Digital fascinates, digital amazes, but digital also… scares many users! Feelings that must be taken into account by the CEO you are, since one can easily imagine that, from a space of freedom, the digital world may increasingly become a litigious space. A fear no doubt shared by the EU, as demonstrated by the new regulation that will apply in April 2018. So, are you clear about your practices ? Are you aware of what you will need to put in place to avoid claims from internet users / mobile users and being fined ? A reminder of the context and what you need to know!
By mastering the workings of digital too well, any CEO risks cutting themselves off from the “base” : internet users and mobile users. The limited understanding of digital among some users, of what a cookie is, not to mention the poor practices of some players and press headlines that feast on data hacking by hackers, mechanically lead to legal measures… That is, at the very least, what one is led to think when reading the new European regulation that you will have to comply with as of April 2018.
Failure to respect privacy = litigation risks ?
Admittedly, from a space originally of “complete freedom,” digital is at risk, in the short term, of tipping over and becoming a litigious space. A drift that is understandable given how significant the economic stakes are (e-commerce, m-commerce, online media, etc.) and how they sharpen appetites, including among the ill-intentioned who use every lever to make money quickly, such as legislative differences from one country to another, even within the EU, which once again opens the door to abuses (hosting a site on a server abroad makes it possible to circumvent local legislation).
To put proper order in all this, the EU has just established new rules (the previous ones had been set out in a 1995 Directive as well as through a 2008 Framework Decision on the processing of cross-border data for police and judicial cooperation), aimed at harmonizing the law of Union countries. A regulation with which companies will have to comply before May 25, 2018. A regulation that “signals the end of recess” and that should be understood in order to avoid legal trouble.
Citizens take control over digital players !
Thus, from Directives to Framework Decisions, the EU is shifting into a higher gear by enacting a Regulation (2016/679 of the European Parliament and of the Council of 27 April 2016), that is, a text that is binding on all Member States, without any need to amend national legislation. Legislation that puts citizens and their privacy in control of data… a major paradigm shift that CEOs must take on board !
Indeed, as stated on the European Parliament website, this regulation aims to ensure that “companies must design default features and products in such a way as to collect and process as little personal data as possible. The “protection of privacy by design”, and by default, becomes an essential principle and encourages companies to innovate and develop new ideas, methods and technologies for the security and protection of personal data”.
Introduction of a right to compensation for damages !
Among the new provisions directly linked to the privacy of internet users and mobile users, five major elements can be cited:
Better control over the parties holding private data (Article 7), where it is noted that “clear and explicit consent” to data processing must be given actively by the natural person (for example, by ticking a box).
More protection for children (Article 8), which specifies that children (according to an age limit ranging from 13 to 16, an age decided by each Member State) must benefit from a clearer right to be forgotten and be protected against pressure pushing them to share their personal data.
Right to be forgotten (Article 17) which stipulates that if a person asks the company to erase their data, the company must comply and send the request to any third party duplicating the data.
Right to be informed in simple and clear language (Articles 12, 13 and 14), which puts an end to the “small print” concerning the wording of your company’s privacy policy.
Clear limits on the use of profiling (Article 21), which may only be carried out after consent and must not be based solely on automated data processing, but must include an assessment carried out by a human. This is to avoid discriminatory processing.
And above all, it should be emphasized that these provisions are coupled with a right to compensation for damages (material or moral) resulting from a breach of the regulation by the controller or processor… In short, the company is directly targeted.
“Dura lex, sed lex”
In conclusion, this regulation is more restrictive ! Is it fair ? That is a matter of perspective. Must it be complied with ? Once again, it is up to you to judge, but know that failure to comply with these new legal provisions exposes the company to a fine amounting to 2% to 4% of annual global turnover… A figure that does not call for judgment, but very much for action !
Box :
To access the new text : Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
To find your way among the different article references, the Regulation in Dataviz, by the CNIL.
