"Take control of your data"!

#DPW2024 • #DPD 2024 18th Data Protection Day • Privacy Day

28 January is Data Protection Day, the anniversary of the signing on 28 January 1981 of Council of Europe Convention No. 108, the first and only binding international instrument for the protection of individuals with regard to automatic processing of personal data. The international commemoration of this day has since developed into a week-long initiative.

Convention 108 has played a pioneering role in guaranteeing, on the territory of each State Party (including Monaco), for all individuals, regardless of their nationality or residence, respect for their rights and fundamental freedoms, and in particular their right to privacy, with regard to the automatic processing of their personal data.

🔒The theme of Data Protection Week, which runs from 22 to 28 January 2024, is "Take control of your data".

It emphasises the need for people to realise that they are not just passively involved in a process that is beyond their control and to which they are subjected from start to finish, without their knowledge, but that they are also actively involved as actors in the collection of their data when they voluntarily provide a large amount of data.

99 AVOCATS proposes an overview of personal data protection law in Monaco and a reflection on awareness: "From carefree submission to taking control of your personal data".

* * *

Overview of personal data protection law in Monaco

1993: introduction of personal data protection rules into Monegasque law and establishment of the personal data protection and control authority (CCIN)

Law no. 1.165 of 23 December 1993 regulating the processing of personal data was passed by the National Council on 13 December 1993 and came into force on 1 January 1994.

The Commission de Contrôle des Informations Nominatives (CCIN) is a consultative body reporting to the Minister of State.

1998: The CCIN takes up its duties

The first CCIN became operational in June 1998.

Its first years of activity focused on the following tasks, in a pedagogical approach: informing and advising the public and notifiers; registering private sector notifications; responding to requests for advice from the public sector; investigating complaints and claims.

2004 : first annual CCIN “droit d’@ccès” newsletter (right of access)

The CCIN's activity report is made public via its courriers annuels d'information (annual information letters), until 2008.

2008-2009: accession to Council of Europe Convention 108 and its additional protocol, and reform of Law no. 1.165

The National Council approved the ratification of Convention 108 and its additional protocol on supervisory authorities and transborder data flows (Law no. 1.354 of 4 December 2008). The Principality deposited its instruments of ratification with the Council of Europe on 24 December 2008. Convention 108 entered into force in Monaco on 1 April 2009 (Sovereign Order n° 2.118 of 23 March 2009).

The Monegasque Law was renamed Law no. 1.165 of 23 December 1993 on the protection of personal data, and reformed to bring its provisions into line with the Council of Europe's standards relating to the automatic processing of personal data (Law no. 1.353 of 4 December 2008): better definition of the essential legal concepts, enhanced protection with regard to the digital economy and the increasing use of technological means, cross-border flows of personal data and the processing of sensitive data. The new provisions come into force on 1 April 2009.

The CCIN has become an Independent Administrative Authority, with new powers to monitor compliance with legislative and regulatory provisions by those responsible for processing personal data, whether they be private players or public bodies and similar bodies.

Monaco's reform also takes into account the provisions of Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, due to its relations with European Union countries, for both geographical and economic reasons, and with the aim of obtaining an adequacy decision from the European Commission to facilitate transfers of personal data from the European Union to Monaco.

2010: CCIN's 1st annual public activity report

The 14 activity reports (2009-2022) highlight the increasingly sustained activity of the CCIN over the years.

2018: signing of Convention 108+ and consequences for Monaco of the entry into force of the European Union's General Data Protection Regulation 2016/679 (GDPR)

On 10 October 2018, Monaco was among the first signatories of the Protocol of Amendment (CETS No. 223) to Convention 108 (the amended Convention 108 is known as Convention 108+). Convention 108+ strengthens the rights of data subjects by taking into account technological developments, in particular the development of algorithms and artificial intelligence leading to automated decision-making, expands the list of powers of supervisory authorities and strengthens their cooperation, all in line with the GDPR.

A controller or processor located in Monaco may, in addition to the obligations set out in Law No. 1.165, be subject to the obligations of the GDPR applicable from 25 May 2018, due to its extraterritorial scope.

The CCIN publishes a FAQ "Impact of the GDPR in Monaco".

2020: consultation of the CCIN on the draft reform of the legislation on personal data

2021: Bills to ratify Convention 108+ and reform the legislation on personal data

On 20 December 2021, the National Council will receive Bill 1053 approving the ratification of Convention 108+, and Bill 1054 on the protection of personal data.

The purpose of the planned wide-ranging reform is: - firstly, to transcribe the new requirements of the Council of Europe's Convention 108+; - secondly, to bring Monaco's legislation into line with the standards of the European Union's "data protection package" consisting of the RGPD and Directive (EU) 2016/680 "Police Justice". Monaco aims to obtain an adequacy decision from the European Commission, which would facilitate the transfer of personal data from the European Union to Monaco.

2022: Opinion of the Office of the High Commissioner for the Protection of Rights, Freedoms and Mediation on Bill 1054.

2023: 30th anniversary of Law no. 1.165, continuation of parliamentary reform work, and draft law on the use of remote biometric identification to protect national security.

Law no. 1.165, which will be repealed once the new Personal Data Protection Law is passed, celebrated its 30th anniversary on 23 December 2023.

The legislative work carried out by the Digital Development Commission is continuing, with consultations with stakeholders and civil society.

The purpose of Bill 1087, which was received by the National Council on 19 December 2023, is to establish a clear, precise and specific legal basis for the conditions of use of remote identification technologies in places accessible to the public for the purposes of safeguarding public security. It takes as its reference the future legislation on artificial intelligence (AI) or "AI Act" of the European Union.

* * *

From carefree submission to taking control of personal data

The more familiar we are with technology, the more personal information we share without realising the implications, and without necessarily knowing how to take control of our data.

The collection of digital data is inevitable, but not totally unstoppable.

Indeed, while some data is collected without the knowledge of the "data subject" (masked, illicit collection), other data is produced voluntarily by the "data subject" and there is room for manoeuvre here.

The three classic types of online behaviour when it comes to data for which there is room for manoeuvre:

1. carefree: I'm concerned but I don't feel concerned. "I click, I get what I want, I have nothing to hide" - I am passively concerned.
2. submission: I feel concerned but I let myself be steered without questioning. "If the Internet asks me to enter my cousin's first name and date of birth to buy a pair of trousers, I'll do it. - I am passively concerned.
3. distrust: I feel concerned and I ask myself questions. "My data belongs to me, has value, and I'm taking control of it" - I'm actively concerned.

To take control of your personal data, you need to be aware of:

• your actions and motivations when using a smartphone, tablet, computer or connected object,
• of what is done with their data
• of their rights, which are not reserved for adults alone.

Being aware of your actions and motivations reduces the risk of uncontrolled digital behaviour.

Being aware of your rights reduces the stress caused by poorly controlled digital actions.

Good to know: the CCIN can also act at the request of minors to have illegal online content removed, without their parents being informed.

* * *

CCIN, Contact > https://www.ccin.mc/en/contact...

CCIN, "Know Your Rights" >https://www.ccin.mc/en/individ...

CCIN, "Letters to act" > https://www.ccin.mc/en/individ...