The GDPR: origin, rationale and key principles Between record GDPR sanctions and various legal debates around controversial legislation, it’s hard to deny that the GDPR has not, at the very least, shaken things up.
But why was the GDPR implemented and why does it seem to be so successful?
What is at stake?
In an over-connected world, in which data is multiplying at a frantic pace, the issues of personal data protection take on their full meaning. But then why the GDPR?
Outdated by the evolution of the technological standards involved in personal data, the old European directives on privacy protection are no longer sufficient.
The different ways in which they are applied in national laws and the particularly weak sanctions they carry, make it impossible for them to be heard and to ensure the proper processing of personal data.
In view of the extent to which the use of our data, their collection and transfer are becoming economically useful for companies, a clear European regulation has become essential.
Marketing, advertising, human resources, management, organization, security… big data is everywhere. The observation is simple: we no longer know what is done with our data, nor why, nor by whom. Worse, our very decisions escape us, since we are profiled in an ever more precise way. Consent, which should be the basis of most processing, is too often not respected, as well as the rights and freedoms of individuals.
GDPR, or the biggest lobbying campaign of the European Union
A single, European framework with strong sanctions became essential. The General Data Protection Regulation, or GDPR, came into force on May 25, 2018, a text that, given the economic stakes (GAFA, etc.), was the subject of the biggest lobbying campaign in the European Union.
The GDPR does not hinder innovation, quite the contrary
Why the GDPR?
The idea behind the GDPR is not to prohibit or prevent companies from implementing technological developments related to data. On the contrary, it is about making them responsible, in order to protect the rights and freedoms of individuals and interests of all.
Everything is possible, as long as the necessary measures are put in place:
- transparency towards individuals when data is processed (notably concerning their purposes, why the data is collected & processed)
- security and confidentiality of their data, analysis and documentation of the reasons for and limits of the processing implemented
- accountability of the subcontractors by the principals
This new regulation obliges companies to comply with the GDPR and to designate a personal data protection officer within their team.
Under the scrutiny of the supervisory authorities, the CNIL in France now has enhanced auditing powers and the possibility of imposing fines of up to 2 to 4% of the company’s worldwide annual turnover. One objective of the GDPR with these fines is to encourage all companies to comply.
What are the GDPR penalties?
The main reason why the GDPR is today a real success – in terms of communication and awareness by companies – is the amount of sanctions it provides. For example, under the previous French legislation, administrative sanctions for violations of the rules on personal data protection could not exceed 150,000€, doubled in case of recidivism.
The authority in question still had to have the necessary investigative power to carry out investigations.
This is a trifle for some companies whose activity is based on data, and who make colossal profits.
With the GDPR, we change universe and we come closer to the record fines imposed by the authorities in competition law. (abuse of dominant position and illicit agreements for example). The GDPR penalty adapts, since it is expressed by a maximum rate:
- 2% of the company’s worldwide annual turnover for the least serious infringements
- 4% for the most serious infringements
In reality, there are several types of GDPR sanctions.
GDPR Sanctions: Formal notice
The GDPR provides that each Member State designates a supervisory authority, responsible for its practical application on its territory. Following a complaint from a data subject to this authority or a spontaneous control, the authority may initiate a control during which it has several binding powers:
- on-the-spot and documentary audits
- production of documents
- testimony …
At the end of its investigation, this authority will have the possibility to give formal notice and to order the controlled entity to implement certain compliance measures:
- implementation of security measures
- suspension or termination of processing
- deletion of data
Administrative pecuniary sanctions under the GDPR
If a corrective measure is not sufficient and the supervisory authority deems it necessary to impose a financial penalty on the entity in question on the basis of the GDPR. In order to assess the amount of the penalty, various criteria are provided for by the GDPR and the guidelines of the European authorities.
Among these criteria are taken into account in particular:
- the number of persons concerned
- the duration of the breach
- the degree of knowledge that the entity had of the breach
- the entity’s collaboration with the supervisory authority
- the sensitivity of the data (sensitive data)
This GDPR penalty may amount, in the most serious cases, to €20,000,000 or 4% of the entity’s worldwide annual turnover, whichever is higher. There are of course remedies against these sanctions.
These sanctions are therefore very variable. For example, the french supervisitory authority could sanction Google up to 50.000.000€ or a real estate development company up to 400.000€ for failure to secure tenants’ data.
Judicial GDPR sanctions
The GDPR is a text applied and sanctioned by the administrative control authorities, but also, like any legal text, by the ordinary courts. Indeed, if an individual or a group of individuals (within the framework of a group action, specifically provided for the protection of personal data) considers himself harmed because of a breach of the GDPR, he will be able to seek redress before the courts.
When several companies have been involved in the same data processing that is harmful to an individual, either as a controller or as a processor, the GDPR protects the individual above all.
The companies will indeed bear joint and several liability towards the data subject: the latter may have his or her damage fully compensated by one or the other company, regardless of the respective degrees of participation in the damage. The final allocation of responsibilities will be made at a later stage, between the companies.