The EU General Data Protection Regulation (GDPR) turned three on 25 May 2021. After twelve months of digital tools being rolled out on a massive scale due to Covid-19, this anniversary is shedding new light on the stakes connected to privacy and European digital sovereignty. For France’s National Commission on Informatics and Liberty (CNIL), it’s the perfect occasion to go back over what constitutes this regulatory framework, what it protects and what precisely is in so much demand.
The oil of the 21st century
First of all, what is “personal data”? It’s not like other data – it contains information that can identify a person, like their name, a number connected to them, or their digital fingerprint. It’s often said that personal data is the oil of the 21st century but comparing it to “seeds” seems more apt, as this kind of information is only made valuable when it’s used in certain ways.
A classic example is the footprint left online by internet users, which is gathered through cookies as they browse, or from connected objects. Having accurate knowledge of numerous details about potential consumers (such as their age, location, tastes, purchasing behaviour, health condition, or even ideological beliefs) is extremely valuable for companies, as it allows them to segment their market better. In just a few years, personal data has become a strategic financial asset, one that’s particularly enticing for GAFAM, as shown by revenue from the first quarter of 2021 – $23.6bn net profit for Apple vs $11.2bn in the same period last year; $17.93bn (vs $6.8bn) for Alphabet, Google’s parent company; and $9.5bn (vs $4.9bn) for Facebook.
A tool to improve public policy and crisis management
However, far from only serving commercial interests, personal data has also proven to be very useful for creating efficient public policy, especially during the pandemic. For example, since the Covid-19 vaccination campaign was launched, regional health agencies have had access to information to track its progress across France. Since January, the “Vaccin-Covid” information system (developed by France’s public healthcare body, “Assurance Maladie”) has ensured that vaccines and stages of vaccination are traceable at a national level, from pre-vaccination consultation to injection.
Access to data is a real issue for the EU, which is aware of its dependency on foreign systems and has made controlling this access a pillar of its digital sovereignty strategy. Several major events in 2020 stand out in this area: the Schrems II judgment, handed down by the Court of Justice of the European Union last July, which invalidated the Privacy Shield, under which data could be sent to the US; the commitment to transfer the Health Data Hub to a host that would prevent that sensitive data from potentially being exposed to access requests that are illegal under GDPR; and, finally, the Digital Governance Act, Digital Services Act, Digital Markets Act and, in the near future, the Data Act (legislative proposals spearheaded by Thierry Breton), which aim to update the legal foundation of the future European data economy.
Protecting data from cyber-crime
Unsurprisingly, access to data is an enormous target for cybercriminals. During the year of lockdown, the French National Agency for the Security of Information Systems (ANSSI) saw a four-fold increase in the number of attacks. While banking and health data are most typically targeted, all data is now vulnerable to attack, whether simply to cause disruption or to serve as blackmail material. As for the CNIL, it received nearly 3,000 notifications of personal data breaches from companies in 2020 under the GDPR, compared to 2,300 in 2019.
The role of the GDPR and CNIL in data protection
So, what role should the GDPR and CNIL play in this context? GDPR can be seen as part of the EU’s humanist approach, providing a regulatory framework for personal data on its territory with citizen rights at its heart. It also standardises the obligations imposed on professionals and allows them to develop their digital activity, which is based on the trust of their users. In this way, it is also a cybersecurity tool, inextricably linked to data protection.
As a regulator, the CNIL has four missions: informing people of their rights and supporting organisations in upgrading their compliance, and, on the flipside, auditing and sanctioning them, and monitoring the sector, which allows it to engage with all parts of the digital innovation ecosystem, from researchers to start-ups.
One case study that demonstrates this role is that of online advertising. Since 2018, this has been a major sector for compliance work, with more than 20% of yearly complaints connected to marketing. Without waiting for the adoption of the ePrivacy regulation [which protects European citizens’ private communications from any interference], the CNIL adopted a pragmatic, multi-stage regulatory process, in consultation with the parties concerned. This resulted in two fundamental rules regarding the use of cookies: clear information for users, and making it as easy to refuse cookies as to accept them.
Another aforementioned priority area is cybersecurity. Alongside the initiatives of other players such as ANSSI, the CNIL provides daily support to companies on IT security best practices, which, beyond being mandatory, have become a considerable strategic asset. Its website offers many educational resources, such as good remote-working practices for individuals and professionals, with the aim of building a digital culture that is common to all.
The last example is that of artificial intelligence (AI). The CNIL is very active in this area, both on the legal and IT side and on the ethical, forward-planning side. Every year, it holds the “Avenirs, Innovations, Revolutions” (Futures, Innovations, Revolutions) event to discuss societal questions raised by new technologies. This, in turn, gave rise to the report “AI and algorithms: allowing humans to maintain control”. It demonstrated the wide range of questions raised by AI and put forward a number of recommendations, including the principles of loyalty and vigilance, which are part of a new generation of guarantees and fundamental rights in the digital age. The CNIL also published a methodological contribution to the complex debate around facial recognition, as well as its regular “Innovation & Prospective” booklets, and its new collection of official reports, the first of which focuses on voice command devices.
In any case, digital advances have not only profoundly changed our economy, but also the organisation of our societies and political institutions. The internet is not a place but rather a connection, through which data is processed and transferred internationally on a previously unimaginable scale. In the end, what’s at stake is the ability of countries to enforce compliance with their laws and rights. In the face of this challenge, the CNIL needs to contribute to a comprehensive strategy that affirms digital sovereignty, both at a national and a European level.