Is the GDPR, which became applicable across the European Union on 25 May 2018, merely an extension of national legislation on the scale of the old continent? To find out, we spoke to Mastaneh Djazayeri, Lawyer / GDPR Compliance, Doctor of Law, Data Protection Officer certified by Bureau VERITAS, at Alpha Conseils Technologies.
The GDPR introduces new EU-wide rules on the protection of personal data by organisations. Previously, data protection was governed by national laws; in France, for example, the Data Protection Act (Loi Informatique et Libertés, LIL) has been in force since 1978.
For Mastaneh Djazayeri, a specialist in the field, the GDPR that is presented to us as a major novelty is, in a way, nothing more than an “extension” of the LIL. To find out more, we went to meet her.
LeBigData.fr: In your view, the GDPR is ultimately only an extension (on a European scale) of the Data Protection Act already in force in France. Can you explain why?
The Data Protection Act of 6 January 1978 has been the cornerstone of personal data protection in our national legislation. It has since undergone a number of legislative changes and developments in response to the evolution of the digital age and of the services offered to users.
A first amendment was made by the law of 6 August 2004 on the protection of individuals with regard to the processing of personal data. Then came the Lemaire law of 7 October 2016 (better known as the Digital Republic Act), which included several provisions anticipating the GDPR, such as portability, the right to be forgotten for minors, informing people of how long their data will be kept, and the possibility of deciding the fate of one's personal data after death.
For its part, the GDPR enshrines and reinforces the key principles of the Data Protection Act and significantly strengthens the rights of citizens by giving them more control over their data.
We cannot strictly say that the GDPR is the Europe-wide extension of the LIL, insofar as each Member State already had personal data protection legislation of its own.
However, the Regulation takes over part of the acquis already present in the Member States' national legislation and adds new provisions. In fact, the very essence of the Data Protection Act remains. It is in this sense that the GDPR complements our legal arsenal and is, in a certain sense, an extension of it.
The main purpose and main advantage of the GDPR is to harmonise European data protection legislation, even if each Member State retains the possibility of adapting or adding national legislation. Moreover, the GDPR contains 54 references to national law, hence the need to keep the Data Protection Act as a legal basis.
LeBigData.fr: What are the differences between the Data Protection Act and the GDPR?
Rather than differences, I would speak of new developments linked to the evolution of modern technologies. One of the fundamental differences lies in the way a controller has to demonstrate compliance.
Under the Data Protection Act, organisations were subject to a regime of prior formalities before processing was carried out, and the supervisory authority had to prove non-compliance.
There is now no prior formality, except in special cases (in particular transfers of personal data to a non-EU country). Companies now have the obligation to keep a register of processing activities and to carry out privacy impact assessments.
Organisations must now prove their compliance to the supervisory authority. With the GDPR, the obligation of “accountability” is imposed on them, i.e. the obligation to put in place processes and internal procedures to demonstrate their level of compliance. In short, under the LIL, organisations were subject to an obligation of means towards the supervisory authority, whereas under the GDPR they are now subject to an obligation of result.
Companies must also integrate privacy by design and privacy by default into their technical and organisational projects, and strengthen their security measures. Another novelty introduced by the GDPR is the notion of joint responsibility. This principle was not addressed in the LIL. Concretely, it is a co-responsibility between the controller and the processor which, in the event of an administrative penalty, makes it possible to apportion the amount of the penalty between the controller and the processor.
In sum, rather than talking about differences between the LIL and the GDPR, it can be said that certain provisions of the GDPR have strengthened our national legislation and harmonised it, on certain points, with European legislation.
LeBigData.fr: What measures should be taken by companies that already comply with the Data Protection Act?
Since the GDPR became applicable on 25 May 2018, companies must take several steps to better protect data. First, they must minimise data collection by collecting only the data necessary for the purpose for which it is collected. Similarly, companies may collect the data subject's consent only for a specific or similar purpose.
In the same logic, companies must be lawful, fair and transparent when collecting the consent of the person whose data is to be collected. They must also inform that person of the rights vested in him or her, such as the rights to erasure, objection and rectification.
Companies must also ensure data accuracy, making sure that the data processed are up to date and deleting or correcting those that are not. They are also responsible for ensuring the security of the data collected, especially sensitive data and data relating to minors and vulnerable persons.
The GDPR also introduces the notion of limited data retention. Companies must now state how long they intend to retain data. If this is not possible, they must estimate it reasonably in relation to the purpose of the processing.
In addition, companies now need to put in place a procedure for managing personal data breaches. As soon as a breach is established, they are required to inform the supervisory authority, or even the data subjects, within 72 hours. If they are unable to do so, they must explain why.
LeBigData.fr: What's new in the LIL 3 bill recently submitted to Parliament?
Law no. 2018-493 of 20 June 2018 on the protection of personal data was promulgated on 20 June 2018 and published in the Official Journal on 21 June. Its purpose is to adapt the law of 6 January 1978 on data processing, data files and individual liberties to European Union law, following the entry into application of the GDPR on 25 May 2018 and of Directive 2016/680 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties.
Rather than repealing the law of 6 January 1978, the legislator chose to incorporate the provisions of the GDPR and the above-mentioned Directive into it. Nevertheless, the amendments made by this law will have to be codified by ordinance into the law of 6 January 1978, in order to provide a legal framework that is more readable for citizens and economic actors.
It is obviously impossible in the time available to address all the provisions of this law. I will confine myself to briefly outlining its main additions.
Title I, on the provisions common to the Regulation and the Directive, deals with the missions and powers of the CNIL. It draws the consequences of replacing the declaration regime and a priori control with an accountability logic (i.e. the principle of making economic actors accountable and placing on them the burden of proving their compliance with the law and regulations).
Thus, section 1 of the law modifies and extends the CNIL's missions. In addition to the mandatory missions (certification, consultation by the presidents of the National Assembly and the Senate, responses to requests to exercise rights) that the Regulation assigns to the CNIL, the law authorises it to take accompanying measures.
So the CNIL can now adopt guidelines, recommendations, reference frameworks, codes of conduct and model regulations (to ensure the security of processing systems and to govern health-data processing). It may also certify persons (and thus data protection officers), products, data systems or procedures, and approve certification bodies.
The CNIL can also make submissions in litigation relating to the application of the Regulation and the law before any court and, lastly, draw up the list of processing operations requiring a prior impact assessment.
Another novelty of this law is the powers granted to the CNIL. These new powers reinforce the a posteriori controls it will have to carry out. From now on, CNIL agents may use a borrowed identity during online checks, so that data controllers can no longer link the agent to the CNIL. In the past, this link was easily detectable from the e-mail address used.
Likewise, the law specifies three cases in which professional secrecy may be invoked against CNIL agents: the relationship between a lawyer and his client, the confidentiality of journalistic sources, and, in certain situations, medical confidentiality.
Amendments have also been made to the LIL concerning health data. Article 9(4) of the GDPR allows Member States to introduce or maintain additional conditions and restrictions on the processing of health data, which are by their very nature sensitive data. In certain cases such data could not be processed, except where the Regulation provided for exceptions.
In this new law, the French legislator has devoted a Chapter IV to health data. Its articles replace the former provisions: the new version of the law sets out a general regime applicable to all health data, together with additional, more specific provisions in the field of research.
LeBigData.fr: Doesn't the LIL 3 law tend to be combined with the Regulation?
Indeed, the new provisions applicable in France tend to be cumulative with those of the Regulation. The inevitable consequence is that they give rise to additional specific obligations depending on the type of processing.
This complicates the task of data controllers, who will have to read the two texts together in order to determine the applicable provisions and thus the legal regime for a given processing operation. This is case-by-case work which will not be easy and will be a source of burden and confusion.
Similarly, the LIL provides a specific regime for data processing carried out in the field of research. Chapter IX now lays down the principle of prior authorisation of such processing by the CNIL, unless model regulations, reference frameworks or reference methodologies exist, in which case compliance with the law can be achieved through a commitment to comply with them.
The whole issue will be to check whether a processing operation has a research purpose or not, since the two regimes differ. It should be noted, however, that a certain number of processing operations are excluded from the scope of the new provisions of the LIL and its Chapter IX.
Also in Title I of the law, with regard to the processing of sensitive data, the legislator has added biometric and genetic data. In principle, these two categories of data may not be processed, as provided for in the GDPR.
However, the law created an exemption for employers, enabling them to continue processing this category of data for the purposes of controlling access to workplaces and to the devices and applications used in the course of the tasks entrusted to employees.
In the field of processing so-called sensitive health data, the major difficulty lies in the articulation between the GDPR and the LIL. It will now be essential to analyse each situation and each processing operation or category of processing in the light of the two texts mentioned above.
In conclusion, we have to wait for the current legal framework to be completed by the ordinance announced within the next six months, together with the implementing decrees. At the same time, the CNIL will have to publish the reference frameworks and model regulations mentioned above, which will be particularly valuable indicators both of the level of compliance required for each category of processing and of the significant simplification of the formalities incumbent on data controllers.
LeBigData.fr: This bill has been strongly criticised by many members of ACSEL as contradicting the GDPR. What do you think of it? Are these criticisms justified?
One of the main criticisms of ACSEL's members concerns the approximate and provisional nature of this legislation. The draft law on the protection of personal data was passed under an accelerated procedure, so the legislator did not take the time to reflect on how to transpose the provisions of the GDPR into our national legislation.
This is the main concern of ACSEL's members. In many respects they consider that this law, which transposes the provisions of the GDPR, contradicts the European Regulation on several points.
Articles 2 and 3 of the current law contradict Article 4 of the GDPR, which gives a more explicit definition of personal data. As regards the definition of processing, the Regulation uses the terms “structuring” and “restriction”, whereas the law speaks of “blocking”. Moreover, the law ignores the concept of joint controller, which is one of the major innovations of the GDPR.
Likewise, the territorial scope of application bears no relation to that of Article 5 of the law of 6 January 1978, which has been maintained. That article refers to the target audience principle, whereas the Regulation applies to controllers, whether or not established in the EU, from the moment they offer goods or services, with or without payment, to persons in one of the EU Member States. Finally, the bill completely disregards the principle of accountability, which is another of the GDPR's innovations relating to corporate responsibility.
In conclusion, their criticisms may be legitimate in some respects, insofar as they currently have only a provisional legislative arsenal, pending an ordinance due within six months of the enactment of the law, while the ratifying law itself will have to be adopted within six months of the adoption of the ordinance. What a long wait to reach a final law, and how difficult for economic actors to implement it in practice.
For the time being, this new version of the law will have a reduced legislative lifespan of only 12 months, with all the implementation complications this will generate for economic operators and the compliance obligations that the new Regulation now requires of them.
As a result, data controllers will have to make do with the provisional legal arsenal and be particularly vigilant in its day-to-day implementation. They must also ensure that they carry out a case-by-case study of the processing operations implemented and the applicable provisions. All this seriously complicates their tasks and makes them time-consuming.
For advice or information on the protection of personal data and the legislation in force, you can contact Mastaneh Djazayeri of Alpha Conseils at the following address [email protected]