On 27 April 2016, the European Parliament and the Council adopted a new legal regime for the protection of personal data in the form of the General Data Protection Regulation (GDPR). The rules in question, which are particularly innovative, became applicable on 25 May 2018.
As a regulation, the GDPR applies directly in every Member State without transposition; adapting French law to it nonetheless requires a major overhaul of the guarantees attached to the personal information each of us has to hand over daily in order to obtain many services. This seems all the more necessary and urgent as the rise of the digital economy, through the proliferation of services offered on the internet, constantly increases the risk of infringement of the privacy of users, that is to say of our own privacy. But what exactly are we talking about?
The new instrument applies to “controllers” (Article 4.7), i.e. those who determine the purposes and means of the processing for which they are responsible, assisted where appropriate by “processors” (Article 4.8). It applies to each of them either because they are established in the European Union (hereinafter the EU), wherever the processing itself takes place, or because, although established outside the EU, they process the data of individuals who are in the EU in connection with the offering of goods or services to those individuals or the monitoring of their behaviour (Article 3).
The concept of « processing » refers to operations relating to “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of any personal information (article 4.2).
The beneficiaries of the GDPR are all natural persons (“data subjects”) who can be identified, directly or indirectly, from information relating to them held by a processing operator (controller or processor), whether or not they supplied that information themselves; identifiers such as “a name, an identification number, location data, an online identifier or [other] factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” are among the items covered (Article 4.1).
European Law aims to improve the protection of ‘personal data’ by two complementary approaches:
abolishing the formal system of prior declaration of processing to the supervisory authority;
and replacing it with substantive mechanisms of continuous compliance that the operators themselves must run and be able to demonstrate.
Inspired by Anglo-Saxon Law, the reform focuses on the permanent accountability of operators rather than on the reiteration of one-off formalities whose value weakens over time. The basic idea is to oblige the responsible persons to establish permanent guarantee mechanisms, which must be not only efficient but also effective in the long term. Data protection by design and by default (Article 25), i.e. building the protection measures into the processing operations themselves rather than bolting them on afterwards, takes up the “privacy by design” and “privacy by default” principles formulated in the mid-1990s by the Canadian privacy commissioner Ann Cavoukian in order to improve the prevention of any violation of privacy.
Rights of the People Concerned
Individual consent is presented as the cornerstone of the regulation insofar as much of the legal protection depends on the specific terms under which it is given (it is worth noting, however, that consent is only one of the six lawful bases for processing listed in Article 6, alongside, for instance, the performance of a contract or a legal obligation). It is therefore not surprising that the GDPR obliges the responsible persons to be able to demonstrate (Article 7) that the will of the data subject was expressed “freely given, specific, informed and unambiguous[ly]” by means of a statement or a clear affirmative action (Article 4.11).
As to the information that must be supplied so that the person agreeing to hand over personal data does so knowingly, European Law requires the controller to inform the data subject on various topics, including in particular:
“the identity and the contact details of the controller”;
“the purposes of the processing”;
“the recipients or categories of recipients of the personal data”;
“the period for which the personal data will be stored”;
as well as all the individual rights attached to the protection and the conditions for exercising them throughout the duration of the processing (Article 13).
The individual guarantees offered by the GDPR consist, for the most part, in six major rights:
the « Right of access by the data subject » (Article 15);
the « Right to erasure » better known as the Right to be forgotten (Article 17);
the « Right to restriction of processing » (Article 18);
the « Right to object » (article 21);
the « Right to data portability » (Article 20);
and the « Right to rectification » (Article 16).
The controller must respond to requests made under these individual rights within one month of receipt, a period which may be extended by two further months where necessary, “taking into account the complexity and number of the requests” (Article 12.3); the data subject must be told of any such extension, and of the reasons for it, within the first month.
Controls, sanctions and remedies
In France, supervision of the implementation of the GDPR is carried out by the Commission Nationale de l’Informatique et des Libertés (hereinafter the CNIL). For the performance of its public-interest tasks, the CNIL enjoys special prerogatives derived from public authority. As an Independent Administrative Authority, it can:
“order the controller and the processor […] to provide any information it requires for the performance of its tasks”;
“carry out investigations in the form of data protection audits”;
“notify the controller or the processor of an alleged infringement”;
“obtain, from the controller or the processor, access to all personal data and to all information necessary for the performance of its tasks”;
“obtain access to any premises of the controller and the processor, including to any data processing equipment and means” (Article 58.1).
Significant breaches of the Regulation give rise to administrative fines, the ceiling of which is:
20 000 000 EUR or, “in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, for the most serious violations, namely those affecting the basic principles of processing (including the conditions for consent), the rights of data subjects, international transfers or an order of the supervisory authority (Article 83.5);
10 000 000 EUR or, “in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, for infringements of the specific obligations of controllers and processors, such as record-keeping, security of processing, breach notification, impact assessments or the appointment of a Data Protection Officer (Article 83.4).
Within that ceiling, the amount of the fine must be assessed against an extensive list of eleven criteria, the first of which is “the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them” (Article 83.2.a).
As regards infringements of the protection of personal data which are not subject to administrative fines, the GDPR leaves it to the Member States to lay down other penalties, provided that they remain “effective, proportionate and dissuasive” (Article 84). Under the French Data Protection Act as it stood when these lines were written, the CNIL was empowered in this context to issue warnings, to order the cessation of unlawful processing, and to impose pecuniary sanctions of up to 150 000 EUR, or 300 000 EUR in the event of a repeat offence.
GDPR breaches open three different avenues of complaint. The first is for victims and consists in lodging a complaint with the supervisory authority of the Member State of their habitual residence, their place of work or the place of the alleged infringement (Article 77). The second is for persons affected by a legally binding decision of a supervisory authority and consists in bringing court proceedings against that authority (Article 78). In France, controllers or processors sanctioned by the CNIL have two months to bring an action for annulment or variation of the decision before the administrative judges of the Conseil d’Etat.
Finally, the third avenue is for victims and consists in seeking a judicial remedy directly against a controller or processor (Article 79). The competent court is either that of the Member State where the controller or processor is established or that of the Member State where the data subject has his or her habitual residence.
Where two or more controllers have “jointly determined the purposes and means” of the unlawful processing, they are joint controllers (Article 26.1), and the victim may then claim compensation for the entire damage from any one of them, it being for that controller to recover from the others their share of the compensation (Article 82.4 and 82.5).
The regulation organizes the prevention of personal data infringements through three innovative instruments that should be mentioned briefly.
Processing “likely to result in a high risk to the rights and freedoms of natural persons”, having regard to its nature, scope, context and purposes, must be subject to a “data protection impact assessment” (Article 35). Carried out before the sensitive processing begins, the assessment describes the operations envisaged and their purposes, demonstrates their necessity and proportionality, measures the risks they pose to the rights of the persons concerned, and sets out the measures adopted in response to those risks; where the residual risk remains high, the controller must consult the supervisory authority before proceeding (Article 36).
The regulation requires the appointment of a Data Protection Officer (DPO) in three cases: when the processing is carried out by a public authority; when the core activities of the controller or processor require “regular and systematic monitoring of data subjects on a large scale”; or when those core activities consist of large-scale processing of special categories of data (health, genetic or biometric data, political opinions and so on) or of data relating to criminal convictions and offences (Article 37). The DPO acts independently and is responsible for monitoring the ongoing compliance with the GDPR of the operations carried out under the authority of the controller or the processor (Articles 38 and 39).
Finally, all processing activities, whether or not they involve sensitive data, must be described in a ‘record of processing activities’ kept up to date by the controller and the processor, which must be made available to the supervisory authority on request and which serves to demonstrate continuously compliance with the obligations imposed by the GDPR (Article 30). Organizations with fewer than 250 employees are exempt from this record unless the processing is likely to result in a risk to the rights of data subjects, is not occasional, or involves special categories of data or criminal conviction data (Article 30.5).