The Facebook - Cambridge Analytica affair has just raised awareness among the broader public worldwide of the risks related to the improper use of anyone's personal data.
At a time when computers and the internet are everywhere in our daily lives, both at work and in private, the protection of personal data becomes particularly apposite. The governing legal framework clearly needs to be modernised in the light of new technologies and new means of communication, and the uses of personal data that they make possible.
GDPR: a highly directive regulation
On 25 May, the European regulation of 27 April 2016 concerning the protection of natural persons with regard to the processing of personal data and the free circulation of those data (the GDPR) will come into effect. The regulation will be directly enforceable in the member states of the European Union. Although it is a European regulation, two considerations of a general nature should be kept in mind. The first concerns the fact that it is de facto a “quasi-directive”, with a good deal of latitude being left to the discretion of legislators in the member states to take additional measures in certain fields such as medical research. The second consideration concerns the extra-territorial reach of the GDPR, whose directive nature will inevitably encroach upon the applicable legislation in this field in the Principality.
This will be the case in the following scenarios (non-exhaustive list):
- A Monegasque entity owns an establishment in a member state,
- A Monegasque entity processes personal data – even occasionally – in a member state,
- A Monegasque entity offers goods or services through an internet site targeting a market in the European Union,
- A Monegasque entity carries out profiling of natural persons within a member state for the purpose of taking decisions about them, analysing or predicting their attitudes, behaviour and preferences, and
- A Monegasque entity processes personal data on behalf of a third party that itself falls under the scope of application of the GDPR.
A new approach to the protection of personal data
The GDPR embraces the notion that personal data should be considered from a legal point of view as an attribute of personality, and under no circumstances as an object that could potentially be subject to any property rights. Furthermore, the GDPR also states, for all parties that may have knowledge of, process or retain personal data, the principle of informational self-determination, in order, on the one hand, to reinforce the fundamental rights of citizens as we enter the digital era and, on the other, to move towards the setting up of a single digital market.
New rights
The GDPR also includes the revival of certain rights such as the reinforcement of the right to information, the right of access to information, the right to delete data, the right to oppose further processing, the right to rectify personal data and the proportionality of processing. In addition to these rights, new rights are included, such as the portability of data, limitation of data, recourse against the regulatory authority, group actions and the right to “digital oblivion”.
New ethics
However, the philosophy underlying the GDPR is a move towards a form of self-regulation that would replace the previous formalities. Within this framework, new obligations will have to be fulfilled, such as the setting up of Privacy by design or Privacy by default, the appointment of a data protection representative, the declaration, where appropriate, of a security breach, and joint liability.
The scope and reach of the guiding principles that frame the GDPR will be analysed as we work with it in the European Union and the Principality.