28th January 2020: “Privacy Day”: a brief review of the application of the General Data Protection Regulation (GDPR)
Today, as every year since 2006, 28 January (the date on which the Council of Europe's "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", Convention 108, was opened for signature) gives the various national authorities an opportunity to run public-awareness actions on the right to protection of personal data and to respect for private life. Too many people still do not know how to react when their rights have been violated, nor which national institution to turn to in that case. The Stefano Rodotà Award, which recognises innovative and original academic research projects in the field of data protection, is also presented on this day.
The legal concept of personal data has remained relatively stable. In the French "Loi Informatique et Libertés" of 1978, and then in the 1995 Directive, it was referred to as "personal information". With the GDPR it becomes "personal data", i.e. any data that makes it possible to identify a natural person, either directly or indirectly (for example by cross-referencing it with other records).
Although the GDPR introduces few genuinely new concepts, it is a revolution for all companies because of the principle of accountability and the much heavier penalties it brings (fines of up to 4% of annual turnover for non-compliance). As very few companies actually complied with the law of 6 January 1978, the entry into application of the European regulation caused difficulties in adapting to the new legislation, since they were starting from scratch.
Three years ago, companies were reluctant to protect the personal data they held, as the penalties were not sufficiently dissuasive. Today the stakes are different: companies are seeking advice on how to carry out projects in line with the various compliance obligations (privacy by design), in order to build a stronger business. Nevertheless, some of the obligations set out in the GDPR are difficult for these companies and for public authorities to implement, because the regulation grants natural persons new rights that are not sufficiently defined, leaving a certain vagueness as to how they are to be applied. This is the case for the right to data portability, the right to restriction of processing, data protection impact assessments (for which companies must refer to the lists drawn up by the CNIL of processing operations that do or do not require one), and the right of an individual to give instructions on what is to be done with his or her data after death (a right contained in the French Data Protection Act).
Moreover, internal organisation and governance of personal data, as understood in the European regulation, require that all departments within a company communicate and collaborate with one another. This is rarely the case.
Finally, the strongest criticism of the new regulation remains that it imposes the same new obligations, without exception, on both SMEs and large companies, even though their stakes, and above all their financial resources, are not the same. The cost of compliance is relatively high: appointing a data protection officer (compulsory only in certain cases, yet companies that are not legally required to appoint one often prefer to do so rather than risk a penalty of 4% of annual turnover), impact assessments, production of documentation, the principle of accountability, and so on. These obligations are strict and not necessarily well suited to SMEs. It remains to be seen whether the GDPR will be adjusted in the future.