On May 25th, 2018 came into force the General Data Protection Regulation (GDPR). The main purpose of this text was to redefine the rights of citizens and the obligations of companies in regards to personal data throughout the European Union.
AWARENESS AND INCREASE IN THE NUMBER OF COMPLAINTS
The entry into force of the GDPR has raised awareness of data protection issues among professionals and especially individuals. As proof, according to an IFOP survey conducted in April for the National Commission for Informatics and Liberties (NCIL), 70% of French people say they are more sensitive than in recent years to the protection of their personal data.
The NCIL explained that it received 11,077 complaints, an increase of 32%, directly attributable to the GDPR. This is due to the fact that this new legal framework has not gone unnoticed by the public – media coverage of the text and the growing importance of the issue of helping personal data.
These complaints relate to:
- the dissemination of data on the internet (373 requests for dereference, right now allocated by the GDPR.) It is for people to request the deletion of data concerning them on the internet (name, surname, contact details, comments, photographs, videos, accounts, etc.) These complaints reflect the difficulties faced by people to control their digital lives, including their online reputation: 35.7%;
- the marketing / trade sector: 21%;
- human resources: 16.5%;
- banking and credit: 8.9%;
- the health and social sector: 4.2%.
Moreover, it is not only in France that the number of complaints has increased. The same is true of our Irish counterpart, which received twice as many complaints (6,624) in the first year of application of the GDPR than for the whole of 2017.
AN EXEMPLARY FINE AGAINST A WEB GIANT
The associations La Quadrature du Net and None of your business have filed two complaints against Google. In fact, they criticized the company for not having a valid legal basis for processing personal data of the users of his services, in particular for personalizing advertisement. Following these two complaints, the NCIL first conducted, in September 2018, an online check to verify compliance with the GDPR and Google’s law and freedom of information for the processing of personal data. It analyzed a user’s journey and the documents they can access by creating a Google account when setting up their Android mobile device. The conclusion was without appeal, lack of :
- adequate information,
- explicit consent previously collected.
Following this observation, the NCIL decided to impose a record fine of 50 million euros. Other complaints have been filed against Facebook, Amazon and LinkedIn that have received no sanction to date.
SANCTIONS WHICH APPEAR TOO LIGHT
Despite the record fine, according to a study by the law firm DLA Piper, only 91 fines have been issued since the entry into force of the GDPR by the authorities of control of personal data. In all, it is a little less than 56 million euros in fines that have been inflicted since May 2018, including Google.
In the columns of Le Monde, the new president of the NCIL explained that one year after the entry into force of the GDPR, it was « the end of some form of tolerance« . At a conference a few days ago, his Irish counterpart promised, « for the coming months » the « results » of the numerous investigations conducted by his administration.
To conclude, we can say that the GDPR has triggered awareness within companies. Data is certainly an essential asset for them, but the trust of the users in digital is just as much. It can even become a competitive advantage. They have sometimes fallen behind in their new obligations but are catching-up in other ways. At least we hope so! It is important to note that 18,000 delegates have been appointed to ensure data protection. The NCIL will continue to support companies this year. It has also launched a MOOC to help people become familiar with the GDPR. This initiative is one of the many actions implemented by the NCIL.