Happy birthday! In five years, the GDPR has silenced many skeptics


GDPR, four letters that have caused a lot of ink to flow. When the General Data Protection Regulation came into force on May 25, 2018, the doomsayers prophesied that Europe was shooting itself in the foot. By adopting a particularly restrictive set of rules, the Old Continent was imposing on its companies a brake on innovation and a competitive disadvantage compared to their American or Chinese competitors, who are less careful about respecting privacy.

Five years and a few scandals later, including that of Cambridge Analytica, the tide has turned. Software publishers, cloud service providers, digital platforms… all put forward their compliance with the GDPR as a marketing argument, an antidote to the American Cloud Act and its principle of extraterritoriality, which threatens personal data, including data hosted on European soil. The GDPR has also spawned imitators. On January 1, 2020, California adopted the California Consumer Privacy Act (CCPA).

“A solid and coherent regulatory framework”

A lawyer specializing in digital law, Alexandre Lazarègue looks back at the road travelled. According to him, the GDPR has established “a solid and coherent regulatory framework, guaranteeing clear rights and obligations for individuals and companies so that everyone maintains control of their personal data”.

The GDPR has thus strengthened citizens' confidence in the management of their personal data by offering increased control mechanisms through the rights of access, rectification, portability and erasure of data. By sparking a public debate on confidentiality issues, it also, according to the lawyer, “played a key role in raising public awareness of data protection”.

This mechanism goes hand in hand with increased responsibility on the part of those who process personal data. Companies and public bodies are required to put in place appropriate security measures, obtain explicit consent from data subjects for the processing of sensitive data, and notify data breaches as soon as possible.

Compliance is not an easy project to lead for SMEs, or even for mid-sized companies (ETIs). According to a recent OpinionWay survey for the firm Grant Thornton, 17% of French ETI managers say they are completely unaware of the outlines of the European regulation, five years after its implementation.

While 69% of business leaders judge their level of compliance to be quite good, 27% say they are unaware of the risks involved. Among the difficulties encountered, they cite the complexity of assessing the compliance of subcontractors (37%), monitoring the non-compliance of supplier and customer contracts (20%) and carrying out impact assessments (19%).

DSA, DMA, Data Act, AI Act

For Alexandre Lazarègue, there is no question of relaxing these efforts. “Companies must continue to invest in strong compliance programs and educate their employees about the importance of data protection. Vigilance must be maintained all the more as other threats are looming with the rapid development of artificial intelligence or the Internet of Things (IoT).”

Many European texts have since supplemented the law on personal data, such as the Digital Services Act (DSA) on social networks, the Digital Markets Act (DMA) on competition rules for the GAFA, and the future Data Act on the data of connected objects, pending the AI Act on the governance of artificial intelligence algorithms.

Despite this regulatory arsenal, the GAFA are struggling to discipline themselves and scrupulously respect the GDPR, despite numerous decisions imposing severe fines. “What is a fine of 1.2 billion euros worth to Meta when the American group posted 116.6 billion dollars in revenue in 2022?” asks the lawyer.

Alexandre Lazarègue draws a parallel with the opening of the telecoms sector to competition. Some incumbent players preferred to resist compliance with the new rules and expose themselves to legal convictions in order to maintain market share. Faced with digital giants that are slow to self-discipline, it is therefore necessary, according to him, to strike at the wallet and fully apply the financial sanctions provided for by the GDPR, i.e. up to 2% or 4% of global turnover.

In his eyes, “Access to the European market for around 500 million educated consumers with good purchasing power, fond of these new uses, is a target of choice”. It requires an entry ticket in terms of privacy that regulators must enforce.

Half a billion euros in fines since 2018

The French regulator, the Cnil, has just published its activity report for the 2022 financial year. The Commission reports that, for the first time since the GDPR entered into application, it handled more complaints than it received: 13,160 complaints handled against 12,193 complaints received. This is the result of two years of effort and of the opening of a portal that lets users follow their file, simplifying and securing exchanges with the Cnil.

In 2022, enforcement activity increased, with 21 sanctions and 147 formal notices for a cumulative amount of fines exceeding 100 million euros. The organizations affected include companies of all sizes, including digital giants (Google, Meta, Microsoft, TikTok).

Since the entry into force of the GDPR, the total amount of penalties imposed exceeds half a billion euros. The simplified procedure, which targets “files not presenting any particular legal or technical difficulty”, will allow the Cnil to become more responsive. The penalty incurred under this simplified procedure is capped at 20,000 euros.

Finally, the supervisory authority has organised itself to carry out foresight work and anticipate technologies or new uses that may have significant impacts on privacy, through its Digital Innovation Laboratory (Linc). Last January, it set up a new service dedicated to AI. It should be in high demand in the months and years to come.
