The Montaigne Institute points out the imperfections of the GDPR

[ad_1]

"The objective of data protection (…) is in a regulatory balance with the economic efficiency or gains for individuals and companies, and the public interest", schematizes François Godement, editor of a short story study commissioned and published on December 12, 2019 by the Montaigne Institute on the General Data Protection Regulations (GDPR). This consultant for the Ministry of Foreign Affairs is full of praise for this European text, consisting of "88 beautifully written pages", and who has succeeded in a complex bet: find a "subtle balance between protection of individuals, commercial need for data and protection exemptions".

But even if Europe is an example on the matter which inspired many foreign legislations – California thus adopted its RGPD, baptized "California Consumer Privacy Act" (CCPA) – the Montaigne Institute considers that the GDPR is still imperfect , for several reasons.

Explicability of algorithms as law

Firstly, the study regrets that the privacy policies are still difficult to read for users. Return them "more readable and ergonomic"would allow"individuals to regain control of their personal data", which is one of the main objectives advocated by the GDPR.

With the same objective of transparency, individuals should have "an effective right to obtain an explanation"in the context of the use of an algorithm. This is not the first time that a report has argued for the intelligibility of artificial intelligence. Published in March 2018, the Villani report made it its spearhead explaining that transparency made it possible to build the confidence of citizens.

Create ex-post actions

The study also tackles the sanctions imposed in the event of a violation of the GDPR. Currently, the fines imposed are based on an ex-ante evaluation, that is to say after the design of a program. Their amount is proportional to the turnover of the company concerned. The study recommends creating sanctions based on "ex-post actions", or after the damage has occurred.

This change requires "a switch to a real assessment of the damage caused"and not the use of pre-set thresholds. This approach corresponds to the American model where a company managing personal data must take the necessary precautions if their cost is less than the damage resulting from a violation, weighted by the probability of the damage. The study admits that in practice this equation is more difficult to apply, since the harm resulting from a violation of privacy is complicated to assess.

Health data, between innovation and confidentiality

Finally, François Godement raises the issue of health data. They perfectly illustrate the case where the processing "on grounds of public interest"is authorized without the consent of the person. Indeed, the use of health data is essential for"advanced medical research, disease prevention and field medicine". At the same time, it is necessary to protect this information which is sometimes very sensitive. But how to find this right balance?

The study regrets that the pharmaceutical giants need to turn to the databases of GAFAM because the databases of public bodies are not yet well shaped. France must continue to protect health data while making it interoperable. The generalization of the Shared Medical Record (DMP) is "a step in this directionThe launch of the Health Data Hub at the beginning of December 2019 is also a step in this direction, with the aim of promoting the use and increasing the use of health data.

[ad_2]