Data protection is a growing issue on every continent. With the GDPR, in effect since May 2018, the EU has taken a major step forward. The GDPR was the object of a hard-fought policy battle, both inside Europe and externally, from the start of its preparation in 2012.
The new challenges are not only that corporations need new data governance in line with the central role of data in economic models, AI and public policies; not only that we are facing major data leaks and dealing with new security issues; but also that there is a kind of confidence crisis among citizens towards the digital society and its services in all our countries.
The core principle of the GDPR is to reaffirm data protection, including privacy protection, as a fundamental human right, while recognising that it is not an absolute right. It has to be considered in relation to the function of data in society and balanced against other fundamental rights, in accordance with the principle of proportionality, as stated in Recital 4 of the Regulation. On the one hand, we have to meet the social expectations of consumers and citizens and prevent private and public harms. On the other hand, we hope to leave enough space for firms to grow and for new technologies to be invented.
On the GDPR side, the Regulation has five main objectives. First, it creates a European data market for our 500 million consumers and ensures that this market is subject to the same law all over Europe. Second, it reinforces the security obligations of all stakeholders through, for example, data breach notification, sub-contractor (processor) liability and mandatory risk analysis. Third, it strengthens the rights of individuals through consent, transparency of information, and new rights such as data portability. Fourth, it sets up real corporate data governance through the accountability principle and its tools, including the data protection officer (DPO), privacy impact assessments (PIA) and data maps. Finally, it aims to make sure the GDPR is respected by European and international players operating on EU territory when they collect data from European citizens. This strategy includes the 'one-stop shop' mechanism, reinforced cooperation between the 28 EU Data Protection Authorities, and extraterritorial effect, which is a natural extension of local protection.
EU regulators have played a major role over the last year with respect to the GDPR. First, we had to raise awareness to ensure that the GDPR is known and understood, which required tremendous efforts on many fronts: MOOCs, social media, leaflets, workshops and conferences. Second, we wanted to assist corporations in their compliance efforts. This includes helping them develop sectoral DPO networks, co-building sectoral compliance tools with them, and giving specific support to SMEs and start-ups in proportion to their size. Third, we positioned sanctions as a deterrent. Though sanctions are not a goal in themselves, they are necessary to deter non-compliance. In that respect, the coming months will be strategic for demonstrating the effectiveness of the new architecture of cooperation between European regulators when facing international actors. Last but not least, we hope to contribute to EU 'data diplomacy' with 'third countries' by demonstrating that the GDPR can be an effective regulatory standard and by staying open to interoperability and dialogue with our counterparts.
Given the new expectations of consumers and users, data protection appears to be a key lever for a sustainable digital environment based on trust. Though common ground has been emerging, many variations still exist between jurisdictions, so that simply copying the GDPR will not work elsewhere. We deeply believe that 'interoperability' of regulatory regimes is key to limiting the fragmentation of the digital space.
Counsellor of State of France; former chair of the CNIL, WP29 and ICDPPC. She spoke at Luohan Academy's 2019 Digital Economy Conference in Hangzhou.