An Overview of GDPR implementation in France and insights regarding forthcoming ePrivacy in Europe

“You are certainly a little tired of hearing about the GDPR,” announced Armand Heslot of the French national data privacy commission (CNIL), during the opening of his keynote on GDPR at the Paris Data Marketing Exhibition on November 20, 2018. It is pretty much true, but that does not mean everything about it has been conveyed. He said these words just before giving us an overview of the implementation of the said rules. Since the European Data Privacy Regulation came into force in May 2018, a flurry of content has been poured on professionals, leaving them dizzy. The Paris Data Marketing keynote was very useful in this regard for taking stock of this new law, though its conclusion was not very clear and the remedy it offered for professionals' malaise was not completely convincing. Rest assured, with ePrivacy, everything will become even more complicated and hypothetical.

GDPR and ePrivacy
Armand Heslot (right) presented a quantitative analysis of the implementation of the GDPR

Organized on November 20th, the Paris Data Marketing Fair was a must-attend event for professionals in our domain of work. It gave us an opportunity to present our views on a subject that has been getting on the nerves of many marketers in recent months: the famous GDPR.

The GDPR in Cologne in June 2018: Warten und Sehen Wir (Wait and See)

This reminded me of another conference that I attended and spoke at in the framework of the eZ Systems 2018 convention, under the auspices of a German association in Cologne in June this year. The GDPR had only just come into force then. The room was filled with sceptical and lost marketers, including some from Germany and even Denmark, who asked us questions about the actual implementation of the GDPR. None of the participants was able to give a satisfactory answer, including the representative of one of the largest German publishing houses. It is therefore interesting to revisit this subject a few months later and look at the implementation of this famous regulation, to see whether we have made any progress in the field beyond the speeches.

Presentation of the CNIL by Armand Heslot

After recapitulating the principles of the GDPR (purpose limitation on the use of data, minimization of collected data, accuracy, limits on the duration of data retention, security, fairness and transparency of processing, respect for people's rights including access to their data, and finally portability), CNIL's Armand Heslot gave us a quantified assessment of the implementation of the GDPR.
Since it came into force in May 2018, 13,000 DPOs have been appointed, more than 600 data breaches have been notified to the CNIL, 45% more telephone calls have been registered and over 64% more complaints have been filed by consumers. Here are the statistics:
(source: CNIL)

  • 24,500 organizations (individuals or businesses) have appointed a Data Protection Officer; this represents 13,000 DPOs, against 5,000 CNIL representatives before the GDPR came into force

  • More than 600 notifications of data breaches have been received, involving nearly 15 million people – roughly 7 per day since May 25

  • A significant increase in contacts with the public, especially professionals: +45% calls in the first 7 months of 2018; +83% online FAQ consultation

  • 3 million visits to the CNIL site since May 2018

  • 150,000 downloads of the simplified registry model proposed by the CNIL

The numbers demonstrate that there has been an impact. At the same time, 600 notifications for 15 million people affected represent a proportion of 0.004%, which is far below what marketers observe in the field. It should be noted that the CNIL has provided us with some clarifications:
The law allows the CNIL to inspect companies and punish them. Armand Heslot reminded us that this is a power the CNIL holds. Complaints are of paramount importance, and the CNIL attends to them in due time. He called this “enforcement”.

CNIL’s view of the implementation of GDPR: “a little laxer on the new requirements”

The transitional period of two years is now over. We sometimes hear about a grace period during which the CNIL won't penalize companies that violate the new regulation, but Armand Heslot tells us that this is not true.
What is true is that “the CNIL will be strict concerning the implementation of the directive before the GDPR and a little laxer on the new requirements”, in his words. How will these sanctions be managed? For cross-border processing, intra-European coordination will certainly take a long time to put in place, he says, “but the fines will be extremely high”.
But the most interesting part is that the national commission allows companies to bring themselves into conformity with the law, and it does not levy any “tax” on them if they somehow fail to comply. The CNIL assures us that its goal is not to make money.
The CNIL, as explained by its representative, has served formal notice on four companies publishing geolocation SDKs, “but 83% of applications request this geolocation data”, he tells us, so there is still room for improvement.
However, the companies that were served with a formal notice have not been penalized. Armand Heslot mentions that the formal notice is sent to them to ensure that they comply. The CNIL does not keep any money from the sanctions (it is the public treasury that collects these fines) and has no objective to “make a profit”.
The UK has established an independent authority, the ICO (Information Commissioner's Office), to ensure that companies and individuals comply with the data protection laws. The ICO has prepared a data protection self-assessment toolkit to help organizations comply with the data protection rules. It provides companies with checklists that allow them to handle people's personal data securely. The ICO also provides a checklist for small business owners and sole traders.

What awaits us with the new ePrivacy law

We have barely digested the GDPR (we will come back to it) when a second law arrives: the ePrivacy Regulation. One could say that the law confronts businesses with something they readily admit: uncertainty does not really favour growth; rather, it generates chaos, especially for small businesses.
Although, as I have always maintained, respect for users has always been at the centre of our concerns, it is undeniable that the complexity of the field raises some questions. We will see more in the following chapter.
In a way, one has the impression that there is a persistent gap between a lack of professional ethics (deontology) among some businesses/publishers (which has not diminished much on the ground since May 2018) and a particularly rigid and complex legal framework.

Marketers are lost in the GDPR jungle

The premise is that marketers do not really understand the GDPR, and they are not to be blamed for it. This is true in particular with regard to “the consent that is perceived as mandatory by marketers, while in fact, it is not”.
“The reality is more complex than what marketers believe. The question is what is the basis of processing and what rights are exercised with personal data…”
Interestingly, organisations are not always obliged to ask for an individual’s consent for using his data. The ICO highlights six valid reasons for which companies can use people’s data without their consent.
I am afraid that in the end, the result of the regulation is rather counterproductive. It is obvious that, since May 2018, a great number of marketers have ignored the regulation completely. I do not know a marketing expert who does not feel helpless after looking at his e-mail inbox and finding dreadful practices: automatic subscription to unsolicited lists, inoperative unsubscription, total disregard not only of the opt-in but also of the opt-out… The list of bad practices would be unending, not to mention those who scrape e-mail addresses from LinkedIn and send you messages which are more or less promotional.
They do have (icing on the cake again) a link to unsubscribe at the end of a personalized pseudo-email addressing you, as if you had asked for something. Let's draw a discreet veil over the back-office uses of data. In short, nothing has changed except complexity. To add to my bewilderment, Armand mentioned that “e-Privacy will add complexity to the lot”. Oh my God!
In conclusion, I must confess that I am not completely convinced by the way these regulations are implemented in the field. Unfortunately, I know neither why we are here nor what should be done to enforce the law properly. This is not part of my remit. As far as I am concerned, the regulation essentially sends professionals a reminder of ethical rules that are very useful and unavoidable. I am afraid, however, that the constant piling up of esoteric rules is no real improvement.
As I noticed in Cologne last June, professionals seem to be on autopilot, repeating what they had heard about the GDPR and respect for private data, while bowing their heads and working unabated. The cost of compliance, though mild enough for a large company, is far from negligible for small and especially very small businesses.
The ICO has published a guide to help e-marketers with privacy and electronic communications regulations. I think it would make a good read for our confused marketers!

GDPR triggered data management improvement at large businesses

As a matter of fact, the members of this panel have confirmed that, in large businesses, work has begun to improve the quality of data and to clean it up, all the more so for the data that is actually useful to the business. It is good news, because 25% of databases are obsolete, according to Sylvie Brunet, who rightfully criticises the bad practice of systematically and frequently storing unnecessary data. Moreover, there is no question of disputing the usefulness of protecting users' data. As far as I am concerned, it has been a no-brainer from my first day working in this business.
However, there have been a few cases lately which showed how big companies can sometimes be negligent with regard to the data protection rules, and consequently get penalised by the national authorities. For example, Uber was fined more than 1 million euros in the UK and the Netherlands for disregarding personal data protection rules. The personal details of around 2.7 million customers and 82,000 drivers in the UK were hacked, and they were not informed about it for more than a year. In the Netherlands, the personal data of 174,000 customers and drivers was leaked, and Uber did not inform them within 72 hours of discovering the fraud.
But I think we will have to wait a long time before we know what the real impact of GDPR is. We will then be able to quantify whatever progress we have made. I hope that by then our mailboxes will be clean and we have got rid of all the useless and reprehensible spam, and I am not mentioning other bad practices. Unfortunately, I doubt it a little. But till then, let’s “wait and see”.

Yann Gourvennec