Compliance by Design, a new weapon? Opinion of Facebook about Apple new technical dispositions on Personal Data protection.

Compliance Law aims to concretize Monumental Goals, which can be unified in the protection of humans in a liberal economic system. This is why the protection of economic and social systems and the protection of personal data belong to Compliance Law : it's the same purpose.

This requirement of protection is internalized in operators, because in this new branch of Law the effectiveness is required, not only the sanctions of breaches, but the absence of breaches. The efficiency of Compliance Law is not simply a wish, as for every legal rule, it is a legal rule itself.

The GDPR: Personal data protection transformed by Compliance Law

As Professor Ludovic Pailler writes in his article "Technological tools, Compliance by design and the GDPR: data protection from design", Compliance Law has changed the "paradigm" of the legal protection of personal data, by the European GDPR. He expressly cites the words used by the President of the Court of Justice of the European Union.

Ludovic Pailler, in this article to be published soon in the collective book "Compliance Tools", says : "By a “changement complet de paradigme", with regards to the directive 95/46, the General Data Protection Regulation ... has switched towards the philosophy of Compliance. In face of digital developments and of its economy which multiply risks for physical persons rights and freedoms, the European Legislator chose to transfer the load to ensure the effectivity of rules which it defines on processing managers. After having set a corpus of “principles relating to processing of personal data”, article 5.2, adds the principle of accountability. Then, the “controller shall be responsible for [the respect of principles relating to processing of personal data] and be able to demonstrate compliance with them”. More specifically, it must implement “appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR”. As such, this tool of secondary Law integrates Compliance Law. The link between these two elements is still much narrower to look at Compliance technological tools. Personal Data, because it is an information, is a Compliance tool. It is by nature a precious resource for companies which must implement a vigilance plan, prevent and detect corruption or bribery or implement a system for identifying and assessing the risks of money laundering and terrorist financing. Data processing, which includes their collection, their registering their organization, their conservation, their communication, their reconciliation or their interconnection, is then a common stone to a great variety of Compliance technological tools. The algorithm is the general form of these tools, the artificial intelligence or the blockchain are the specific forms. All optimize Compliance. Applications are various: collection, conservation, data erasure from registers; analysis of data flux in order to prevent, alert, profile, make a decision or help to decide; security default assessment, etc. The use of these tools cannot however clear debtor of its compliance obligation concerning its liability towards concerned people. Therefore, Compliance implemented by a personal data processing submit processing managers to accountability principle. The pursuit of a “monumental” goal by the implementation of technological tools, even if it is a commendable goal, cannot have the effect to unjustifiably undermine fundamental rights of people, especially those whose protection is by the way desired by Compliance Law. However, among the different obligations which are imposed to the processing manager of a compliance process, there is one which is related to compliance by design, that is an integration of compliance requirements since the design of the technological tool. The obligation to provide “appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with [GDPR] is imposed since design (data processing by design) to all Compliance technological tools which imply or consist in personal data processing.".

Indeed, the GDPR is not against free market principle, its exact title is: "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data". The two considerations, "the protection of natural persons" and "the free movement of such data" comfort the building of the European Data Economy.

But through Compliance Law, entreprises are in charge to protect in Ex Ante the individuals, directly through the technology, "by design".

Compliance "by design" mixes Law and Algorithm.

Many would like to impose technology power on the Legislator or the Judge, on the ground that "Code is Law", that is to say that numbers would have their own "Law", a sort of "Natural Law" to be followed (see against this idea presented as a fact, Supiot, A., The governance by Numbers, 2017). On the contrary, Compliance Law "by design" imposes legal obligation to create technical tools precisely for obeying legal requirements. For instance, to protect individuals, entreprise creating technology to do so. As RGPD article 25 says about "Data Protection by default or by design": "Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.".

Compliance Law and Legal Protection of Individuals increase, especially in Europe and U.S. By courts and legislators' decisions, but also by enterprises themselves. For instance, by a new "policy" the digital entreprise Apple has adopted new technical norms for apps put in its new IOS14, blocking access to consumers' identity. This is an act of "Compliance by design".

Indeed, the "IDentifier For Advertisers -IDFA" inserted in iPhone and iPad and used for the targeted advertising will be subordinated to the consumer's consent.

It seems a sort of duplication of the RGPD. But is it really a legal obligation ? Moreover this protection goes beyond the European Law. In any case, not everyone likes it. Some say that this firm would have used this personal data protection "duty" to block this access to Consumer's personal data in order to harm the other firms and the advertising business, favoring its own advertising tool.

Advertising firms have asked for meeting.

Facebook has published an article to protest against this "policy".

The controversy between Apple and Facebook on the Consumers's identity Apple "policy".

Facebook says on its blog : "In June, Apple announced iOS 14 updates that, among other changes, require apps to ask users for permission to collect and share data using Apple’s device identifier. Given the impact the policy will have on businesses’ ability to market themselves and monetize through ads, we’re sharing how we’re addressing iOS 14 changes and providing recommendations to help our partners prepare, while developers await more details on this policy.We expect these changes will disproportionately affect Audience Network given its heavy dependence on app advertising. Like all ad networks on iOS 14, advertiser ability to accurately target and measure their campaigns on Audience Network will be impacted, and as a result publishers should expect their ability to effectively monetize on Audience Network to decrease. Ultimately, despite our best efforts, Apple’s updates may render Audience Network so ineffective on iOS 14 that it may not make sense to offer it on iOS 14. We expect less impact to our own advertising business, and we’re committed to supporting advertisers and publishers through these updates. ...We believe that industry consultation is critical for changes to platform policies, as these updates have a far-reaching impact on the developer ecosystem. We’re encouraged by conversations and efforts already taking place in the industry - including within the World Wide Web Consortium (W3C) and the recently announced Partnership for Responsible Addressable Media (PRAM). We look forward to continuing to engage with these industry groups to get this right for people and small businesses.".

For the moment it is possible to do some remarks.

• The RGPD is not applicable outside European Union, as the Court of Justice of European Union has said in 2019, but it is possible to follow its logic by Corporate Social Responsibility and Raison d'Etre, expressed by corporate "policy" as Facebook does itself for its own consumers. American Laws follow the logic of this European Regulation, as the California Law of 12th of July 2018 to protect consumers' privacy (which is distinct to the "right to be forgotten"). In this case, it is always so difficult to distinguish the reason why a firm applies the logic of a non-applicable text or applies it beyond its requirements....
• In Europe this is organized by regulation, for instance the new French legal possibility to put segmented advertising in Television from Septembre 2020.
• The way used here by the opponents is the "conversation" and "efforts" to find satisfying balance between interests in presence, not only Facebook and Apple but behind them consumers, platforms, advertising firms which want to obtain personal data of consumers for creating targeted advertising. For the moment, this notion, proposed by Professor Julia Black of "conversational Regulation" does not work very well.
• Maybe Administrative bodies, Politicians or Courts could step in, through Competition Law, or Regulatory Law, or Compliance Law. If conversations turn short.
• The core legal question is the battle between subjective rights.
• Here, the "right to access to information" versus the "right to privacy", technology being in between. Competition Law is more built on Freedoms (free market, free movement of capital, goods, persons) and Regulation & Compliance Law more on Rights (Right to access, but also Right to be no accessed).
• Regulatory Law has created the "right to access", for instance right to access network. This subjective right had been established in the US by Competition Case Law and in Europe by European Regulations. Similarly the Right to Access to Information is the basis of the Financial Markets Regulation, also of the principle of "Open Internet".
• Because in general terms Compliance Law internalized into entreprises the duty to get organized for aiming monumental goals, they are obliged to concretize the right of some to obtain information (for instance shareholders) but they are also obliged to concretize the right of some to obtain information, concerning them, not to be given.

This is the paradox of Compliance Law, between Information and Secret. Who holds the balance?

__________________________________________________________________________