GDPR one year later: what lessons and what prospects?

Legal Watch – June 2019.

On May 25, 2018, the General Data Protection Regulation came into force.

This new text has brought about numerous changes in business practices, both in companies' internal organization and in their dealings with customers.

Although data protection has been enshrined in the legal framework since 1978 in France and 1995 at the European level, this Regulation has given new impetus to what is both a human right and an economic issue. The financial penalties provided for in the new text have played no small part in this.

What is the practical situation regarding compliance, the actions of the CNIL and its European counterparts?

In France, there has been a dramatic increase in complaints, security notifications, and requests for information to the CNIL. At the end of May, the supervisory authority published a statistical report on this first year, which reported more than 11,900 complaints (+30 %) and 2,044 data breach notifications. The CNIL is also continuing to investigate numerous cases, some of which are in cooperation with its European neighbors. It is thus involved in 800 transnational proceedings.

While supporting companies in their compliance efforts, the CNIL has also issued numerous sanctions. Let's take a closer look at a few of them:

  • The most spectacular sanction is undoubtedly the one imposed on Google, for a record amount of fifty million euros.
  • Two other, much more modest, sanctions nevertheless deserve particular interest, because they were brought before the Council of State, which examined their proportionality.
  • In one of the cases dated April 17, 2019, the Council of State upheld the €75,000 penalty: after a formal notice and several repeated requests from the CNIL, Adef (Association for the Development of Homes) had still not remedied a security flaw that allowed online access to housing applicants' documents. The time taken by the association to implement the required corrective measures was one of the determining factors for the Council of State.
  • In the second case, also dated April 17, 2019, the Council of State reduced the amount of the penalty imposed by the CNIL on Optical Center: the company had in fact corrected, within two days of the CNIL's notification, a security flaw that allowed access to customer invoices via its website. The penalty was reduced from 250,000 to 200,000 euros.
  • We will conclude this brief inventory with the most recent sanction of June 13, 2019, significant this time because it concerns a very small business: the Uniontrad Company had set up a video surveillance system which placed its employees under constant surveillance.

In this case, the CNIL had also alerted the company twice before formally ordering it to change its practices, without the required measures being taken by the end of the given deadline. On June 18, the CNIL issued an administrative fine of €20,000, taking into account the company's size and financial situation.

The conclusion drawn from these various cases is that both multinationals and smaller businesses or associations are likely to be subject to sanctions. Furthermore, all the decisions highlight the importance of the data controller's responsiveness when an infringement is discovered, and the impact this responsiveness has on the amount of any potential sanction.

What about our European neighbors?

All indicators show an increase in complaints and investigations by data protection authorities, as well as in the amount of sanctions.

There are just over 280,000 cases across all data protection authorities in the European Economic Area, including approximately 144,000 complaints and 89 security breaches. At the end of May, 371 data protection authorities were under investigation.

An initiative to list the various sanctions at European level, updated by a German consultancy firm, provides a global view of the actions of the supervisory authorities: https://www.enforcementtracker.com.

The highest penalties, besides the one adopted by the CNIL concerning Google, were imposed by Portugal, which imposed a €400,000 fine on a hospital for failing to protect patient data; by the CNIL, again, for €400,000 against a real estate agency; and by Spain regarding a smartphone application that secretly uses individuals' phone microphones. The Spanish professional football league was fined €250,000 for this violation, and has appealed this decision.

Towards coordination of public authorities beyond the GDPR?

A notable new development concerns the cooperation of public authorities with the aim of increasing their coherence and effectiveness. These initiatives particularly concern data protection authorities, those responsible for competition issues, and those responsible for consumer protection.

The discussions, initiated in 2016 by the European Data Protection Supervisor as part of the "digital clearing house" project, are now being orchestrated by the academic sector and are supported by a resolution of the European Parliament.

The project now brings together authorities from Europe as well as other continents. The synergies developed focus on the protection of individuals in the context of the digital economy and "big data." The meeting on June 5, 2019, brought together 25 supervisory authorities from the European Union and elsewhere. Two major issues were discussed, concerning Facebook and Microsoft. The authorities are also focusing their discussions on the development of services with non-monetary compensation. In other words, to what extent can we accept individuals paying with their data in exchange for a digital service?

Concrete guidance on this issue is expected in the autumn, following the next meeting of supervisory authorities. This could be a significant development in light of the challenges of the digital economy.

And also:

• In France: The CNIL is putting online a new version of its tool aimed at helping data controllers carry out their impact assessments (AIPD).

• In Europe: Towards a stricter interpretation of electronic prospecting rules? Several supervisory authorities have announced that they are reviewing their interpretation with regard to obtaining consent from data subjects and to cookies. These include Belgium, France, the United Kingdom, and the Netherlands. It should be noted that the European Data Protection Board had already explicitly ruled, in a May 2018 press release, against the use of "cookie walls," which make access to a website conditional on visitors' consent.

• Worldwide: In order to assess the need for a law regulating algorithms, the US Senate Commerce Committee examined, during a hearing on June 25, how companies such as Google, YouTube and Facebook use artificial intelligence to influence