Almost two years after it entered into force in the EU, the European model of data protection is inspiring legislators around the world but, according to associations, remains insufficiently applied in Europe.
"2020 will be an extraordinary year for data protection", enthuses Trevor Hughes, president of the IAPP. Now with 52,000 members, this international association of privacy professionals has doubled in size in two and a half years and is benefiting from the development of regulations.
Having entered into force in the European Union in May 2018 and been extended in July of the same year to the European Economic Area (which includes Iceland, Norway and Liechtenstein), the General Data Protection Regulation (GDPR) has become "a global standard," says Hughes.
Extraterritorial in scope, the regulation governs the level of protection and the processing of personal data by administrations, companies and associations that are European or that target the European market. It guarantees individuals new rights, including the right to erasure and the right to data portability.
It also serves as a benchmark for validating the level of protection in other countries, which allows personal data to be transferred from Europe to those territories without specific authorization. This was the case in January 2019 with the adequacy decision granted to the Japanese regulations, and it is also the case for Argentina, Switzerland, Israel and New Zealand.
Finally, the principles of the GDPR serve as the basis for new regulations emerging elsewhere in the world. In January 2020, the "California Consumer Privacy Act" (CCPA) notably entered into force in the cradle of the tech giants, the companies hungriest for their users' personal data.
Like the GDPR, this law is meant to guarantee Californians certain rights over their data (how it is collected and used, whether for commercial purposes or not). On the other hand, it targets only commercial companies with revenues over $25 million and creates a framework for selling personal data, whereas Europe considers such data "an attribute of personality" that is in essence non-transferable, explains Sylvain Staub, associate lawyer at DS Avocats and founder of a GDPR compliance assistance company.
- "Do not exaggerate the virtues of the GDPR" -
In the United States, a dozen states have taken or are about to take protective measures, which increases "the chances of seeing a federal law emerge quickly", believes Trevor Hughes. "The question is no longer whether the United States will adopt such a law, but when," he said, maintaining that the political differences on the subject concern only "a few details".
In Canada, regulations are expected to change this year. In Brazil, a General Personal Data Protection Law (LGPD) is due to come into force in August. In India, the government presented in December a first version of a law intended to give the country's 1.3 billion inhabitants more control over the use of their data.
In China, the government has also announced changes for 2020 to its regulations on the use of data, motivated in particular by cybersecurity requirements, despite experts' doubts about its ability to respect its citizens' right to privacy.
According to the economic news site Mlex, more than 120 countries now have a national law for the protection of personal data.
However, "we should not exaggerate the virtues of the GDPR", warns Arthur Messaud, a lawyer with La Quadrature du Net, an association that defends Internet users: the rules "refer a lot of decisions to national judges" and remain "applied extremely loosely" in Europe.
The total of known fines imposed by European countries under the GDPR since its entry into force amounted in early January to just over 114 million euros, "which is quite low given that regulators have the power to distribute fines of up to 4% of sales," according to a report from DLA Piper.
© 2020 AFP