At first sight, Carpe Diem has everything from a quiet little bar in the corner of Châtelet. The terrace welcomes guests who want to enjoy a drink in the sun outside the office, but if you had the misfortune to venture into the cellar on Monday night, you could witness a strange scene: a dozen people seated wisely around a few beers, reading aloud and in turn excerpts from the famous General Regulation on Data Protection. This European text came into effect in May and gives cold sweats to SMEs and GAFA.
"Read the text, in good company"
It is in this bar that members of the RGPD Book Club have taken refuge since November 2017. Every first Monday of the month, the group of ten members met to study in detail the text. Lawyers, developers, researchers and activists, the small group led by Suzanne Vergnolle set out to read and comment on the 80 pages of the European regulation. "The initial idea is to read the text in full and in good company," says Suzanne Vergnolle, a lawyer specialized in the issue of personal data. "For the most part, the people who came to the Book Club would soon be faced with the RGPD, whether for their work, their personal life or as part of their associative activities. Setting up an appointment to read it together made it possible to create a group emulation. "
And the atmosphere is indeed studious in the cellar of Carpe Diem: this Monday of June, a dozen participants are present. The session begins with a quick tour of the news, before attacking the heart of the subject. Members read the text article by article, then comment and explain their meaning by providing each interpretation. The articles studied concern the national supervisory authorities, gathered in the data protection committee, a new form of G29 instituted by the RGPD. One freely exchanges on the different missions attributed to this committee, as well as on the governance of the organization instituted by the RGPD. In turn, the participants express themselves, either to clarify a term, to ask a question or to point out a possible flaw in the interpretation.
A glaring example raised by members of the group during their reading: the RGPD originally promised to propose a single legislative framework for all European countries. But in many cases, the text leaves the jurisdiction to States to decide how to proceed. "The regulation leaves some room for maneuver to Member States, who can adopt more specific provisions: this creates a form of legal uncertainty that can affect consistency when applying the Regulation" summarizes Suzanne Vergnolle. A studious reading, but who knows how to remain critical of the text.
An open method
We could put the initiative as a fad of law, but as Suzanne Vergnolle reminds, the diversity of profiles is at the heart of the project "The goal is still to have opinions of people with routes and different formations. The RGPD is a text that has technical aspects that hard-nosed lawyers do not completely master: I learned a lot when reading certification-related topics, for example, thanks to comments from members who had been directly confronted to these aspects. The RGPD is a text that lends itself particularly well to the exercise because of its subject, data protection, which affects areas related to computer science as well as design and administration. But the method could be declined to other texts having nothing to do with the new technologies, suggests Suzanne Vergnolle, which evokes for example the recent law against the sexual violence and sexist.
The text is complex and requires serious analysis, but if you approach it with the right frame of mind, it's quite understandable
Gianfranco Cecconi- Volunteer and consultant at Capgemini But the idea was not born in a Parisian cellar. As Suzanne Vergnolle explains, it was from a blog post published by Gianfranco Cecconi that the idea came up. As he explains to ZDNet.fr, the idea of a RGPD Book Club came to answer a concrete problem: the need to comply with it. "At the time, I volunteered for an organization called Datakind, which, as an organization, was processing personal data, its members or ad hoc participants," says Cecconi. "Our budget was particularly limited and we could not afford the services of a lawyer. "So our solution was to bring together several volunteers to read the text and talk to each other," he continues. With three other Datakind volunteers, they decide to read the text to understand exactly what changes are needed to achieve compliance. "The initial project was an internal initiative within Datakind. But out of habit, I tend to design projects that can be opened. So I chose to explain the concept in a blog post, "says Cecconi.
If the idea can make you smile, it seeks to be part of a dynamic of reappropriation of the law by citizens, avoiding the passage through intermediaries sometimes questionable. And to take the opportunity to twist some of the myths around the text: "I think a lot of people have benefited from the GDPR and the worry it caused to sell their services. Too bad. The text is complex and requires a serious analysis, but if you approach it with the right frame of mind, it's quite understandable, "stresses Gianfranco Cecconi.
The RGPD, and beyond
Both groups can congratulate themselves on achieving their goals. Gianfranco Cecconi explains that his group managed to complete the reading of the text two months before the entry into force, which left the time to the members of the club to implement the necessary changes. On the Parisian side, Suzanne Vergnolle's group celebrated the success of the company by giving two conferences to present the approach in Passage en Seine and Toulouse, on the occasion of the THSF. The objective here was not directly to accompany the compliance, but rather to "touch people who would like to read the text, but in the end would not do it alone," says Suzanne Vergnolle.
It is hard to imagine the method to impose itself in the large companies of the CAC40, but it could give ideas to VSE / SME or small organizations often helpless to the new requirements of the text and difficult to afford the services of a specialized lawyer. "The text has its flaws and some promises have not been kept, but reading it really helps to realize that the obligations are not so new that it" recalls Suzanne Vergnolle. The RGPD takes over many obligations that already existed in the French law Informatique et Libertés.
Although the RGPD Book Club has officially completed the task it has set for itself, members are nevertheless considering extending the experiment on an ad hoc basis in order to comment on future court decisions clarifying the application of the regulation. And Suzanne Vergnolle discusses the possibility of creating a GDPR Fight Club, an association that would allow members to exercise the new rights set up by the RGPD. A simple idea in the air for now, but after all, the RGPD Book Club started like this.