Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR) will apply from 25 May 2018.
This regulation, which is directly applicable in EU member states, will enable harmonization, but the fact that it includes close to fifty references to national legislation implies that national laws will still not be identical.
Monegasque companies have rightly raised the question of its implications for Monaco.
Article 3 of the Regulation, on its territorial scope, defines alternative establishment and targeting criteria for both controllers and processors, giving it a clearly extraterritorial dimension.
For example, the GDPR could apply to a Monegasque company which hosts personal data for a French company, in its capacity as a processor for an EU-based company.
Based on its targeting criteria, the GDPR could also apply to a Monegasque company that sells products or services to French or Italian customers through a website, since it offers goods or services to persons in the European Union.
While work on modifying Law no. 1.165 of 23 December 1993 on the protection of personal information to bring it into compliance with the GDPR is currently under way, certain companies could, until this modification takes effect, be subject to both Monegasque Law No. 1.165 and the GDPR.
There is, however, some good news for Monegasque companies.
The formalities they have already completed should provide much of the material for their “processing records” and “impact analyses” when those obligations apply.
Furthermore, in exchange for their increased responsibilities, they will enjoy a significantly lighter administrative workload.
And while the GDPR has often been presented as a nightmare due to the high sanctions it imposes (up to 4% of global sales), it does not imply a paradigm shift in terms of the approach to personal data protection.
In fact, it mainly confirms or enhances notions which were already present in Law No. 1.165 of 23 December 1993, including the principles of purpose, proportionality, lawfulness, and quality and security of personal data processing.
The Commission for Control of Personal Information (CCIN) plans to publish an online FAQ (Frequently Asked Questions) section on its website in the near future, so that even before Law No. 1.165 is modified, controllers can get to know the key principles of the GDPR and the new obligations it imposes.
This shift should therefore be seen as an opportunity to offer a healthy, competitive base for innovation rather than as a constraint.
We have ample reason to believe that any sustainable innovation model based on the data market must be designed with a high level of personal data protection.