The GDPR applies to all organizations (i) that process personal data related to the activities of an establishment in the territory of the European Union (EU) or (ii) that process data related to the offering of goods or services to persons located in the territory of the EU or to the monitoring of their behavior. The GDPR is based on a set of principles applicable to the processing of personal data, including the principle of data minimization, which consists of limiting the processing of personal data to what is necessary for the purposes for which they are processed. Moreover, the “privacy by design” and “privacy by default” principles require companies to implement appropriate technical and organizational measures to protect personal data when new products and services are designed. The GDPR also creates obligations for data controllers and their sub-contractors to make businesses more accountable. These include notifying the supervisory authorities and, in some cases, the individuals concerned of personal data breaches that are likely to result in a risk to the rights of those concerned. Companies that process a large amount of personal data, like Publicis, are also required to maintain records of their processing activities and to appoint a data protection officer. Just as it tightened the obligations incumbent on companies, the GDPR also created and reinforced the rights of individuals, in particular their right to information on how their data is processed. The regulation also lays down the framework for transfers of personal data outside the EU to ensure that individuals enjoy a sufficient and appropriate level of protection. The GDPR provides for administrative penalties, including fines of up to €20 million or 4% of global annual revenue for the most serious breaches.
European supervisory authorities are showing increased vigilance, using these sanctions more and more often and imposing increasingly significant fines. In addition to the regulations, the recommendations of the national organizations responsible for monitoring compliance with these rules, as well as case law, can have a significant influence on the level of protection required and the organization to be put in place. Examples include guidelines no. 2020-91 and recommendation no. 2020-92 of September 17, 2020 of the CNIL in France on the installation of cookies, and the Schrems II C-3111/18 ruling of July 16, 2020 of the Court of Justice of the European Union on the transfer of data outside the European Union. In parallel, Directive 2002/58/EC, dubbed the “ePrivacy” Directive, as amended, lays down rules to guarantee protection of privacy in the electronic communications sector. Transposed into French law by Law no. 2004-575 on confidence in the digital economy, this directive imposes obligations with respect to marketing and introduces rules on how cookies are used. The ePrivacy Directive is still undergoing revision and is expected to be replaced by an ePrivacy regulation that will be directly applicable in the EU.
Since the implementation of the GDPR, an increasing number of countries across the globe have been adopting personal data protection regulations. In the US, as there is no federal regulation, California was the first state to adopt a regulation known as the California Consumer Privacy Act (CCPA), which came into force on January 1, 2020. In October 2020, it was supplemented by the California Privacy Rights Act (CPRA), which will come into force on January 1, 2023 and have effect from July 1, 2023. The CCPA provides for a right to opt out, allowing users to suspend the sale of their personal data. The CPRA extends the current personal data protection scheme: it steps up the requirements governing how companies are authorized to use the personal data of consumers in California and creates a new governmental agency in charge of ensuring CCPA compliance. In March 2021, the State of Virginia adopted the Consumer Data Protection Act, and in September 2021, Colorado also took this important step by adopting the Colorado Privacy Act. A dozen other states in the US are in the process of adopting their own personal data protection laws.
In 2021, other countries introduced new acts relating to personal data protection. In August 2021, Brazil adopted the Lei Geral de Proteção de Dados Pessoais (LGPD) and in November 2021, the People’s Republic of China adopted its own personal data protection act.
Due to Brexit and decisions by European Union regulators, additional obligations related to international data transfers have been put in place. The European Union also introduced new regulations which affect the advertising and marketing industry with the aim of turning the European Union into a single digital market and “creating a safer digital environment which protects consumers’ fundamental rights and establishes fair competition conditions for companies”. These are based on two regulations, which will be immediately applicable in the Member States of the European Union: the Digital Markets Act (DMA) and the Digital Services Act (DSA). The DMA aims to regulate the behavior of platforms that have a significant impact on the European market, particularly with regard to competition law. It aims to ensure sound and fair competition between operators and thus promote innovation and the arrival of new players offering a wider choice for consumers. This text provides for obligations relating to the use of personal data for advertising targeting. The DSA aims to regulate the operation of platforms, regardless of their size, and in particular the content published on the Internet. It aims to better protect consumers and their fundamental online rights. On March 24, 2022, the European Parliament and the Council of the European Union agreed on a final version of the DMA, the implementation of which is expected for the end of 2022. The DSA is still under discussion, although an agreement on a final text could be reached before the end of June, with implementation estimated for the first half of 2023.