MLOH Data Security & RGPD
Good morning, Counsellor. Thank you for your time in taking part in this interview on data security and the GDPR. Can you tell us about the Iteanu firm? Hello, Sylvain. My name is Alexandra Iteanu. I am a lawyer at the law firm Iteanu Avocats and head of the Data and GDPR department for almost five years now. We have a niche practice specialising in new technologies for over 20 years. And within that scope, we support companies and especially their IT needs, from cybersecurity contracts to personal data, but also branding, e-commerce and e-reputation. Great, and you're working with one of our clients, Marketo, that's how we met. The GDPR came into effect in May 2018. Can you remind us how it has changed the life of companies and citizens? So, the GDPR came into effect on 25 May 2018, yes. What should be pointed out is that before it came into effect, there was already a directive that was applied and a French national law called the Loi informatique et libertés, which dates from January 6, 1978. This is one of the oldest laws on personal data protection that exist in Europe. So, actually, the GDPR, the main principles of the GDPR already existed before the GDPR. This is something that needs to be remembered because sometimes we tend to forget it. What has changed is that it is a directly applicable text, that is, there is no need for transposition. And it's a text that applies uniformly throughout Europe and to any company that targets European citizens, so e-commerce companies that are, for example, in the United States, in China, etc. As soon as products and services are sold to European citizens, these companies are subject to the GDPR. All right. Indeed, for the last four years... all of my clients have taken steps to comply with the GDPR, which has often resulted in the implementation of consent forms and usually the creation of a large form for managing communication preferences. I still saw a few contentious litigations, more on the B2C side, I think. 
Have there been any high-profile fines recently or not? So, actually, what has changed with the GDPR is that, today, it has dramatically increased the caps of approved fines. You should know that it can go up to 4% of a company's turnover or 20 million euros. So these are pretty big figures. We can think of the recent sentencing of Google who had to pay millions of euros to the CNIL. It should be noted that the CNIL, since the GDPR came into force, has increased the number of sanctions as well as the amount of the fines and that's what's causing a stir. And that's what helps a bit, shall we say, in forcing companies to comply quite quickly. Yes, indeed. So, this also applies to American companies, for example, Adobe or Marketo that operate in Europe, or a Chinese company operating in Europe and of course European companies. I guess there is no such thing as European companies that wouldn't cater to the European market. - It's unlikely. - It would be a shame. We are affected. What does that cover in short, to be quite brief? What does the GDPR cover? So, the GDPR covers any processing, any manipulation... It's broader than manipulation, because processing can be a simple consultation of data. It covers any processing of personal data. As soon as you are dealing with personal data, which can be defined as any information that will identify a natural person directly or indirectly, in that case, you're within the scope of the GDPR. So, we can see that the GDPR actually applies to many situations, much more than you might think, because personal data is information that directly identifies you, but also indirectly. So, we can think of a license plate, an IP address for example, in the case of marketing, or a lot of information about visitors on a website, those are actually personal data because they identify these individuals. OK. 
We, in the case of B2B, because we're more in that case, the IP addresses we collect, quite often, are the IP addresses of the companies that come to us. So, behind this aspect, there are many people. Of course. But we will still consider that the IP is enough to identify a person sometimes? If it is possible to identify a particular person, yes. But that's what's quite complex about the GDPR, because the definition of personal data, in itself, is quite contextual. That's exactly what you just said. It's going to depend, ultimately, on the context. If behind an IP address, there is a company, it will not be considered as personal data. If behind an IP address, there is a natural person, on the other hand, it will be considered as personal data. It's all about context. So, if I have an IP address, the IP address of Iteanu's office, for example, in which there are several lawyers, but I also have a digital path which allows me to see that the person has seen this page or that, it gets tricky. Totally. If you do what is called cross-referencing or combining data, two pieces of data that are not personal data, cross-referenced or combined, that can actually become personal data. Right. So, what I wrote on my little notepad about the GDPR framework is - tell me if I'm talking nonsense or not -, you need to get clear and fair consent on the processing of personal data. You should have the right to be forgotten. That is, I should be able to say to a company: forget me. It should really work. We need to be informed in case of a hacking and data breach. My son is into video games, I see this a lot. It's often Nintendo, Sony and others who get their huge database hacked and then other games are offered to the players. Purpose limitation. So we need to define what a purpose is and in marketing, it's not totally obvious. And there is a safety component: you have to protect the data you collect. So, yes, you listed some of the GDPR measures. 
In fact, there are a lot of them and they are, let's say, applicable on a case by case basis. You mentioned consent. You should know that in the GDPR, there are other legal bases which will let you, for example, process personal data without the consent of the individual. For example, if you have a contract with that person, you don't need their consent, or if you have what's called a legitimate interest. So, the GDPR is still broad enough to apply to a number of different cases and the GDPR measures will be applicable on a case by case basis. And you talked about the right to be forgotten. It is true that the GDPR will list a number of rights that are granted to the individuals concerned, it's articles 15 and following of the GDPR. So, there is indeed the right to be forgotten which is also called the right to erasure. But there is also what we call the right to object or the right of access, the right to restrict processing. So there's a whole series of rights that the GDPR grants and which are listed under articles 15 and following. And you talked about security measures. It's true that this is a very important point in the GDPR. Article 32 defines the fact that the controller must, on a case by case basis again, and according to the risks inherent in processing, implement safety measures that are appropriate. So it's actually going to depend on the processing, etc. And in case of a personal data breach, as you said yourself, you have to notify the CNIL, for example, within 72 hours and also the persons concerned when this may present a risk to their rights and freedom. There are a whole series of recommendations, measures that are in the GDPR, that will apply depending on the context and depending on the processing. Yes. OK. If we go back to the subject of personal data, you clearly defined what it was. 
If I try to apply that to what we do in marketing, the goal quite often of B2B marketing departments is to get emails, to identify the people who go on the website. Then collect more information fairly quickly: last name, first name, company. Cross-referencing that with a digital trail, we will try to define the person's preferences to be able to suggest education flows on the subjects that interest them in the company. But what I understand is that you only have to collect data if you're going to use it. Indeed, in the GDPR, this is a principle called the principle of data minimisation. This is the principle that states that we can collect data only for a purpose that has been pre-established. You can't collect data by telling yourself: "I'll see what I'll do with it later." You have to predefine a purpose. And you shouldn't collect more data than is necessary and strictly necessary for processing. This is what the GDPR actually mandates. At the beginning of my career, I often saw the date of birth in forms or "do you like golf?" There were often things like that. Unless you want to offer your clients golfing holidays, these are things that we don't do anymore. A little clarification: you should know that you can, in a form, this is also a recommendation of the CNIL, put a small asterisk to indicate what information must be filled out and those that are optional. So that's one thing that can be set up. Indeed. In our Marketo forms, we indicate the mandatory fields and those that are optional. How much time are we allowed to keep this data, this marketing data, usually? So, obviously, if the data is used, that the person comes to us regularly or that it is a client with a contract, you can easily imagine that in this case, we'll keep the data as long as the person stays with us. But we often have people who come to our websites for the first time, download a white paper or an infographic and then disappear and never come back. 
What does the GDPR or the CNIL tell us about the retention period of this data? So the GDPR, you have to know that it doesn't give any fixed retention period. The only thing that the GDPR states is that you don't have to keep the data for a longer period than is strictly necessary to achieve your purpose. So, again, it's a case by case basis. It's up to you to judge and justify the retention periods. The important thing is that you have to have, internally, what is called a record of processing activities. This is a mandatory document in which you have to record the different purposes that you have, but also the different categories of data and the retention periods that are linked to these data categories. So, depending on the data that you're going to keep and the purpose that is linked to this data, you're going to keep this data for a longer or shorter period. You should know that the CNIL also gives recommendations with fixed durations. For example, for customer data, you can store it in a database up to three years after the end of the commercial management. This is a recommendation of the CNIL. And quite often for prospects, so people who aren't clients yet, I'm thinking more like two years. Yes, the CNIL also states three years for prospects from the last contact with the prospect. But still, these are recommendations. That's not the law. It's better to actually put shorter durations. It's better of course. Or you can also put in longer durations, but in this case, you have to justify it. Yes, it's true that contacting someone who hasn't had any interaction with us for two years, marketing-wise, it's a bit suicidal. For Marketo, it's a good practice, we have a little programme that detects the last time we contacted a person, what kind of contact they were, and two years later, 18 months or 12 months later, it suggests a deletion. What about cookies? It's a special kind of data. Yes, you have to distinguish different types of cookies. 
There are cookies that are necessary for the website to function. These in particular do not need to have the visitor's consent. And then there are the cookies that are, for example, analysis tools, statistics, etc. And in this case, the CNIL requires explicit consent - I'm insisting on that - for each of these cookies. You are not allowed to get a general consent for all these cookies. You really need to highlight the information for visitors, telling them: "This is the list of cookies we have. This is the purpose." And the visitor has to be able to consent, or not, to each of these cookies. For the retention period of these cookies, the CNIL recommends a maximum of 13 months. But you should obviously try to reduce this period as much as possible. On the little cookie banners that you see, which are... generalised and quite intrusive quite often, can't we just have "accept" or "reject all"? Normally, it refers to what we call today a cookie manager with different purposes and the possibility to consent or not to each of these cookies. Right. I've actually tested quite a few of them, quite often what you get are blocks. We have mandatory cookies, we have marketing cookies, we have functional cookies and we can... play on the... Because in real life, I don't think anyone wants to accept cookies one by one before you enter the... Yes, you have to at least give them the opportunity to do it. But we agree that it's not the most practical thing. OK, right. So actually on Marketo, we're more on the marketing side, we are not at all... We cannot pretend that Marketo is a compulsory solution for the website to work. Cookies of people who visit the website, but are not known, they are kept for 90 days and after 90 days, it's deleted. We're on schedule. Let's talk about data security. What are we supposed to do in terms of security? 
So, once again, the GDPR is very vague on these issues and it says quite broadly under article 32: the controller shall implement measures in accordance with the processing and the risks inherent to such processing. There is no real security measure imposed by the GDPR. The GDPR will give examples of measures. It talks about encryption, pseudonymisation, and a system that will allow you to test the system to make sure that there are no loopholes, etc., without really giving a binding obligation on a particular measure. What is certain is that you have to set up security measures. The more there are, the better and the more you show that you tried to measure the risks and set up appropriate safety measures, the better it is for the controller. OK. So, we, on the Marketo side, we can set some security parameters for login management, password renewal and so on, which enable risk reduction. A good practice is to limit the number of people who have access to the admin part, because actually, we can manage and export everything. So, I think that's the most important measure. And teaching the users - I'm seeing this less and less - not to export the data in an Excel file and then send them to the agency by email. Yes, of course. That's the worst one can do. So, don't transfer personal data by email. No. We avoid transferring data, but if you have to transfer it, do it with secure systems. There are two rights that are quite complicated to set up in marketing and we often wonder about them, it's the right to erasure and the right to information. Can you tell us a little bit more about these two rights? Yes, these are rights that are clearly laid down in the GDPR. So every concerned individual has the right to ask the data controller to erase his or her data. The controller must respond to this request within a month. And indeed, you have the obligation to respond to this request. 
If you don't, the person can complain to the CNIL, normally, and you're liable to the penalties we talked about earlier. Erasure is not just about masking from processing the personal data of a person, it's really erasure. So a right to be forgotten, as we call it. It should not be possible to retrieve the data in the controller's system. And the second right you were talking about, I'm sorry, it was the... The right to information. The right to information, that too, is a right that is often difficult to put in place. And yet, it's one of the most important rights and the CNIL is very insistent on that. It states that before any processing, you have to inform the people concerned of a certain amount of information listed in the GDPR, under article 13 of the GDPR. It lists all the information that you have to bring to the attention of the person concerned before starting to process or collecting his or her data. This includes the name of the data controller, the purpose of the processing, how long the data will be kept. The person concerned must be reminded of their rights, so they have a right to erasure, to be forgotten, to have access, etc. But also that they have the right to complain to the CNIL. There is a whole series of information to be included which is specific to each processing operation and it's very important to put it forward before collecting personal data. OK. But once we've collected... It's true that I didn't have in mind that interpretation of that right. For me, it was: "Show me the information that you have in your database about me." That's called the right of access. The right of access, OK. This right of access, yes, when you are the person concerned, you have the right to ask the data controller to access the information the controller holds on you. And the controller has, again, a month to answer your request. And we agree, this is in all systems, not just the marketing system? No, of course not. 
It's a nice cross-functional IT project to go and get it all quickly. It's not easy. The GDPR doesn't state, though, how the person should make the request. That is to say, you are free to... it can be on having a button on the preference centre, or you can send a letter with a copy of the ID and I don't know what... Totally. The format is loose. All right. OK. I'll show, after this video, a few examples of preference centres to illustrate how to put into practice the different consents, the different rights on our preferences. I'm not going to take up your time on this. I suggest we move on to something that's been in the news a bit recently: rulings. I think it was the Netherlands that started it, and then the CNIL, on Google Analytics, and it... makes my clients think. What about Google Analytics today? So, you have to know that this is not a surprising decision, at least not in the world of personal data. Because you have to know that since July 2020, there's been what's called an invalidation of the Privacy Shield by the Court of Justice of the European Union. It was an agreement that allowed the sending of data to the United States, personal data from Europe to the United States. And this Privacy Shield agreement made these transfers to the United States legal. The Privacy Shield has been invalidated as of July 2020. And since this invalidation, we know that any transfer to the United States must be accompanied by guarantees and that there is a need for additional formalism, and that the Privacy Shield no longer exists. So, in reality, the CNIL's decision which condemns a company that uses Google Analytics, we were expecting it. Why? Because Google is an American company and by using its services, it collects the data of European citizens and it is sent to the United States. And it is in fact this transfer to the United States that the CNIL is condemning today. All right. 
Is it the fact that Google servers are in the United States or is it the fact that Google is American? So, for the CNIL's decision, it's the fact that Google servers are in the United States. But in reality, the problem would be the same even if the servers were in France, since we know that today American legislation, and especially the Cloud Act, allows any U.S. investigative control authority to access personal data of a US entity, even if those servers are not in the United States. So, even if Google's servers are not in the United States tomorrow, the problem persists as long as there is no equivalent Privacy Shield or change in the American legislation. So this means any American software company is actually subject to this? Completely. All American software companies are now at risk. OK. What can we legitimately expect? Is this a solution that can be solved or are we at risk? Well, there is a new Privacy Shield, basically, which is supposed to be enacted, maybe in the next few weeks or months. Anyway, we're talking about it. This would make all these transfers to the United States legal again and that would be a relief for everyone and would allow the use of American providers. To date, today, what we recommend, actually, is to use European providers or even French, when possible. Yeah, because unfortunately in the sales and marketing departments, there are a lot of American software companies. - If you have to change everything, it's... - It's complicated. - We agree. - ...it's complicated. The speech of these software companies is often to tell us, Marketo in particular: "Don't worry, we've put servers in the Netherlands, in Germany, so everything is fine." Nevertheless, well, we know very well that it's usually quite complicated. You can't change Adobe contracts for example, we are forced to accept the contracts as they are. 
And there are often conflicts with French clients who would like to apply their safety rules versus Adobe who says: "The contract is like that for everyone. If you don't like it, go elsewhere." Yes, that's the problem with these big American providers who offer what are called adhesion contracts, that is, contracts that are non-negotiable and which often cause difficulties for their clients. So, I understand that it's still risky as long as we don't have a new negotiation at the European level. As I understand it, the Privacy Shield is an agreement to ensure that the data that was sent to the United States is not going to be looked at by the CIA, the NSA. It didn't guarantee that, but it did make the processing legal. OK. It didn't protect the data that much, but it made it legal, in any case, the transfer. Today, it's official that this kind of transfer no longer meets the requirements of the GDPR. OK, but on the face of it, we are still allies in today's world. We're on the side of the United States and Europe... If it were Russia that would be different. We're still on the side of the Allies. I guess we should be able to find a... find an arrangement. That's what everyone's hoping for anyway. OK. A slightly more open-ended question to finish, Counsellor. Obviously, Tech Giants use our data and for them, it's a real gold mine because it allows them to... to personalise it a lot, to really personalise the ads and resell this data to other third parties who then have control over it. In the same way, the GDPR was a bit of a reaction to that, is that... I imagine a world, one day, where I, Sylvain, will have complete control over my data. And I, Sylvain, could eventually decide exactly who to give my data to and how I monetise it eventually. Do you imagine that we could have a world like that? That's a serious question. The monetisation of personal data is a serious question, but you have to know that today that's not the case. 
It's a right that is very personal and you can't even exercise it, we, as lawyers for our clients, it's really what we call a personal right, personal data. And monetising that personal data would, in a way, take away certain rights of individuals who would be willing to sell their data, lose some kind of control over that data. When you see the quality of consents, which is almost equivalent to zero, we can ask ourselves: will it be done in a completely lucid way by natural persons? Shouldn't we protect them a little bit in spite of themselves by not allowing the data to be monetised? That's kind of the question I'm asking myself today, anyway. At the individual and therefore consumer level, rather B2C industries, I understand because I'm nothing compared to a big brand. On the other hand, if you're in a B2B setting, if I look in particular at the evolution of CRM systems, 20 years ago, we were installing machines. Then the cloud came along. We don't install machines anymore, though we're still developing systems. Now, we have CRMs that are almost ready to use once you pay the license. And for me, the next step, is to have the CRMs already full with data. And I see that a tool contains almost all the data, provided that the LinkedIn data is accurate. This is a big assumption. But I'm thinking, me, as a company, I could decide to sell the B2B data of my company and my employees, with their name, their position, their phone number, their email. And in return, it would automatically populate my CRM with other people's data. And that would be a huge step in the quality of the data that we would have because, for example, me, the boss of Merlin, I would actually control the data that I give and the data I receive. And I might even get rewarded for it. 
So, for me, that's really the next step that I'm waiting for because I've been filling in databases for 20 years while I see that all my clients are the same, they're all doing the same thing, whereas the data, we naturally put it into a tool, in your Microsoft Teams, in all the systems. I don't understand why we don't share them today. It's in that sense that I saw the future. OK, but that would be completely contrary to the GDPR and what we were saying about a defined purpose. I'm giving you a lawyer's answer. I'm sorry, but I have my bias. I think there are people thinking about it at Microsoft today. I can see why you would ask that question. Especially since we have the tools, the tech and you think, "why not?" I get it. I think it's good. I may be playing devil's advocate, but I think it's good, that there are texts that also protect a bit to counterbalance tech which is evolving very quickly. And that's very good to try and nuance it a little bit and bring some safeguards around this whole technology. OK. Look, I think we've had a good look at the current state of the system. Thank you very much for your time, Counsellor. And see you next time. Thank you very much.