GDPR: Same, Same But Different…


On 25 May this year, the General Data Protection Regulation (GDPR) came into force. This moment has been the focus of a large amount of attention, especially in terms of its scope and comprehensive obligations, which overstrain small businesses in particular.

However, after thousands of data protection declarations from different companies have been put online, it still does not seem clear which obligations the GDPR exactly provides and if there are other regulations that still need to be observed.

I. Interaction of different regulations

People and companies in France are confronted with a combination of different regulations whose application and interaction is not easy to understand.

The new data protection law consists of a European Directive (Directive EU 2016/680), a Regulation and a national French law. To apply only one of these, the European texts as “superior rule of law” law or the French law as “more specific”, would be a mistake.

In fact, the new data protection law is a good example of the articulation between national and European law and the legislation of the European Union within its competences. The European Union can legislate if the competences in this matter have been transferred to it by the member states. Depending on the competence concerned, it can enact a directive or a regulation.

A regulation is directly applicable in the Member States without an act of transposition and can only be enacted on the basis of an absolute competence of the EU. A directive requires a state transposing act. Here, the EU has a significantly weaker competence and can only enact framework rules that are individually specified by the Member States.

Therefore, the European Data Protection Directive only concerns the “processing of personal data by competent authorities”, whereas the Regulation generally concerns the “processing of personal data” and the “free movement of such data” and is therefore directly applicable to anyone who processes the data of an EU citizen.

It is complicated at the point where the Regulation accords a margin of discretion to Member States, in which they can take alternative regulations on their own.

The purpose of French law now is to reconcile the various existing regulations. However, the French legislator chose a very complicated way of adapting the old law to the new legal situation instead of repealing it.

II. Decision of the French Constitutional Court (Conseil Constitutionnel) and implementation of the law: First revision of the data protection declarations required?

Before the GDPR took effect, the directive also had to be transposed into national law. In France, this was supposed to happen with the adaptation of the “Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés”.The Parliament drafted a law on May 14th. However,  it was challenged in front of the Constitutional Court. After its decision, the law came into force one month late on June 20th 2018.

In contrast to the plans of the EU and the French legislator, the new data protection law did entirely come into force on May 25th. The French law, especially the part that incorporates the specific aspects and derogations of the French legislator, since it transposes both the Directive and the discretionary powers accorded by the GDPR into French law, has therefore only recently entered into force. Does this mean that companies will have to change their data protection declarations for the first time and adapt them to the new law?

As far as the directive is concerned, this is not the case. The Directive refers exclusively to data processing by the competent authorities, not by private individuals.

Concerning the Regulation, it is a little more complicated. Initially, the French legislator promised to make as little use as possible of the discretionary powers granted by the GDPR in order not to jeopardize uniform application within the EU. He mostly kept that promise.

There was a use of discretion in the age rule: whilst the German DSGVO provides a basic age limit of 16 years, French law has reduced it to 15 years (Art. 7-1). Particularly in the healthcare sector, specific rules apply and the French principle of prior authorization of data processing has been maintained.

However, these special features have in common that they must be observed by the persons concerned, but do not affect the rights to information and disclosure to be obtained from companies, so that they don’t affect the data protection declarations.

III. General changes in data protection policy

Probably the most significant change in data protection policy has been the commitment to transparency. Any company or private individual processing data must inform the users of its services in advance of the type of data collected and processed, the purposes of the processing, the duration of the storage and the legal basis of all this.

This happens via the data protection declarations, which, similar to the General Terms and Conditions or Terms of Use, are implicitly accepted by users of Internet pages by using them or by explicit acceptance at the time of conclusion of the contract.

This privacy policy must satisfy various minimum requirements.

This includes, first of all, giving the users of a website a contact person who they can contact to assert their rights. The name of the company is sufficient; it is not necessary to mention the name of the data protection officer within the company.

For any possible action on the website – be it an e-mail-form or a plug-in-button – the purpose of this data processing and the legal basis mentioned in Art. 6 GDPR must be stated in the data protection declaration.

Furthermore, the data protection declaration should also clarify the duration of data storage and the rights of the user, as well as the possibility of lodging a complaint to one of the national complaints authorities.

Data processing nowadays also has a cross-border dimension. The question therefore arises, in which languages the data protection declarations must be offered. In principle, the law and thus the language of the country in which the company is located applies. However, if the company offers a multilingual website, it is very likely that foreign users will also visit this site. Therefore, a corresponding data protection declaration must be available for each language version of the website.

IV. Conclusion

With its wide scope of application, the GDPD has not only turned data protection laws upside down, but has also reached every data processor. Individual rights have been strengthened, but also a completely new field of legal debate has been established.

Even if the European legislator tried to unify data protection law, it is still very complicated due to the many different European and national texts.

The new data protection law is “Same, same, but different” and it remains to be seen how some ambiguities will ultimately be resolved.