Data protection in full swing

Legal Watch No. 20 – February 10, 2020

Here is what we take away from the first weeks of this new year, which saw numerous debates around several significant events:

  • International Data Protection Day on January 28,
  • The international data protection conference organized the previous week in Brussels by the academic sector, and
  • The International Cybersecurity Forum in Lille in the last days of January.

February will not be left out, with the "intensive data protection" conference in Paris organized by the International Association of DPOs (IAPP).

Among the many topics covered, two stand out: the intensification of debates around facial recognition, and the specific situation of VSEs and SMEs with regard to the GDPR.

Facial recognition in question

What lit the fuse at the end of January was the hypothesis, put forward in a white paper by the European Commission, of a moratorium on facial recognition in public places.

This document, at the draft stage, was not intended for distribution, and the Commission has since announced that it is abandoning the possibility of a moratorium and is prioritizing other avenues of regulation.

The Commission will present its paper on artificial intelligence on February 19.

The idea of regulating more strictly, or even banning, the automatic recognition of people in certain places, is making its way among regulators as well as in the private and public sectors and even beyond Europe.

The European Data Protection Supervisor (EDPS) and the Data Protection Commissioner of the Council of Europe, among others, have spoken out on this subject.

The European Data Protection Board (EDPB) also addresses the issue in its latest guidelines adopted at the end of January.

More and more cities, such as San Francisco and Cambridge, have banned this technology from their public spaces.

The potential uses of data create such uncertainty that tech giants like Microsoft are also calling for greater clarity.

Among the arguments put forward, we note in particular the risks of discrimination based on ethnic origin and other biases leading to too many “false positives”.

The prospect of a public space under total surveillance also raises questions in light of current data collection possibilities: one example is the database of Clearview, the company that stores faces accessible on all social networks to sell them to law enforcement in the United States, and which made headlines at the beginning of this year.

The international dimension of the problem also deserves to be highlighted.

This is evidenced by the recent parliamentary question at European level concerning the "Safe City" project developed in Serbia, based on Chinese facial recognition technology. 

The situation of VSEs and SMEs

The debates that took place during the various events in January highlighted the main challenges faced by (very) small and medium-sized enterprises.

Although they represent the largest part of the European economy, they are the least equipped when it comes to the security of their IT platform, use of the cloud, outsourcing and the use of self-assessment tools (audits).

Faced with these questions, several initiatives have seen the light of day. 

ENISA (the European Union Cybersecurity Agency) launched an online platform on January 28 to help businesses, particularly SMEs, secure their data.

There are also two initiatives aimed at helping website developers: the CNIL guide and that of the EDRi organization both aim to support the development of sites in compliance with the GDPR.

While choosing a secure (and ideally European) cloud remains complex, it's worth noting the efforts of European regulators in this regard. Microsoft, for example, has just modified the contractual conditions of Office 365 under pressure from the EDPS and the Netherlands, in order to bring them into compliance with the GDPR.

And also:

In France:

As announced, the CNIL published on January 14, 2020 a draft recommendation concerning the use of cookies and other trackers.

It aims to clarify the conditions for obtaining consent and includes concrete examples of notices to Internet users. The text is open for consultation until February 25.

In Europe:

The United Kingdom's exit from the European Union will have consequences for data transfers.

There will nevertheless be no change during the year 2020, a transition year during which the European Commission will assess the level of protection offered by the United Kingdom in order to adopt a possible adequacy decision. 

The press releases from the ICO (British supervisory authority) and the CNIL specify these elements.

International:

  • United States: Following the entry into force at the beginning of 2020 of the California Consumer Privacy Act, it is Washington State's turn to prepare a privacy bill.
  • Indonesia: a data protection law was tabled in parliament on January 28. Its latest version dated December 6, 2019, heavily inspired by the GDPR, applies to the public and private sectors.

As a reminder, the list of countries whose laws are considered adequate by the European Union, thus facilitating data transfers to these countries, is available here.

  • Andorra,
  • Argentina,
  • Canada (commercial organizations),
  • Faroe Islands,
  • Guernsey,
  • Israel,
  • Isle of Man,
  • Japan,
  • Jersey,
  • New Zealand,
  • Switzerland,
  • Uruguay, and
  • the United States of America (limited to the Privacy Shield framework)

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
