The General Data Protection Regulation (GDPR)

Applicable as of May 25, 2018, a new European regulation, the General Data Protection Regulation (GDPR), stipulates how personal data can (or cannot) be processed. It is a text that proposes several interesting provisions designed to protect our private sphere on the Internet. Lionel Maurel, a lawyer by training, public librarian at the University of Paris Lumières and a member of the association ‘Quadrature du Net’ [squaring the net], gave a lecture at UTC on this subject. He deciphers the main challenges of this new piece of European legislation.

How does one define 'personal data'?

Personal data refers to all and any information that enables an identification of an individual: which can be one’s name, opinions, social security number, bank account N°, one’s PC IP address, eye-iris prints, finger prints or a photo … As of 1978, France pioneered information protection with its law called the “EDP and Freedom Act”. As public services became more and more computerized, the aim of this law was to prevent personal data files being drawn up by the State authorities. Since the 1990s, certain principles underpinning this French law have been incorporated in European directives. The GDPR unifies and reinforces these provisions.

To what extent does the GDPR regulation signal an important step forward?

Before GDPR, it was fairly easy for non-European companies to bypass the then existing legislation. From now on, the processing of personal data appertaining to European citizens, no matter the agent doing so, must comply with this regulation. It constitutes a “first ever” on a global scale. It took over two years of debate in the European Parliament to achieve this result. The Google, Facebook… lobby put up an intense attempt to block GDPR legislation, but civil society prevailed.

What are the main areas of progress you see, in terms of user protection?

This new legal framework contains some very important provisions, such as the need to secure free and informed consent from those concerned. This means that for the collecting, analysis and exchange of personal data, the companies (or institutions) who do so must firstly (and in most cases) obtain express consent. For example, simple consultation of an Internet page can no longer be seen as tacit consent to receiving cookies. It is henceforth illegal to make the use of personal data a condition of accessing a service. It must remain possible to set various options and levels of confidentiality. The default position here must correspond to the least accessible configuration in regard to one’s personal data. Functions such as the face recognition proposed by Facebook when a profile is opened cannot be activated automatically.

What part of this domain should receive special attention and in-depth investigation?

The GDPR demands that data must be used in a clearly defined manner, justified by service needs and transparent as seen from the user’s view. Storing data with no specific purpose will not be allowed. However, there may be exceptions such as “legitimate interests”. This is a measure that relates to the connection data needed to ensure security with identifiers/passwords. But nonetheless, one must remain vigilant. There is a fuzziness in the concept such that the door is ajar for abuse by market agents. Agents whose economic business model relies on advertising data files could easily raise the issue of the survival of their services.

What sanctions can be taken if noncompliance is noted?

To date, the sanctions the CNIL could hand down were limited. As of now, with GDPR, the limit is up to 4% of an offender’s annual turnover, which is no symbolic value, especially for the ‘giants of the Internet’. Before this, individual legal action had to be taken against the major companies. Now, joint legal action, or ‘class action’ as it is called, is permissible. The association ‘Quadrature du net’ has launched several legal complaints against the GAFAMI (Google, Apple, Facebook, Amazon, Microsoft, IBM) and several thousand persons have subscribed to these actions in court.

Lionel Maurel – lecture (in French) « Données personnelles et vie privée; ce qui va changer avec le RGPD» on