Chawki Gaddes, a professor of constitutional law and president of the National Authority for the Protection of Personal Data (INPDP), gave AfricanManager an exclusive interview in which he spoke of important points, including the new draft law on the protection of personal data, all the penalties provided for under this new law, overruns and infringements identified by the authority and the parties involved in the INPDP…
Tunisia is in the process of introducing a new law on the protection of personal data. Where are we currently?
We are changing our legal framework to conform to European standards and international protection standards. It was therefore necessary to improve Organic Law number 63 of July 27, 2004 on the protection of personal data.
This law suffered from deficiencies and failures which render certain provisions obsolete and inapplicable.
The new draft law is intended to comply with the provisions of Council of Europe Convention 108 on the protection of personal data and also of the new European General Regulation on the subject, which is expected to enter into force in May 2018.
Tunisia filed the instruments of ratification of the convention with the Council of Europe last July, and we will become a member next November 1.
What are the main characteristics of this European law and their impact on national legislation?
This general European regulation is, contrary to Convention 108 (it is only binding for ratifying States), a general law approved by the European Council and Parliament.
The new law will enter into force in May 2018 in all States without the need for a national law.
From this date, the national laws of the states protecting personal data will be replaced by the European Data Protection Regulation (French: RGPD).
As from May 2018, the standard of protection of personal data will be the European regulation and no longer Convention 108. And that is why it has been said that today it is necessary to change the Tunisian law so that it complies with these regulations.
In this situation it was no longer possible to revise the national law, which was too far from current international standards.
The only solution was to devise a new draft law that would conform to the content of the European regulation.
What role will the Authority play in this regard?
In all the countries of the world, the protection body enjoys the necessary independence for its action; it authorizes the processing of data, checks, regulates and transforms itself into a court if the law is violated or transgressed. It plays these roles because it is a specialist in the field.
All bodies are free and independent in their actions; they enforce the law and punish violations, like courts.
It is in this vein that a sanctions committee will be set up within the body that will be presided over by a magistrate and who will be required to respect the rights of the defense.
It is true that the amount of financial penalties seemed too large for the structures consulted. Indeed it can go up to 4% of the turnover of the previous fiscal year. But it is not our invention; it is what the RGPD institutes.
For the past three decades, European authorities have learned that the only way to enforce data protection standards by companies that are increasingly omnipotent in economic terms is to hit hard.
Look at the last sanction of the Spanish authority against Google and you will understand.
In all cases the 4% is a maximum limit and can be adjusted according to the seriousness of the violation recorded.
The Authority filed complaints, among others, against five private clinics. Where are we on these issues?
The authority continually transmits files to the Public Prosecutor. Section 77 of the 2004 Act requires it to do so each time it finds a violation of the protection standards.
In this context, in June 2016, it transmitted 15 very important files on recalcitrant public and private structures.
These include social funds (CNRPS and CNSS) but also clinics and a regional hospital, not to mention STEG.
The requests were forwarded to the National Guard for investigation. Yet their treatment did not impose this procedure.
The persons responsible for the processing of personal data must complete the obligatory prior proceedings before the authority. These structures refuse to do so, the Authority attests to the absence of proceedings, the violation is thus consumed and found, there is no longer reason to investigate.
The case should have been transmitted very much since June 2016 for judgment. The National Guard will not answer the prosecutor before two years!!! During which these structures will continue to violate the law with impunity.
Are things going faster with the public prosecutor now?
Yes it is more and more fluid. We recently sent the case of a computer service company that put up for sale a database of citizens with their full names and telephone numbers.
The manager of the company made this announcement on his LinkedIn page and boasts that it was the base of Tayara.tn!!!
Cases were sent to several other prosecutors who took a quick step in transferring the case for trial.
This is the case of Sfax or lately the Kef.
Other structures have rapidly regularized their situations and their cases have been filed with the public prosecutor: this is the case of the CNAM, Tunisair or TLS contact…
What decisions can be taken against those who violate the law?
According to article 90, the chief executive of these institutions risks a month of imprisonment and a fine of 5 thousand dinars.
It is true that it is difficult to put CEOs in prison but the judge will surely find a way to modulate the sanction. To say more than that would be an interference in the work of justice.
On the other hand, it will be recalled that Article 53 of the Criminal Code is an ordinary and general law whereas Article 90 is an organic and special law. So the judges should give it priority. And there is more doubt: the sanction will hurt and serve as an example to naysayers. This is the approach to be followed in a State where the rule of law is upheld.
Do you get a lot of complaints?
Yes more and more, but the problem is that we do not have the human means to treat them. We are three people in this Authority. We do not have any skills or sworn agents.
The majority of complaints relate to video surveillance, SMS or personal data transmitted to the courts in an illegal manner.
Recently a decision was made on a data host operator who transferred data outside the national territory without the consent of the clients and without the authorization of the authority.
The case was referred to us by the public prosecutor; he requested that the complainant lodge his complaint directly with the court!!!
Today, no judicial decisions have been issued to enforce overruns in the protection of personal data.
Do you not think that the penalty of 4% of the turnover of a company is disproportionate?
Yes, but we realized all over the world that there were a lot of profits generated by the processing of personal data for the benefit of companies.
That is why every entrepreneur who breaks the law must pay sums that are harmful and dissuasive. The goal is not the penalty per se, but that the one who processes the personal data is responsible because a 4% fine can lead to bankruptcy.
When will the bill be approved?
A workshop will take place on October 12 to make the final adjustments on the new bill. It will subsequently have to be submitted to a cabinet meeting at the end of October and later to the Parliament in November.
With this law, Tunisia will be the first Arab country with a law in line with European standards. This action will help to make Tunisia a platform of services for both Africa and Europe, it is my deep conviction.
At the national level, people are beginning to talk about the protection of personal data. Many complaints are received by the Authority in this regard. The process to make this law more effective blocks the doors of justice. But the consultation will allow over time to overcome this blockage.
Are you satisfied with the budget allocated to the Authority?
You cannot ask for a budget when you do not have the human resources to spend it. Money is used to carry out actions. For this you need staff. The Authority does not have it; there are only three to deal with the case.
We have never managed to spend more than 50% of the budget allocated to the Authority in the first six years of administration. The rest is carried over from one year to the next. There is no point in asking for more even though we do not have the means to carry out actions.
To give an example. We had to create a website, we did not have the skills to do that, so it was the president who carried out the specifications, it was he and the accounting officer with the secretary-general who opened the bids. It is the president who works with the company to construct the site both in terms of form and content. Once the site is online, the president will be the webmaster.
Is this normal? Of course not… This is why we are asking for the funds that we can consume, while remaining convinced that the State cannot go further in view of its financial situation and that independent bodies must find the way to own resources to give them more independence.