It has now been more than two years since the new European data protection regulation (the GDPR) came into force, and with some hindsight, the results are mixed. Even if we have to acknowledge the effort to harmonize the protection and privacy of European citizens, the concrete impact on our daily lives, at a personal and professional level, remains moderate. Yes, almost every website now shows at least one (if not several) pop-ups about its cookie policy or tracking consent, and yes, companies have taken initiatives to start their compliance journey. But is it enough, compared to the initial ambition?
Two years later, 90% of websites are still not fully GDPR compliant. In 2019, compared to 2018, we observed a moderate 12% increase in complaints linked to data protection topics. In mid-2019, one year after GDPR enforcement began, some European countries were still working on aligning their national laws with the new standards, and others are still recruiting and training qualified staff to perform audits, controls etc. On a more positive note, the traditional EU locomotives (Germany, France) are already well structured, and their respective national data protection authorities (BFI and CNIL) are fully operational.
More importantly, we have seen the first visible impacts: a 50M€ fine imposed on Google by the French authority (CNIL) in early 2019, a 28M€ fine imposed on the Italian telco operator TIM by the Italian authority (Garante)... Numbers usually speak more clearly than complex legal procedures, and a majority of European data protection authorities are now flexing their muscles by imposing massive fines on big companies, in Europe and overseas, essentially to mark their territory. Will these companies pay these fines? Probably not, or at least not the full amount, but the symbol and the message are powerful.
The COVID-19 blast put data protection aside, just for a moment
Overall, even if in scattered order, EU countries are steadily making progress in their data protection approaches. However, the sudden COVID-19 crisis that appeared earlier this year forced many actors, at every level (from governments to very small companies), to completely switch priorities and first of all face the brutal and immediate consequences: the shutdown of many economic activities, overcrowded hospitals, unemployment, lockdowns... GDPR and data protection were not a priority for some months, which is perfectly understandable.
Nevertheless, once the initial blast had been absorbed and countries were trying to structure their strategies to stem the pandemic, the data protection topic quickly resurfaced. The main reason is that, in their arsenal to mitigate the spread of the virus, many countries decided to use data-based tools to track the evolution of cases and clusters, ultimately to be able to take quick and local action if needed. The most visible example is the contact tracing applications several countries have deployed (or are about to deploy): Corona Warn-App in Germany, StopCovid in France, Immuni in Italy etc.
These mobile applications, heavily promoted by governments and health representatives, use the users' location data and history to monitor whether they were, or are, in close contact with a person infected with COVID-19. This implies that, in addition to regular personal data (name, phone number, real-time location), the application needs access to medical / health record information to be effective, data considered sensitive under the GDPR. And this is when voices from data protection professionals started to rise again: Where is this data stored? Who can access it? For how long is it kept in a database?
Emergency, public health protection and GDPR
When the crisis erupted in Europe around March 2020, and the first lockdown measures were announced, these applications weren't even theoretical. In just 3 or 4 months, they were a reality in some countries. Was that enough time to launch such a sensitive tool at a national scale? Probably not, but the emergency dictated a quick response, in the name of public health protection. The questions above, essential to debate even before designing the application's framework, were set aside in order to deliver operational tools quickly.
The EDPB (European Data Protection Board) made a statement to that effect at the beginning of the crisis, explaining that, in order to protect public health, public institutions were authorized to process medical data without the consent of the data subjects. Indeed, the GDPR includes specific cases in which its key principles (including consent and lawful and transparent processing, among others) can be softened for criminal or health matters. The EDPB also addressed location tracking data, explaining that governments were authorized to enact laws allowing the processing of such data in an anonymized form.
Nevertheless, even if the legal framework wasn't a fundamental issue, national authorities have been careful about the design and deployment of these tracing tools, multiplying communications, official statements and sometimes warnings to protect the integrity of the GDPR despite the emergency. In Belgium for example, the DPA (Data Protection Authority) published on April 30 a report giving its strict recommendations for the future Belgian tracing application (which should be deployed in September 2020). Overall, national authorities are playing their watchdog role, and despite the confusion and the emergency, they have so far managed to keep good control of the situation.
A good opportunity to reinforce the GDPR philosophy
When the GDPR came into force in May 2018, it quickly became obvious that the road to compliance would be long and bumpy. No one anticipated the major health crisis we are now facing, let alone the probable economic crisis to come. National authorities have been quite reactive, quickly issuing statements and recommendations to reconcile, as best they can, the fight against the pandemic with the protection of personal data. The equilibrium is fragile, and adjustments are still being made.
From that chaotic situation a lot of discussion and debate around personal data protection is emerging, and we need to acknowledge that it can (should?) be a great opportunity to communicate about it, and even to reinforce the spirit of the law. If the GDPR was a distant concept for many people, COVID tracing tools will probably affect a majority of EU citizens at some point, and concrete day-to-day examples are the best way to demonstrate the real impact it can have on everyone. The GDPR was originally designed to protect the privacy of EU citizens, and if the legal equation sometimes seems difficult to reconcile with a health emergency on the ground, greater awareness of our privacy rights would be a great achievement. And in these troubled days, that's already a victory.
Autorité de Protection des Données