the countries of the European Union and Japan more fluid.
 
ADRIEN BASDEVANT

This will probably not lead to the development of a harmonised global regulation but can contribute to a convergence towards common standards. This confluence will be all the more likely to occur if the GDPR is perceived as a decisive competitive advantage. Indeed, multinationals will want to take advantage of these regulations to differentiate themselves from their competitors. This is the case of Microsoft, which applies the GDPR not only within the EU but also worldwide, in order to differentiate itself from the practices of other GAFAs.
 
FLORENCE CHAFIOL

The European model could certainly be a global standard for the protection of personal data. However, at this stage, the proliferation of different laws on personal data protection at the global level is somewhat worrying because it complicates the task of companies that have to comply with different regulations, which are not always necessarily compatible.

What should be the next steps to ensure the privacy of European citizens?

ADRIEN BASDEVANT

The next step will be to apply existing rules. Several highly protective provisions, such as those relating to automated decisions or profiling, have never been the subject of judicial decisions. In addition, a more refined interpretation of the GDPR’s principles will be required, for instance updates of sectoral codes of conduct – such as in insurance or health – as well as ensuring their interlinking with advanced technologies (Blockchain, homomorphic encryption, anonymization, etc.). The difficulty and the paradox with self-regulation advocated by the GDPR lie within the form of legal uncertainty it induces for the most proactive and innovative groups. Indeed, in some cases, the latter cannot be certain that their approach will be validated until they are checked.

Finally, it is useful to start ethical discussions on the issues raised by innovative uses. Indeed, ethics make it possible to prepare in advance for future developments (for example, on the question of algorithmic discrimination, or accountability of black boxes, etc.) and for new legal rules to be adopted.

For example, "Privacy by design" was an ethical concept put forward in the 1990s by Ann Cavoukian (head of the Data Protection Office in Ontario) before becoming a legal obligation, thirty years later, within the GDPR. It is nonetheless essential to resist the contemporary temptation of substituting law with ethics, because we need binding rules. Relying solely on soft law to address social issues is not enough.

FLORENCE CHAFIOL

In addition, it is likely that there will be an increase in the number of actions carried out by groups of people wishing to make their voices heard through associations or organisations that can represent them. Indeed, individuals can collectively file complaints if they consider that their data protection rights under the GDPR have been violated. Few actions have been launched so far, but I would not be surprised if this practice develops.
