The deadline of 25 May has passed. The General Data Protection Regulation is henceforth applicable in the 28 Member States of the European Union but it also applies to external players who want to comply with protective provisions. On 21 June, the Parliamentary Agora@ of the FIC (International Cybersecurity Forum) was the opportunity to discuss the implications of compliance for local authorities that collect, store and process a very large quantity of personal data and who don’t always have the material capacity to deal with these new requirements. Let’s think of the 27,000 small municipalities with less than 1,000 inhabitants who administer 9% of the French population. Municipalities of less than 10,000 inhabitants (about 35,000 of them) make up over 50% of the population in France. GDPR is not only an issue for companies, as it is often thought!
To a certain extent, the regulation has an extra-territorial dimension. European legislation is following a sovereignty approach, starting with the sovereignty of individuals on their personal data. It should be noted that the American CLOUD Act came into effect at the same time. It requires American companies that store data, including outside of the United States, to deliver them to the authorities, bypassing the Mutual Legal Assistance Treaties (MLAT), except where there is a conflict between national legislations. Europe is responding with an ‘E-evidence’ regulation it will soon legislate on. The data battle has started or, more precisely, is intensifying.
For now, in France, the law on personal data protection of 21st June 2018 has just been promulgated after it was declared in keeping with the Constitution (resolution 2018-765 DC of 12 June 2018), except for the provisions related to criminal sanctions and safety measures that do not call into question the general scope of the text. The failure of the Joint Committee and the referral to the Constitutional Council explain the delay in complying with the 25 May deadline. While this is complying with established procedures, it sends the wrong signal at a time when France aims to contribute to the development of a digital Europe. Digital transformation occurs at an accelerating pace. Our procedures should be adapted to this new dynamic. This is perhaps the lesson to be drawn. Political life and administrative proceedings should also be ‘reformatted’.