On May 25th, the GDPR came into effect. This new regulation requires administrations and companies in the 27 EU countries to comply with the law on the protection of personal data. Since its creation in 2013, the IMT Research Chair Values and Policies of Personal Information (CVPIP) aims to help businesses, citizens and public authorities in their reflections on the collection, use and the sharing of personal information. In this article, Claire Levallois-Barth, coordinator of the Chair, and Ivan Meseguer, co-founder, return to the geopolitical and economic context in which the GDPR is part and the obstacles that remain to its effective implementation.
The original version of this article was published on the VPIP Chair website. This Chair brings together researchers from Télécom ParisTech, Télécom SudParis and Institut Mines Télécom Business School, and is supported by the Fondation Mines-Télécom.
We were all expecting it.
The General Data Protection Regulation (GDPR)[1] came into force on May 25, 2018. This milestone gave rise to numerous reactions and events on the part of companies and institutions. As the Belgian Data Protection Authority put it, there is undoubtedly “a new wind coming, not a hurricane!” – which seems to have blown all the way across the Atlantic Ocean, as The Washington Post pointed out the creation of a “de-facto global standard that gives Americans new protections and the nation’s technology companies new headaches”.[2]
Not only companies are having such “headaches”; EU Member States are also facing them as they are required to implement the regulation. France,[3] Austria, Denmark, Germany, Ireland, Italy, the Netherlands, Poland, the United Kingdom and Sweden have already updated their national general law in order to align it with the GDPR; but to this day, Belgium, the Czech Republic, Finland, Greece, Hungary and Spain are still submitting draft implementation acts.
And this is despite the provisions and timeline of the bill having been officially laid down as early as May 4, 2016.
The same actually goes for French authorities, as some of them have also asked for extra time. Indeed, shortly before GDPR took effect, local authorities notified they weren’t ready for the Regulation, even though they had been aware of the deadline since 2016, just like everyone else.
Sixty French senators further threatened to refer the matter to the Constitutional Council, and then actually did, requesting a derogation period.
In schools and universities, GDPR is getting increasingly significant, even critical, to ensure both children’s and teachers’ privacy.
The issue of social uses and practices being conditioned as early as in primary school has been studied by the Chair Values and Policies of Personal Information (CVPIP) for many years now, and is well exemplified by major use cases such as the rise of smart toys and the obvious and increasing involvement of U.S. tech giants in the education sector.
As if that wasn’t enough, the geographical and economic context of the GDPR is now also an issue. Indeed, if nothing is done to clarify the situation, GDPR credibility might soon be questioned by two major problems:
- U.S. non-compliance with the EU-U.S. Privacy Shield agreement, which was especially exposed by the Civil Liberties Committee (LIBE) of the European Parliament;[4]
- The signing into law on March 23, 2018 – i.e. precisely before GDPR enforcement – of the Clarifying Lawful Overseas Use of Data (CLOUD Act) by Donald Trump.
The CLOUD Act unambiguously authorises U.S. authorities to access user data stored outside the United States by U.S. companies. At first glance, this isn’t sending a positive and reassuring message as to the U.S.’s readiness to simply comply with European rules when it comes to personal data.
Besides, we obviously should not forget the Cambridge Analytica scandal, which led to multiple hearings of Mark Zuckerberg by astounded U.S. and EU institutions, despite Facebook having announced its compliance with GDPR through an update of its forms.
None Of Your Business (Noyb), the non-profit organisation founded by Austrian lawyer Max Schrems, filed four complaints against tech giants, including Facebook, over non-compliance with the notion of consent. These complaints reveal how hard it is to protect the EU model in such a global and digital economy.[5]
Such truly European model, which is related neither to surveillance capitalism nor to dictatorial surveillance, is based on compliance with the values shared by our Member States in their common pact. We should refer to Article 2 of the Treaty on European Union for as long as needed:
“The Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities. These values are common to the Member States in a society in which pluralism, non-discrimination, tolerance, justice, solidarity and equality between women and men prevail”.
Furthermore, Article 7 of the Charter of Fundamental Rights of the European Union clearly and explicitly provides that “everyone has the right to respect for his or her private and family life, home and communications”.
Such core values are not only reflected by GDPR, but by the whole body of legislation under construction it is part of, which includes:
- The Draft ePrivacy Regulation, which aims to extend the scope of current Directive 2002/58/EC to over-the-top (OTT) services such as WhatsApp and Skype as well as to metadata; [6]
- The draft Regulation on the free flow of non-personal data,[7] which has generated heated debates over the definitions of “non-personal data” and “common data spaces” (personal and non-personal data)[8] and which, according to European MP Anna Maria Corazza Bildt, aims to establish the free flow of data as the fifth freedom in the EU’s single market.<[9]
Besides, the framework on cybersecurity is currently being reviewed in order to implement a proper EU policy that respects citizens’privacy and personal data as well as EU values. 2019 will undoubtedly be the year of the cyberAct.[10]
A proper European model, respectful of EU values, is therefore under construction.
It is already inspiring and giving food for thought to other countries and regions of the world, including the United States, land of the largest tech giants.
In California, the U.S.’s most populous state, no less than 629,000 people signed the petition that led Californian MPs to pass the California Consumer Privacy Act on June 28, 2018. [11]
The Act, which takes effect on January 1, 2020, broadens the definition of “personal information” by including tracking data and login details, and contains provisions similar to the GDPR’s on:
- Individuals’ ability to control their personal information, with new rights regarding transparency, access, portability, objection, deletion and choice of the collected information;
- The protection of minors, with the prohibition from selling or disclosing the personal information of a consumer under 16 years of age, “unless affirmatively authorised”;
- The violation of personal data, with the right to institute a civil action against a company in the event of a data theft caused by the absence of appropriate security procedures.
California, the nation’s leading state in privacy protection, is setting the scene for major changes in the way companies interact with their customers. The Act, the strictest ever passed in the U.S., has inevitably been criticized by the biggest Silicon Valley tech companies, who are already asking for a relaxation of the legislation.
Let us end with an amusing twist by giving the last word to the former American president (yet not the least among them), Barack Obama. In a speech addressing the people of Europe, in Hanover, Germany, in 2016, he proclaimed:
“Europeans, like Americans, cherish your privacy. And many are skeptical about governments collecting and sharing information, for good reason. That skepticism is healthy. Germans remember their history of government surveillance – so do Americans, by the way, particularly those who were fighting on behalf of civil rights.
So it’s part of our democracies to want to make sure our governments are accountable”[12]
Also read on I’MTech