Personal data law has expanded rapidly in recent years owing to the growing influence of technology on commerce and daily life. Consumers are increasingly aware of the protection of their data, and businesses must adapt to avoid fines and sanctions by processing this data in accordance with the legislation. In 2018, the European Union introduced the General Data Protection Regulation (GDPR), which is the principal legislation in this field.
What is personal data?
First of all, it is important to note the exact meaning of “personal data” (données personnelles). The text of the GDPR says that this label can refer to any information which could potentially identify a person; examples include a name, an identification number, and location data. This data can be distinguished from non-personal data, which does not identify the subject and is therefore not covered by GDPR rules. Examples of non-personal data include anonymised information such as the number of clicks a link has received.
What does the ‘right to be forgotten’ entail?
The ‘right to be forgotten’ is one of the most prominent and ground-breaking features of the GDPR in terms of the level of data privacy protection it offers. It entitles any data subject (personne concernée) to oblige a data controller (le responsable du traitement des données) to erase (effacer) the subject’s data without any “undue delay” (sans retard injustifié), which generally means within one month. This right is closely linked to the data subject’s entitlement to have access to his or her own personal information. There are a number of circumstances in which the right to be forgotten can be relevant; these include, for example, where the personal data held by an organisation is no longer necessary in light of the purposes for which it was originally collected or processed (traité). There are also some limitations to the right, including circumstances in which the data is being used by an organisation in order to comply with a legal ruling or obligation and so cannot be erased.
What is encryption?
Going beyond this initial aspect, GDPR compliance (conformité) has become particularly relevant in recent years as the world has adapted to teleworking. It has been highlighted that sensitive data controlled or processed by a company should be encrypted (chiffré) both in transit and at rest (en transit et à l’arrêt) in order to provide the highest level of security possible in the event of a data breach (une violation de données). Encryption can be defined as “the procedure that converts clear text into a hashed code (un code haché) using a key (une clé), where the outgoing information only becomes readable (lisible) again by using the correct key”. This has gained importance with the increased use of home offices (bureaux à domicile), where data might not be stored as securely as it is in a traditional office setting.
What is the importance of consent?
A final essential element of the GDPR is consent. In some contexts, organisations and businesses collecting and processing data must obtain the consent of the data subject. Failure to get this consent when it is necessary can lead to heavy fines (amendes), as Google discovered when it was ordered by the French data protection authority to pay €50 million not long after the GDPR entered into force (est entré en vigueur). Consent in this context must be “freely given, specific, informed and unambiguous” (libre, spécifique, éclairée et univoque). A common example of a consent practice which complies with these standards is when a website user, during the process of browsing (navigation), is invited to check a box (cocher une case) in order to consent to subscribe to a company’s newsletter. This action is an affirmative indication of the data subject’s consent for their email address to be used in this way. It can also be accompanied by a link to the company’s privacy policy (la politique de confidentialité) so that the data subject can be informed about how his or her data will be used.
What is the importance of GDPR-related vocabulary?
Today’s lawyers are often required to familiarise themselves with the growing collection of vocabulary linking technology with law. Terms including personal data, data subject, data controller, data processing, data control, encryption, data breach, and privacy policy are frequently used in the wording of legislation, contracts, and other acts and agreements in the digital age. Furthermore, English tends to be the lingua franca of updates and news items in the area, possibly due to the influence of US-established ‘Big Tech’ firms on how data protection law is drafted and interpreted. For this reason and others, it is becoming increasingly important for lawyers of all backgrounds to approach their understanding of data protection law from a multilingual perspective so that they can provide clients with the most comprehensive and up-to-date advice possible in this area.
For more information on our legal English courses: https://lfex.fr/
- Dunlea