One year after the implementation of the GDPR, are Europeans’ personal data better protected?

This post is also available in: frFrançais (French)

On 25 May 2018, the General Data Protection Regulation 2016/679 (GDPR) became applicable in all European Union countries, its purpose being to strengthen and unify the protection of personal data (see AEDH).
Just over a year after its entry into force, the European Commission issued a press release on 24 July 2019, based on a Eurobarometer survey of March 2019, welcoming the results of its application.
Implemented by all Member States (except Slovenia), the GDPR allows Europeans to know in principle which of their personal data are collected and used by companies that should therefore respect the privacy of customers or Internet users. The GDPR requires them to seek their consent (free, explicit, informed, and unambiguous) and grant them: the right to know what data is being used, for what purpose, for how long, and to object to it; the right to forget (i.e., dereferencing on the Internet); the right to access all their stored data; the right to retrieve that data; the right to challenge decisions using algorithms. They also have an obligation to inform them in the event of a data breach or leak.
Companies, whether using their “customers” data or simply recording their employees’ data, have had to “adapt” their practices, says the European Commission in its press release.
These obligations have generated heavy investments and an additional workload, sometimes difficult to bear for small and medium-sized enterprises (whose representatives had warned before the vote on the text about their future difficulties) and according to some surveys, only 20% of companies have finalised their compliance with the main principles of the DGPS, especially since this text has left many grey areas and unclear directives.
According to the Commission “Thanks to the GDPR, EU citizens are increasingly aware of data protection rules and their rights… ». The Eurobarometer survey published in May 2019 shows that a majority (67%) of the 27,000 Europeans surveyed have already heard of the GDPR, but only 36% know what it is for (with notable differences between countries: 90% of Swedes have heard of it compared to 44% of the French). Just over half (56%) of respondents using social networks have tried to change privacy settings (4% less than in 2015), 29% trust sites and 27% do not know how to do so, while six in ten say they read privacy policies online, but only about one in ten (13%) read them completely: they are too long! In fact, the most remarkable change for Internet users is the pop-up offering to accept or refuse cookies that access to each website will leave on the computer or other device used by the Internet user, accompanied by a proposal to read the long list of general conditions or legal notices of websites and contracts.
The study also reveals that 57% of respondents know that there is a data protection authority in their country, but only 20% know about it.
These are all arguments why the European Commission decided to launch a new campaign in the summer of 2019 to encourage Europeans to read privacy statements, optimise their privacy settings and learn about the role that Privacy Authorities can play in protecting their personal data.
Thus, their role in monitoring the compliance of companies’ practices and the sanctions they can impose on them for non-compliance with their obligations has been strengthened by the GDPR. The number of complaints or requests for information has risen sharply over the past year: more than 144 000 complaints and questions have been registered with national authorities and the Commission points out that more than 400 pan-European cases have been opened with the European Data Protection Committee (an institution which replaces the G29, created by the GDPR composed of all the presidents of national authorities and the European Data Protection Supervisor), companies often offering the same services in several European Union countries or operating in transnational processing.
Spectacular sanctions have been imposed by some Data Protection Authorities (the GDPR allows them to impose sanctions of up to 4% of a company’s annual turnover).

In France, in January 2019, Google was fined €50 million for failing to inform users, whose data it uses for advertising purposes; in the United Kingdom in July 2019, the hotel group Marriott and British Airways were fined €100 million and €200 million respectively for failing to protect the data of hundreds of thousands of customers stolen during hacking; in Germany it is a Knuddels Social Network site.of which was recently sanctioned up to €20,000 for data leaks; in Portugal it is a hospital that was sentenced to €400,000; in the Netherlands also a hospital was sentenced to a fine of €460,000 for not having sufficiently secured patients’ data.
The amounts of these sanctions are justified by the seriousness of the data security breaches, the absence of consent, the volume of data affected and the nature of the data, in particular sensitive data, or the lack of cooperation, negligence or bad faith of the convicted companies.
The Commission considers that data protection and privacy can nowadays be a competitive advantage for some companies, which is probably why several countries, in particular those in the EEA (Switzerland, Norway, Iceland and Liechtenstein) or third countries, have adopted protective legislation or are considering it in the near future.
Another consequence of the implementation of the GDPR is perhaps an encouragement to a European digital sovereignty that the AEDH calls for. Thus, at the beginning of August 2019, the Ministry of Justice and Security of the Netherlands published a report recommending that administrations and civil servants no longer use Microsoft Office suite applications for a simple reason: they do not comply with the GDPR.
After one year of implementation, the record of the GDPR seems rather mixed considering that only 20% of companies have complied, but at a time when cyber attacks, data theft, malware and ransomware are constant threats, and when, as the Commission rightly points out, “The protection of personal data is a fundamental right in the European Union”, It is to be welcomed that this text has been adopted after a few years of tough negotiations, but it is crucial to the credibility of the Commission (which will publish a review in 2020) that all companies finally comply, that all Data Protection Authorities have the means to fulfil their mission and that all European residents are informed and able to protect their data and their privacy. AEDH will remain vigilant on these issues.

Maryse Artiguelong

Translated with