The GDPR requires companies to be more transparent about the data processing they carry out. While consumers were used to seeing information at the bottom of personal data collection forms, candidates or suppliers were not used to companies being truly transparent towards them as well. Likewise, companies were not used to being so transparent.
Companies had to identify all their suppliers and service providers in order to agree with them on the distribution of their data protection responsibilities, and undertook to qualify the role of each of their suppliers (subcontractor, joint controller, separate controller), a task much more complex and time-consuming than it seems.
Companies also had to determine precisely the appropriate retention periods for each item of personal data collected. This is one of the most complex issues: it requires a close partnership between the legal and IT teams in order to determine retention periods adapted to the company's obligations and limitation periods. Once retention periods have been determined, they must be effectively implemented in internal processes. This is not easy, because the tools available to companies are not necessarily adapted to the implementation of efficient data wiping or archiving processes.
Finally, companies had to inform and educate all their teams about the challenges related to personal data protection, either through e-learning training, on-site intervention by people specialized in the subject or through written documents.
In any case, the transition was not straightforward for all companies and was harder for some than for others: those who had never done anything since 1978, the date on which the Data Protection Act began to apply, necessarily had more work to do than the others.
Are we moving towards a global regulation?
There is indeed no uniform international regulation. However, a very interesting trend seems to be emerging. The GDPR is becoming a European soft power tool. With no digital giants, unlike China or the United States, the European Union uses the GDPR as an instrument to influence foreign legislation.
In addition, the many data breach scandals that have had a major media impact, such as Cambridge Analytica, Equifax or Uber, have made personal data protection a central issue and concern worldwide.
- In the United States, initiatives to adopt legislation to protect personal data are multiplying with the adoption of laws by many States and recently the adoption of the California Consumer Privacy Act (adopted on June 28, 2018, and effective as of January 1st, 2020).
- Brazil adopted its own data protection regulation on August 14, 2018 (effective February 1st, 2020) to prevent the misuse of personal data and to provide a higher level of confidentiality and security for data subjects.
- China adopted a law on cybersecurity on November 7, 2016 (entered into force on June 1st, 2017), 11 articles of which are devoted to data protection. It also established general principles in December 2017 (entered into force on May 1st, 2018) that appear to be similar to the European approach.
Moreover, several countries have updated their national legislation in order to facilitate discussions with the European Commission for the adoption of an adequacy decision. Indeed, such a decision is taken when the Commission finds that a third country or an international organisation ensures an adequate level of protection in accordance with European principles (Article 45 of the GDPR). For example, this is the case of Japan, for which an adequacy decision was taken on January 25, thereby making data transfers between the countries of the European Union and Japan more fluid.
This will probably not lead to the development of a harmonised global regulation but can contribute to a convergence towards common standards. This confluence will be all the more likely to occur if the GDPR is perceived as a decisive competitive advantage. Indeed, multinationals will want to take advantage of these regulations to differentiate themselves from their competitors. This is the case of Microsoft, which applies the GDPR not only within the EU but also worldwide, in order to differentiate itself from the practices of other GAFAs.
The European model could certainly become a global standard for the protection of personal data. However, at this stage, the proliferation of different laws on personal data protection at the global level is somewhat worrying, because it complicates the task of companies that have to comply with different regulations, which are not always compatible.
What should be the next steps to ensure the privacy of European citizens?
The next step will be to apply the existing rules. Several highly protective provisions, such as those relating to automated decisions or profiling, have never been the subject of judicial decisions. In addition, a more refined interpretation of the GDPR's principles will be required, for instance through updated sectoral codes of conduct (such as in insurance or health), as well as by ensuring their interlinking with advanced technologies (blockchain, homomorphic encryption, anonymization, etc.). The difficulty and the paradox of the self-regulation advocated by the GDPR lie in the legal uncertainty it creates for the most proactive and innovative groups. Indeed, in some cases, the latter cannot be certain that their approach will be validated until they are inspected.