Overview of GDPR implementation and the advent of ePrivacy in Europe

GDPR may seem a bit heavy at the seams, but ePrivacy might complicate things even further. “You are certainly a little tired of hearing about GDPR,” announced Armand Heslot of the French data privacy watchdog (CNIL), at the opening of his keynote on GDPR at the Paris Data Marketing fair on November 20, 2018. That is largely true, but do not assume that all marketers have fully understood the new regulation. He said this just before delivering an overview of the implementation of GDPR. Since the European Data Privacy Regulation came into force in May 2018, a flurry of content has been poured onto professionals, the main effect of which has been to drive all of them potty. This keynote was instrumental in better understanding a situation which, however, is still not very clear, and many professionals feel rather awkward and unsure about the future. Rest assured, with ePrivacy everything will become even more complicated and hypothetical, Heslot warned.

Armand Heslot (right) presented a quantitative analysis of the implementation of the GDPR

The Paris Data Marketing Fair took place in November 2018 and was a must-attend event for professionals in our field of practice, for whom GDPR has been a thorn in the side for the past few months.

GDPR meeting in Cologne in June 2018: Warten und Sehen (Wait and See)

This reminded me of the eZSystems June 2018 convention.

GDPR had just come into force by then. The room was filled to the brim with marketers, most of them skeptical or even bewildered. Even our German and Danish colleagues were asking questions about the actual impact of the implementation of GDPR, as if it had never happened.

None of the speakers was able to give a satisfactory answer to the question about the true impact of that implementation, including the representative of one of the largest German publishing houses.

This assessment, which took place a few months later, was instrumental in improving our understanding of the implementation of this regulation and of the progress made in the field, over and above the ubiquitous and inevitable lip service.

The status of GDPR according to CNIL’s Armand Heslot

After a recap of the GDPR principles governing the use of data (minimisation of collected data, accuracy, limited retention periods and security, fairness and transparency of processing, respect for individuals’ rights including access to their data and, finally, portability), CNIL’s Armand Heslot gave us a quantified assessment of the implementation of GDPR in France.

Since it came into force in May 2018, 13,000 DPOs have been appointed, more than 600 data breaches have been notified to CNIL, telephone calls are up 45% and consumer complaints are up by more than 64%. Here are the statistics:

(source: CNIL)

  • 24,500 organizations (individuals or businesses) have appointed a Data Protection Officer, which represents 13,000 DPOs compared with 5,000 CNIL representatives before GDPR came into force

  • More than 600 notifications of data breaches have been received, involving nearly 15 million people – roughly 7 per day since May 25

  • A significant increase in contacts with the public, especially professionals: +45% calls in the first 7 months of 2018; +83% online FAQ consultation

  • 3 million visits to the CNIL site since May 2018

  • 150,000 downloads of the simplified registry model proposed by the CNIL

Those numbers show that there has been a clear impact of GDPR in France.

Having said that, one must bear in mind that 600 notifications out of 15 million people only represent a mere 0.004%.

Under French law, CNIL is allowed to reach out to companies and sanction them. Complaints are of paramount importance, and CNIL attends to them in due time.

CNIL’s view of the implementation of GDPR: “a little less severe” from now on

The transitional period of two years is now over. We sometimes hear one can be granted a reprieve, but Armand Heslot assured us that this isn’t true.

What is true is that “CNIL will be strict concerning the implementation of the GDPR regulation and a little less severe with regard to the new requirements.”

How will these sanctions be managed? For cross-border processing, intra-European coordination will certainly take a long time to get implemented, he said, “yet the fines will be extremely high.”

But the most interesting part is that the national commission allows companies to come to conformity with the laws, and it does not levy any “tax” on them if they somehow fail to comply. The CNIL assures us that its goal is not to make money.

The CNIL, its representative said, has issued formal notices to only four SDK software publishers, “but these SDKs make up 83% of all applications [that] require these location data,” he said. Bottom line, there is room for improvement.

However, the companies that have been given formal notice have not been sanctioned. The formal notice, Armand Heslot reminds us, is issued to let the company comply. The French watchdog does not keep the money from the sanctions (the fines are collected by the Inland Revenue) and has no wish to grow these numbers for the sake of raising funds.

The UK has established an independent authority, the ICO (Information Commissioner’s Office), to ensure that companies and individuals comply with data protection laws. The ICO has prepared a data protection self-assessment toolkit for organizations to help them comply with the data protection rules. It provides companies with checklists that allow them to handle people’s personal data securely. The ICO also provides a checklist for small business owners and sole traders.

What awaits us with the new ePrivacy law

GDPR has only just been implemented, and a new regulation is already in the making: ePrivacy. Although data privacy acts are said to be enforced in order to encourage business, there is very little evidence of that. They rather produce chaos, especially for small businesses.

Even if respect for users has always been at the heart of your concerns, as it has been of ours, it is undeniable that the increasing complexity spurred by such regulations poses a few questions.

In a way, I am under the impression that we are caught between two extremes: a total lack of ethics on the part of certain merchants and publishers (on which, by the way, GDPR has had very little impact so far) and a particularly rigid, complex and hair-raising legal framework.

Marketers are lost in the GDPR jungle

The premise is that marketers do not really understand GDPR, and they are not to be blamed for it. This is true, in particular with regards to “the consent that is perceived as mandatory by marketers, whereas in fact, it is not.”

The reality is more complex than what marketers believe. The question is: “for what purpose are you processing this data?”

Interestingly, organisations are not always obliged to ask for an individual’s consent in order to use his or her data. The ICO highlights six valid reasons for which companies can use people’s data without their consent.

I am afraid that at the end of the day, this regulation might prove rather counterproductive.

It is obvious that, since May 2018, a great number of marketers have ignored the regulation completely. There isn’t a marketing expert who does not feel helpless after looking at his or her e-mail inbox and realising how badly marketers are behaving: automatic subscription to unsolicited lists, dysfunctional subscription links, total disregard not only for opt-in but also for opt-out…

The list of bad practices is endless, not to mention those who scrape e-mail addresses from LinkedIn and send you messages which are more or less promotional.

They do have (the icing on the cake) an unsubscribe link at the end of a pseudo-personalised e-mail, pretending you have requested some information when you haven’t. Let us not even mention how such data is manipulated in the background.

Now, the final straw, as Heslot added, is that “e-Privacy will add complexity to the lot”. Oh my God!

In short, nothing has changed except that things have become even more complex.

In conclusion, I must confess that I am not completely convinced by the way these regulations are implemented in the field. Unfortunately, I am not competent enough to know why we have reached this situation, nor what should be done to enforce the law properly. That is not my area of expertise.

For me, regulations should be a backup for an uncompromising code of ethics. I’m afraid, however, that piling up additional uselessly convoluted regulations will not really improve things.

As I noticed in Cologne in June, professionals seem to be repeating the lessons they have learned here and there, a sort of catechism of GDPR and respect for data privacy, minutes before putting their blinkers on and continuing to work as before. Besides, the cost of compliance, fairly innocuous for a large company, is a far heavier burden for SMEs and Soho businesses.

The ICO has published a guide to help e-marketers with privacy and electronic communications regulations. I think it would make a good read for our confused marketers.

GDPR triggered data management improvement at large businesses

As a matter of fact, the members of this panel confirmed that, in large businesses, work has begun to improve the quality and the cleaning of data, as well as to determine how much data is actually useful for running the business.

It is good news, because 25% of databases are obsolete, according to one of the speakers, Sylvie Brunet, who rightly labelled as bad practice the habit of systematically storing frequently unnecessary amounts of data.

There is no question of discussing the usefulness of data privacy efforts. As far as I am concerned, it has been a no-brainer from the day I started working in this business.

However, there have been a few cases lately which showed how big companies can sometimes be negligent with regard to data protection rules, and how, consequently, they get penalised by the national watchdogs and regulators.

For example, Uber was fined more than 1 million dollars in the UK and the Netherlands for disregarding personal data protection rules. The personal details of around 2.7 million customers and 82,000 drivers in the UK were hacked, and no one was informed about it for more than a year. In the Netherlands, the personal data of 174,000 customers and drivers was leaked, and Uber did not inform them within 72 hours of discovering the incident.

But I think we will have to wait a long time before we know what the real impact of GDPR is. Only then will we be able to quantify whatever progress we have made. I hope that by then our mailboxes will be clean and rid of all the useless and despicable spam and other bad practices.

Unfortunately, I have my doubts. Until then, let’s wait and see how things go and keep a stiff upper lip.

Yann Gourvennec