The GDPR’s extra-territorial reach – Data Protection in Tunisia

GDPR is not an EU-only topic: it affects international companies outside Europe as well, as soon as there is any business relationship with an EU-based company. We interviewed Héla Ben Miled, Judge at the Tunisian Administrative Court of Justice and member of the UN Data Privacy Advisory Group, about data protection in Tunisia.

Héla Ben Miled will be speaking at European Data Protection Days in Berlin in May 2017. Get your ticket now to learn about the effect of GDPR for countries and businesses outside the EU.

Could you give us a short introduction to when data protection was implemented in the Tunisian constitution and what major developments it has undergone?

Héla Ben Miled: The data protection legal framework in Tunisia was implemented by:
- The new Tunisian constitution of 2014 which stipulates in article 24 that private life and personal data are protected. It is important to note that Tunisia highly regards data protection and privacy by making them a part of the national constitution.
- The law 2004-63 of 27th July 2004 relating to personal data protection established for the first time in Tunisia a specific legal privacy framework and set up a data protection body “l’Instance Nationale de Protection des Données à Caractère Personnel” which has begun to work efficiently since its inception in 2009.

Although the above-mentioned Personal Data Protection Act criminalizes the failure to comply with the obligations laid down for the processing of personal data, the choice of the Data Protection Authority was not in its infancy based on a repressive policy but on the contrary on pedagogical work, trying to disseminate a culture of data protection based on the commitment of the various stakeholders (the industry, the data subject, the controller and processor) whose aim is the efficient and harmonized application of the law.

In this regard, a dedicated telephone hotline has been explicitly devoted to the public and requests for information are made daily to the Data Protection Authority, both nationally and internationally.

As European Data Protection officers are focused on the implementation of the GDPR: Are there similar developments in Tunisia?

Héla Ben Miled: Given the fact that Tunisia has a long tradition of trading with Europe, each new European development has an impact on Tunisia’s economy. In addition, the GDPR has extra-territorial reach since it can be applied to organizations located outside the EU when they deal with personal data relating to people who are within the EU.

The Tunisian outsourcing organizations which process personal data on behalf of European controllers become directly concerned and must be ready to meet the May 2018 deadline, by implementing a privacy by design approach and conducting privacy impact assessments, putting into practice the right of data portability and data minimization, the procedures for detecting data breaches and dealing with valid consent and children’s data.

In my opinion, one of the most important consequences of the GDPR for Tunisian organizations will be the creation of the DPO function. Until now, there were compliance officers who played, amongst other tasks, the role of DPO. Dedicating a person to the respect and protection of data would certainly help to disseminate a new culture of data protection in Tunisia.

I think that the GDPR offers Tunisian companies a great opportunity to be transparent and to build a relationship with their customers based on trust. They don’t have to miss this important chance.

You see data protection as a tool to attract foreign investors. How do you plan to achieve this?

Héla Ben Miled: Compliance with the EU regulation, rather than being considered as a new burden, will constitute on the contrary a competitive advantage and a pledge of quality and trust. Foreign data controllers would prefer to work with processors which belong to the same culture of data protection. Everyone has to follow the same rules. To achieve this, firstly, Tunisian data protection law needs to be amended and updated according to European standards in order to ensure an adequate level of protection. In parallel with the law reform, which can take time, and before the GDPR enters into force, the organizations have to comply with it very quickly and put the adequate procedures in place in order to fulfill the new obligations of transparency (for example by conducting privacy impact assessments before implementing any project of data processing, drafting a Code of conduct or obtaining a certificate of compliance with the GDPR). How companies manage their data becomes a corporate issue.

It is sure that it is going to have financial implications but the return on investment would be even greater and would allow organizations to increase their market value and as a direct consequence to win new customers or retain the existing ones. At the country level, it will create new IT employment.

You are also a member of the UN Data Privacy Advisory Group. What are the current most important topics in this committee?

Héla Ben Miled:

  • Opportunities and challenges in Big Data for development and humanitarian action
  • Fragmentation of international data protection landscape
  • Data governance and responsible use of Big Data (consent, purpose, legitimacy, purposes, proportionality)
  • Conducting a risk-utility assessment tool
  • How to address the risk of re-identification and ensure data security
  • Challenges and opportunities of public-private data collaboration to facilitate humanitarian action