Data protection: discover what's new in the RGPD.


RGPD (General Data Protection Regulation): Instructions for use!
Updated October 5, 2019

At a time when recent scandals are driving changes in privacy policies, data and its management have never been so much at the heart of the debate.

"Ideas change, data remains". This is how the CNIL, or Commission Nationale de l'Informatique et des Libertés, tends to illustrate the problem of data today, as part of its campaign to raise awareness about the protection of personal data on the Internet.

This idea refers to the fact that today, any browsing on the Internet will result in the collection of data by the sites consulted by the individual.

This data is then often stored and sometimes used or even sold without the customer's knowledge or consent.

This is where data protection on the Internet really comes into its own. It's all about protecting people's data.

But what does the law say today to protect individuals' data? What changes are foreseen by the new law, RGPD? And finally, what about the regulations and penalties provided for in the event of non-compliance with these laws?

Focus today on data protection on the Internet!

Dossier: What's new in data protection?

What are the current regulations?

In France, data protection on the Internet is nothing new. In fact, national authorities decided to take a stance on the subject relatively early on.

With the establishment of the French Data Protection Act of January 6, 1978, an Independent Administrative Authority (Autorité Administrative Indépendante or AAI) was set up to ensure compliance with the law, and to inform French citizens of their rights and obligations: the CNIL.

The CNIL is a privileged contact: if a third party or organization fails to respect the use of your personal data on the Internet, you can lodge a complaint directly on the CNIL website.

Following this, it will conduct an investigation to determine whether or not any harm has been caused. The Conseil d'Etat has even granted it court status.

It's also worth noting that Article 9 of the French Civil Code aims to protect the right to privacy and thus the protection of personal data on the Internet.

At European level, the issue has also been addressed with the introduction of a directive on October 24, 1995.

Article 1 reinforces the idea that "Member States shall ensure, in accordance with this Directive, the protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data".

The ECHR, or European Court of Human Rights, also monitors the protection of personal data, relying on a broad interpretation of Article 8 of the European Convention on Human Rights.

Finally, there is also cooperation at European level between national CNILs.

What changes are coming with the RGPD?

The RGPD, which will be applicable throughout Europe from May 25, reinforces French and European law that is already protective.

First and foremost, the aim is to make companies aware of their responsibilities in terms of data protection.

As such:

  • Firstly, they must ensure that all personal data processing is properly identified, in order to meet traceability and transparency requirements. For this reason, a data processing register must be kept at all times.
  • What's more, companies will have to be leading players in the fight against risks that could affect users' privacy. Thus, the concepts of "privacy by design", which corresponds to the establishment of the highest level of confidentiality, and "privacy by default", which aims to ensure the protection of users' privacy with regard to the product or service in question, will be central.
  • The RGPD also requires most companies to appoint a Data Protection Officer or DPO to facilitate dialogue with the CNIL and ensure proper compliance with the text.
  • Transparency and respect for people's rights are top priorities. Users must be able to choose whether or not to allow companies to use their data, and companies must ensure that users are given clear information about how their data will be used.
  • Finally, in the event of a breach of privacy, it is compulsory for all companies to notify the CNIL, on pain of penalty.

For private customers, the changes will be more discreet:

  • A legal age of consent to the use of data has been established. From the age of 16, a minor can consent to and use a social network without parental consent.
  • The law will also enable users to port their data between two services, if and only if they so wish.
  • Finally, sanctions are now possible for any user whose data is used against his or her will.

Regulations / penalties for non-compliance with the law

First of all, it is important to point out that sanctions were already provided for under the January 6, 1978 law.

However, the latter were capped at €150,000 for a first offence and €300,000 for a repeat offence.

The RGPD will introduce a new, extremely dissuasive scale of potential sanctions.

A fine of up to 10 million euros or 2% of a company's annual sales may be levied for non-compliance with "Privacy by Design" or "Privacy by Default", and 20 million euros or 4% of sales for infringement of individual rights.

These are sanctions that could have a real impact on business operations.

In addition to these administrative sanctions, there may also be criminal penalties, which are likely to be set in accordance with articles 226-16 and 226-24 of the French Penal Code.

In conclusion, and in light of recent scandals such as Facebook - Cambridge Analytica, protecting personal data on the Internet is becoming a real issue, and it was about time it was addressed.

Written by our expert Quentin Moyon
May 11, 2018