Why so much demand for our personal data?

The EU Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) turned three on 25 May 2021. After twelve months of dig­i­tal tools being rolled out on a mas­sive scale due to Covid-19, this anniver­sary is shed­ding new light on the stakes con­nect­ed to pri­va­cy and Euro­pean dig­i­tal sov­er­eign­ty. For France’s Nation­al Com­mis­sion on Infor­mat­ics and Lib­er­ty (CNIL), it’s the per­fect occa­sion to go back over what con­sti­tutes this reg­u­la­to­ry frame­work, what it pro­tects and what pre­cise­ly is in so much demand.

The oil of the 21^st century

First of all, what is “per­son­al data”? It’s not like oth­er data – it con­tains infor­ma­tion that can iden­ti­fy a per­son, like their name, a num­ber con­nect­ed to them, or their dig­i­tal fin­ger­print. It’s often said that per­son­al data is the oil of the 21^st cen­tu­ry but com­par­ing it to “seeds” seems more apt, as this kind of infor­ma­tion is only made valu­able when it’s used in cer­tain ways.

A clas­sic exam­ple is the foot­print left online by inter­net users, which is gath­ered through cook­ies when users nav­i­gate online, or from con­nect­ed objects. Hav­ing accu­rate knowl­edge of numer­ous details (such as the age, loca­tion, taste, pur­chas­ing behav­iour, health con­di­tion, or even ide­o­log­i­cal beliefs) of poten­tial con­sumers is extreme­ly valu­able for com­pa­nies, as it allows them to seg­ment their mar­ket bet­ter. In just a few years, per­son­al data has become a strate­gic finan­cial asset, one that’s par­tic­u­lar­ly entic­ing for GAFAM, as shown by rev­enue from the first quar­ter of 2021 – $23.6bn net prof­it for Apple vs $11.2bn in the same peri­od last year; $17.93bn (vs $6.8bn) for Alpha­bet, Google’s par­ent com­pa­ny; and $9.5bn (vs $4.9bn) for Facebook.

A tool to improve pub­lic pol­i­cy and cri­sis management

How­ev­er, far from only serv­ing com­mer­cial inter­ests, per­son­al data has also proven to be very use­ful for cre­at­ing effi­cient pub­lic pol­i­cy, espe­cial­ly dur­ing the pan­dem­ic. For exam­ple, since the Covid-19 vac­ci­na­tion cam­paign was launched, region­al health agen­cies have had access to infor­ma­tion to track its progress across France. Since Jan­u­ary, the “Vac­cin-Covid” infor­ma­tion sys­tem (devel­oped by France’s pub­lic health­care body, “Assur­ance Mal­adie”) ensures that vac­cines and stages of vac­ci­na­tion are trace­able at a nation­al lev­el, from pre-vac­cine con­sul­ta­tion to injection.

Access to data is a real issue for the EU, which is aware of their depen­den­cy on for­eign sys­tems. They have made con­trol­ling this access a pil­lar of their dig­i­tal sov­er­eign­ty strat­e­gy. Sev­er­al major events in 2020 stand out in this area – the Schrems II judg­ment, hand­ed down by the Court of Jus­tice of the Euro­pean Union last July, which inval­i­dat­ed the Pri­va­cy Shield, under which data could be sent to the US; the com­mit­ment to trans­fer the Health Data Hub to a host that would pre­vent that sen­si­tive data from poten­tial­ly being exposed to access requests that are ille­gal under GDPR; and, final­ly, the Dig­i­tal Gov­er­nance Act, Dig­i­tal Ser­vices Act, Dig­i­tal Mar­kets Act and, in the near future, the Data Act (leg­isla­tive pro­pos­als spear­head­ed by Thier­ry Bre­ton), which aim to update the legal foun­da­tion of the future Euro­pean data economy.

Pro­tect­ing data from cyber-crime

Unsur­pris­ing­ly, access to data is an enor­mous tar­get for cyber­crim­i­nals. Dur­ing the year of lock­down, the French Nation­al Agency for the Secu­ri­ty of Infor­ma­tion Sys­tems (ANSSI) saw a four-fold increase in the num­ber of attacks. While bank­ing and health data are most typ­i­cal­ly tar­get­ed, all data is now vul­ner­a­ble to attack, whether to sim­ply cause trou­ble or as black­mail mate­r­i­al. As for the CNIL, it received near­ly 3,000 noti­fi­ca­tions of data vio­la­tions from com­pa­nies in 2020 under the GDPR, com­pared to 2,300 in 2019.

The role of the GDPR and CNIL in data protection

So, what role should the GDPR and CNIL play in this con­text? GDPR can be seen as part of the EU’s human­ist approach, pro­vid­ing a reg­u­la­to­ry frame­work for per­son­al data on its ter­ri­to­ry with cit­i­zen rights at its heart. It also stan­dard­is­es the oblig­a­tions imposed on pro­fes­sion­als and allows them to devel­op their dig­i­tal activ­i­ty, which is based on the trust of their users. In this way, it is also a cyber­se­cu­ri­ty tool, inex­tri­ca­bly linked to data protection.

As a reg­u­la­tor, the CNIL has four mis­sions: inform­ing peo­ple of their rights and sup­port­ing organ­isms in upgrad­ing their com­pli­ance, and, on the flip­side, auditing/sanctioning them, and mon­i­tor­ing the sec­tor, which allows it to have dis­cus­sions with all parts of the dig­i­tal inno­va­tion ecosys­tem, from researchers to start-ups.

One case study that demon­strates this role is that of online adver­tis­ing. Since 2018, this has been a major sec­tor for com­pli­ance upgrade, with more than 20% of year­ly com­plaints con­nect­ed to mar­ket­ing. With­out wait­ing for the adop­tion of ePri­va­cy reg­u­la­tion [which pro­tects Euro­pean cit­i­zens’ pri­vate com­mu­ni­ca­tions from any inter­fer­ence], the CNIL adopt­ed a prag­mat­ic, mul­ti-stage reg­u­la­to­ry process, in con­sul­ta­tion with the par­ties con­cerned. This result­ed in two fun­da­men­tal reg­u­la­tions regard­ing the use of cook­ies: clar­i­ty of infor­ma­tion and equal ease of accept­ing or refusing.

Anoth­er afore­men­tioned pri­or­i­ty area is cyber­se­cu­ri­ty. Along­side the ini­tia­tives of oth­er play­ers such as ANSSI, the CNIL pro­vides dai­ly sup­port to com­pa­nies for best IT secu­ri­ty prac­tices, which – beyond being manda­to­ry – have become a con­sid­er­able strate­gic asset. On its web­site, many ped­a­gog­i­cal resources are avail­able, such as good remote work­ing habits for indi­vid­u­als and pro­fes­sion­als, in the aim of set­ting up a dig­i­tal cul­ture that’s com­mon to all.

The last exam­ple is that of arti­fi­cial intel­li­gence (AI). The CNIL is very active in this area, on both the legal, IT side of things and the eth­i­cal, for­ward-plan­ning side of things. Every year, it holds the “Avenirs, Inno­va­tions, Rev­o­lu­tions” (Futures, Inno­va­tions, Rev­o­lu­tions) event to dis­cuss soci­etal ques­tions raised by new tech­nolo­gies. This, in turn, gave rise to the report “AI and algo­rithms: allow­ing humans to main­tain con­trol”. It demon­strat­ed the wide range of ques­tions evoked by AI and put for­ward a num­ber of rec­om­men­da­tions, includ­ing the prin­ci­ples of loy­al­ty and vig­i­lance, which are part of a new gen­er­a­tion of guar­an­tees and fun­da­men­tal rights in the dig­i­tal age. The CNIL also pub­lished a method­olog­i­cal con­tri­bu­tion to the com­plex debate around facial recog­ni­tion, as well as its reg­u­lar “Inno­va­tion & Prospec­tive” book­lets, and its new col­lec­tion of offi­cial reports, with the first focus­ing on voice com­mand devices.

In any case, dig­i­tal advances have not only pro­found­ly changed our econ­o­my, but also the organ­i­sa­tion of our soci­eties and polit­i­cal insti­tu­tions. The inter­net is not a place but rather a con­nec­tion, through which data is processed and trans­ferred inter­na­tion­al­ly on a pre­vi­ous­ly unimag­in­able scale. In the end, what’s at stake is the abil­i­ty of coun­tries to enforce com­pli­ance with their laws and rights. In the face of this chal­lenge, the CNIL needs to con­tribute to a com­pre­hen­sive strat­e­gy that affirms dig­i­tal sov­er­eign­ty, both at a nation­al and a Euro­pean level.