1 year later, did the GDPR keep its promises?

May 25, 2018 will remain the date on which the European Union launched a new era in the collection and processing of personal data. To deal with the GAFA and with companies that, in exchange for ever more personalized services, collect more and more information on individuals, the EU has acquired an unprecedented arsenal and positions itself as a protector of privacy.

The European Data Protection Regulation (RGPD) now makes public and private organizations responsible for the use of the data they collect and process. This regulation applies to all companies that process personal data on their own behalf or on behalf of a third party. These may be European companies or foreign companies that process the data of European nationals.

The RGPD is based on three essential principles:

· Strengthening the rights of natural persons
· The accountability of actors involved in data processing in companies
· Harmonization of the legal framework at European level

Companies must therefore adopt a responsible approach to the use they make of their data, or else be exposed to fines of up to 20 million euros or even up to 4% of their worldwide turnover.

What has this changed for businesses?

Previously, the general terms of sale or use were the only documents users could refer to in order to know their rights and how their data was collected, processed and exchanged. These documents are generally displayed on little-visited pages of websites, and their length in particular does not encourage reading. In practice, the end user does not have clear information about how their data is used.

From now on, businesses have a duty to inform users and must explain the purposes of collection: why is the data collected and for what purpose? The purposes must be related to the company's core business and, above all, be relevant. For example, you cannot ask for an individual's height in order to offer them an entertainment service.

Complying with data protection regulations is a process that can seem tedious and time-consuming. However, it is part of a long-term approach that makes it possible to gather all the information needed to prove the company's good faith. Every business must now maintain a register listing its data processing activities, giving it an overview of how its data is used.

For businesses that have doubts or are not yet in full compliance, the CNIL offers a guide to help them comply and avoid any trouble.

In addition to these technical changes, there are changes in human resources. Indeed, one of the fundamental principles of the GDPR is the accountability of data processing within companies. That is why the data controller must appoint a Data Protection Officer (DPD or DPO, for Data Protection Officer). The latter can be one of the company's employees, but can also be a third party. The DPO is responsible for implementing compliance with the European Data Protection Regulation within the body that appointed them, with regard to all the processing operations carried out by that body.

Harmonization at the European level and the coercive nature of fines as grey areas

The implementation of the GDPR was a major upheaval, as the authorities had promised. A collective awareness is apparent, and the figures speak for themselves:

  • The CNIL received more than 11,000 complaints and carried out more than 300 checks in 2018;
  • 70% of French people say they are more sensitive to the protection of their data than in the past;
  • Visits to the CNIL site grew by 80% in 2018 compared to 2017;

The G29, the authority that brings together the 29 European CNILs, conducted several investigations concerning data theft or non-compliance with the provisions of the RGPD:

The first investigation concerned the theft of data from 57 million users of the Uber application; a fine of €400,000 was imposed. This is paltry compared with the company's turnover (11 billion euros in 2018).

The second and most high-profile is the fine imposed on Google. In response to complaints from thousands of users, relayed by the digital rights associations None of your business and La Quadrature du net, which criticized Google for "not having a valid legal basis for processing the personal data of users of its services, in particular for the purposes of personalizing advertising", the G29 investigated, found the firm guilty of breaching the RGPD, and imposed a fine of 50 million euros.

Despite all the efforts of European countries to counter the stranglehold of large companies (especially the GAFA) on the collection and exchange of massive amounts of data, the sanctions imposed are not punitive enough to change behavior and thus deliver on the promises of the GDPR. Take, for example, the sanctions imposed on Google by the European Commission for competition matters. Margrethe Vestager, who heads it, has made Google her scapegoat and imposed no fewer than three fines in three years. These fines have been imposed systematically for abuse of a dominant position and have shown that Europe is no longer naive in the face of large groups.

These fines offer the European regulator a new window of opportunity regarding data protection and the application of the RGPD. However, it is much more difficult to prove a breach of the GDPR and to punish it, because the legislative framework is still unclear on some points. Thus, the CNIL's many warnings and sanctions certainly have a more resounding effect thanks to the new legislative framework, but, as always with harmonization at the European level, the differences in viewpoint and treatment are marked.

Since the implementation of the RGPD, foreign companies that process the data of European nationals answer to the CNIL equivalent of the country where they have set up their headquarters. We thus observe that businesses choose countries where regulators are much more flexible and accommodating, in order to benefit from leniency or even arrangements. Take the example of Ireland, which has one of the lowest corporate tax rates in Europe but also a data protection authority that is among the least vigilant regarding compliance with the RGPD. It should be noted that the GAFA have all established their European headquarters there. This is another source of dissatisfaction that is making people cringe in the upper echelons of the European Commission.

How do technological innovations (IoT, AI, 5G, etc.) offer new sources of data collection and undermine current regulations?

The Internet of Things represents the interconnection of various objects (telephones, refrigerators, televisions, sensors, etc.) using information and communication technologies (ICT). These objects are also used by companies to improve their processes and reduce their costs, but in recent years we have observed real enthusiasm among individuals looking for something new. It is estimated that 40% of households in the world have at least one connected object, and this rate rises to 70% in the United States.

Data reported in real time gives companies a real treasure trove: the data is in its raw state and can cover an entire part of an individual's private life. With the advent of 5G, the density of connected devices will increase considerably thanks to higher throughput and reduced latency, which will further encourage this movement.

However, uses are not limited to commercial and marketing purposes. For example, advances in artificial intelligence give doctors new support in their diagnoses. Hospitals and cancer research centers are increasingly using deep learning and big data analytics software to refine cancer screening. AI also allows doctors to offload certain repetitive and time-consuming tasks by automating these processes.

Numerous scandals are tempering the enthusiasm for all these new technological feats, and once again a GAFA is in the dock: Amazon. The firm run by Jeff Bezos is at the heart of a scandal over the surveillance of users of the Alexa smart speaker. According to the company's management, conversations can be recorded to improve the effectiveness of the virtual assistant. Moreover, it is not explicitly stated that conversations can be listened to, and while the user can limit the use of recordings, they can never prevent their transmission!

It would damage the credibility of the GDPR to see small businesses penalized for minor breaches if Amazon faced no legal action over this case.

A great deal of work has been done on the protection of personal data. The GDPR now offers a legal framework for the collection and processing of user data. However, as with every legal decision in Europe, differences in viewpoint bring their share of disparities between the states that apply it.

Moreover, there is a general awareness both among the population and among the public authorities. The echo of this regulation has reached California, land of the GAFA. The regulator took the lead following residents' discontent and voted to implement a local GDPR: the California Consumer Privacy Act. It is a very light version, but it augurs possible harmonization at the global level. To be continued...