GDPR & CNIL: The new General Data Protection Regulation
The entry into force of the General Data Protection Regulation (GDPR) has profoundly changed the legal framework for companies responsible for data processing.
However, some professionals expressed significant reservations about the CNIL’s (French Data Protection Authority) ability to apply these new tools to companies’ activities, particularly regarding the possibility of formal audits. Indeed, the GDPR did not modify or increase the independent authority’s human and technological resources, thus limiting its means of action.
Nevertheless, published indicators demonstrate that professionals and individuals have embraced this new framework and that its implementation is effective in France and Europe. The CNIL specifies that since May 2018, it has received more than 600 data breach notifications, concerning approximately 15 million people – an average of seven per day.
CNIL: Internet users, the primary players in compliance
The CNIL’s strength in enforcement appears to lie particularly in the increased involvement of internet users in ensuring that companies offering online platforms and services comply with the GDPR. The CNIL’s Secretary General, Jean Lessi, announced a gradual increase in complaints and claims filed with the CNIL since May 25th.
Indeed, the Commission has recorded a sharp rise in complaints since the adoption of the General Data Protection Regulation – 7,350 complaints compared to 5,250 on the same date in 2017, representing a 41% increase.
As Mr. Lessi points out, the nature of the complaints has changed, “with an increase in those concerning users’ online lives [requests for data deletion, etc.], which now account for 38% of complaints registered so far in 2018, compared to only 27% in 2017.”
GDPR: Professionals more responsible regarding personal data
Another indicator of the GDPR’s increased strength is that the Commission has observed a greater sense of responsibility among companies which, instead of concealing potential security breaches in their data systems (including cyberattacks, hardware loss, or human error), prefer to inform the CNIL to avoid any subsequent penalties.
The CNIL received nearly 800 personal data breach notifications in five months. This figure, indicative of progress in corporate security culture, also reveals an increase in the number of incidents.
Among the factors encouraging this behavior is the independent authority’s more supportive approach towards companies that voluntarily come forward, seeking to promote support for repairing and securing information systems rather than applying a purely punitive policy.
Similarly, since the GDPR came into effect, all the sanctions imposed by the CNIL for personal data protection violations have continued to be publicized, and they affect organizations of all types and sizes. Recent examples include IDEF, Optical Center, the Alliance Française association in Paris, and the Force Ouvrière trade union.
Personal data: Media coverage of the GDPR is central to its effectiveness

Professionals explain internet users’ behavior by citing “the media spotlight on data protection,” which they claim has prompted citizens to be more vigilant about protecting their personal data.
The Cambridge Analytica scandal, which revealed the massive sharing of personal data from the Facebook platform with a political targeting company, is also cited.
With the debates surrounding the draft budget bill approaching, this situation would allow the CNIL to argue for an increase in the resources allocated to the authority. In April 2018, Isabelle Falque-Pierrotin, president of the CNIL, reiterated the need for a substantial increase in resources given its new obligations.