If you opened your mailbox the past two months, you are aware of it. You probably received an avalanche of emails warning you that the services and newsletters you subscribed to are changing their privacy policy and terms of use to comply to the GDPR. If they actually respect the legislation (it is far from being the case for all), these services even asked you to renew your consent for receiving emails and for your data processing. GDPR, consent, data? What are we talking about?
GDPR, what is that?
Let’s start with the basis. The GDPR is a European regulation, so it means he had a direct effect. It applies directly on all the European Union’s territory, by any citizen. If some national laws were also recently voted, it was only to adapt the applicable national legislation and precise some points of the regulation.
The main objective of the GDPR is to protect individuals regarding their personal data processing.
What are personal data?
Personal data are any information related to an identified or identifiable natural person, i.e. that can be identified, directly or indirectly, especially by referring to an ID such as a name, an identification number, localisation data, an online ID, or to one or several specific elements related to their physical, physiological, genetic, psychic, economic, cultural or social identity.
To make it simple: any information allowing to find an individual. Some information that would not be considered as personal data only can be considered as such if they can be cross-checked with other information allowing the identification. For example, an IP address (the identification number that is assigned to us when we use the Internet) can be considered as personal data when it is crossed with another data like a connection time.
Who is the regulation applying to?
The GDPR has a broad field of application. It applies to data processing made by any legal person (company, association, etc.) carrying out an activity in the EU, and to personal data processing that concerns individuals located in the EU territory. This applies to any European situated in Europe when the data are processed, but it goes even further. For example, the GDPR applies to a Chinese citizen’s data which would be stored in Facebook’s data centers in Ireland, and not in the United States. An American citizen living in Paris also benefits from the protection granted by the regulation when they use online services.
“Data processing” is defined by article 4 GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
What’s new for the protection of our data?
The GDPR establishes several principles and rights regarding the processing of our personal data.
Lawfulness, loyalty, transparency…
The concerned persons must give their consent to the collect of their data on a free, specific, active and unambiguous way (opt-in). They can withdraw their consent at any time. The individual has to be informed first on which data will be processed, when and why. An email only informing you of a change in the service’s terms of use is thus insufficient. Concretely, you have to tick boxes after having been informed about the data that are collected on you. Likewise, the 25-page terms of use that no one reads should be prohibited in principle, because they do not comply with the obligation of clarity established by the regulation. Finally, you should be able to refuse that your data are collected if they have nothing to do with the service you subscribe to. For example, you should be able to subscribe to a music streaming service without having to communicate the three last concerts you attended.
Data safety and compensation for damages
The processing must ensure personal data’s safety. This implies confidentiality obligations and cybersecurity measures to ensure data integrity. This also implies that you can obtain redress in the event of data leak or for any other infraction to the regulation that would have harmed you. To facilitate this process, the GDPR opens the way to group actions (through certified associations) to obtain redress.
Limitation of data transfer outside of the EU
Articles 45 to 50 GDPR establish extremely restrictive conditions concerning data transfer towards EU third countries, despite an adequacy decision. Such a decision is taken by the European Commission if it notices that the third country ensures an adequate level of data protection. Adequacy decisions were taken for countries like Andorra, Argentina, Canada, Israel, New Zealand, Switzerland or Uruguay. An adequacy decision was also adopted on the basis of the Privacy Shield agreement with the United States. These decisions being taken unilaterally, they can also be revoked in the same way (except for international agreements foreseeing them).
Why will business companies respect the GDPR?
For the skeptics, the GDPR has a convincing argument: breaching on your obligations can turn out to be costly. In addition to the compensation that the individuals can legally demand, the administrative fines for failure to respect the regulation are extremely high. They can reach up to 10 million € or 4% of the company’s global turnover.
The compliance upgrade with the regulation is far from being acknowledged by the business companies. In all likelihood, an adaptation period will be necessary. Time will also be needed for the individuals to be aware of their new rights. This will probably happen through the involvement of specialised associations. But eventually, it is a unique advance for the citizens’ private life, that would not have been possible without the European Union.
Follow the comments:
|
