The new European regulation on personal data will become officially applicable in May 2018. The regulation, which complements and strengthens a European directive from 1995, guarantees unprecedented rights for citizens, including the right to be forgotten, the right to data portability, and the right to be informed of security failures in the event of a breach involving personal data… But for these measures to be effective, companies in the data sector will have to be in agreement. However, they have little time to comply with this new legislation that, for most companies, will require major organizational changes. Failure to make these changes will expose them to the risk of heavy sanctions.
With very little media coverage, the European Union adopted the new General Data Protection Regulation (GDPR) on April 27, 2016. Yet this massive piece of legislation, featuring 99 articles, includes plenty of issues that should arouse the interest of European citizens. Because, starting on May 25, 2018, when the regulation becomes officially applicable in the Member States, users of digital services will acquire new rights: the right to be forgotten, in the form of a right to be dereferenced, an increased consideration of their consent to use or not use their personal data, increased transparency on the use of this data… And the two-year period, from the moment the regulation was adopted to the time of its application, is intended to enable companies to adapt to these new constraints.
However, despite this deferment period, Claire Levallois-Barth, coordinator of the IMT chair Values and policies of personal information (VPIP) assures us that “two years is a very short period”. The legal researcher bases this observation on the work she has carried out among the companies she interviewed. Like many stakeholders in the world of digital technology, they find themselves facing new concepts introduced by the GDPR. Starting in 2018, for example, they must ensure their customers’ right to data portability. Practically speaking, each user of a digital service will have the option of taking his or her personal data to a competitor, and vice versa.
Two years does not seem very long for establishing structures that will enable customers to exercise this right to data portability. Because, although the regulation intends to ensure this possibility, it does not set concrete procedures for accomplishing this: “therefore, it is first necessary to understand what is meant, in practical terms, by a company ensuring its customers’ right to data portability, and then define the changes that must be made, not only in technical terms, but also in organizational terms, including the revision of current procedures and even the creation of new procedures,” explains Claire Levallois-Barth.
The “privacy by design” concept, which is at the very heart of the GDPR, and symbolizes this new way of thinking about personal data protection in Europe, is just as restricting for organizations. It requires the integration of all of the principles that govern the use of personal data (principles of purpose, proportionality, duration of data storage, transparency…) in advance, beginning at the design phase for a product or service. Furthermore, the regulation is now based on the principle of responsibility, which implies that the company itself must be able to prove that it respects this legislation by keeping updated proof of its compliance. The design phases for products and services, as well as the procedures for production and use must therefore be revised in order to establish internal governance procedures for personal data. According to Claire Levallois-Barth, “for the most conscientious companies, the first components of this new governance were presented to the executive committee before the summer of 2016.”
Being informed before being ready
While some companies are in a race against time, others are facing problems that are harder to overcome. During the VPIP Chair Day held last November 25th, dedicated to the Internet of things, Yann Padova, the Commissioner specializing in personal data protection at the French Energy Regulatory Commission (CRE), warned that “certain companies do not yet know how to implement the new GDPR regulations.” Not all companies have access to the skills required for targeting the organizational levers that must be established.
For example, the GDPR mentions the requirement, in certain cases, for a company that collects or processes users’ data, to name a Data Protection Officer (DPO). This expert will have the role of advising the data controller—in other words, the company—to ensure that it respects the new European regulation. But depending on the organization of major groups, some SMEs will only play a subcontracting role in data processing: must they also be prepared to name a DPO? The companies are therefore faced with the necessity of quickly responding to many questions, and clear-cut answers do not always exist. And another reality is even more problematic: some companies are not at all informed of the contents of the GDPR.
Yann Padova points out that before they can be ready, companies must be aware of the challenges. Yet he recognizes that he “does not see many government actions in France that explain the coming regulations.” Joining him to discuss this subject on November 25, lawyer Denise Lebeau-Marianna—in charge of personal data protection matters at the law firm of Baker & McKenzie—confirmed this lack of information, and not only in France. She cited a study on companies’ readiness for the GDPR that was carried out by Dimensional Research and published in September 2016. Out of 821 IT engineers and company directors in the data sector, 31% had heard about the GDPR, but were not familiar with its contents, and 18% had never heard of it.
Without sufficient preparation, companies will face risks… and sanctions
For Claire Levallois-Barth, it seems obvious that with all of these limits, not all companies will comply with all aspects of the GDPR by 2018. So, what will happen then? “The GDPR encourages companies to implement protection measures that correspond to the risk level their personal data processing activities present. It is therefore up to companies to quantify and assess this risk. They then must eliminate, or at least reduce the risks in some areas, bearing in mind that the number of data processing operations is in the tens or even hundreds for some companies,” she explains. What will these areas be? That depends on each company, what it offers its users and its ability to adapt within two years.
And if these companies are not able to comply with the regulations in time, they will be subject to potential sanctions. One of the key points of the GDPR is an increase in fines for digital technology stakeholders that do not comply with their obligations, especially regarding user rights. In France, the CNIL could previously impose a maximum penalty of €150,000 before the Law for a Digital Republic increased this amount to €3 million. But the GDPR, a European regulation with direct application, will repeal this part of French regulation in May 2018, imposing penalties of up to €20 million euros or 4% of a company’s total annual worldwide turnover.
The new European Committee for data protection—currently called G29—will be in charge of organizing this regulation. This organization, which combines all of the European Union CNILs, has just published its first three notices on the regulation issues that require clarification, including portability and the DPO. This should remove some areas of uncertainty surrounding the GDPR, the biggest of which remains the question of the GDPR’s real, long-term effectiveness.
Because, although in theory the regulation proposed by the EU is aimed at better protecting users’ personal data in our digital environment, and at simplifying administrative procedures, many points still seem unclear. “Until the regulation has come into effect and the European Commission has published the implementing acts presenting the regulation, it will be very difficult to tell whether the protection for citizens will truly be reinforced,” Claire Levallois-Barth concludes.