This overview outlines key features of GDPR implementation, in the light of the landmark decisions of the French and European Regulators over the past 5 years. Its purpose is to assist you planning your GDPR project with a risk based approach, aligned with the regulatory authorities’ expectations.
- Overview of the past 5 years GDPR enforcement
- Key statistics
- Recent landmark cases
- GDPR Key features
- Extraterritorial scope outside European Union & Data transfers
- Principles: Accountability, Privacy by design
- Actors : Controllers vs. Processors; DPOs
- Documentation: Record, DPA, DPIA
Conclusion: upcoming European regulations impacting data
Overview of the past 5 years GDPR enforcement
GDPR is a European Regulation, which came into effect in May 2018.
General Data Protection Regulation (GDPR) :
- carries penalties of up to the higher amount between € 20 M or 4% of the organization’s worldwide annual turnover
- applies to companies even with no presence in the EU
- covers personal data (directly or indirectly identifying a natural person) & all processings (any action on personal data)
- applicable without difference to any organization whatever the size, turnover, activity sector
The aggregate amount of sanctions issued from the 27 data protection across Europe and UK from 2018 to 2022 based on GDPR is € 2,5 Bn.
+50% is the 2022: year-on-year increase in aggregate reported GDPR fines of 50% vs 2021, whereas 109,000 data breaches were notified to regulators in 2022 (a decrease on the total of approximately 120,000 in 2021).
Grounds for sanctions & Top enforcement priorities in 2022
=> Ad-tech and Behavioral advertising
=> 50 % of sanctions issued by the French supervisor are related to a lack in security measures (art.32)
Frequent grounds for sanctions include excessive retention durations & lack of transparency
Sources: DLA Piper’s 2022 annual GDPR survey, CNIL statistics
GDPR Key statistics
The DPOs – Key figures for France are the following:
- 73.000 organisms had appointed a DPO in 2020.
- Profiles: 47 % have a background other than legal and tech: administrative and financial background, audit & compliance.
- 72 % internal DPO employee of one Controller
- 13,5 % shared internal DPO: employee shared for several Controllers
- 14,7 % external DPO in an independent structure (e.g. Attorney).
With these key statistics in mind, let’s examine some high-profile cases that have set significant precedents over the past 5 years
Overview of the past 5 years – High profile cases
Criteo case (june 2023)
Criteo – CNIL 15/06/2023 – fined €40 M
Through the one stop shop mechanism, Criteo was fined by the CNIL €40 M, representing 2% of the company’s worldwide turnover of € 2 Bn.
Criteo is an AdTech company specializing in ad-retargeting, tracking the browsing activity of users and offering personalized ads through cookies.
The CNIL found that it had failed to demonstrate that individuals provided their consent when cookies were placed on their devices.
The main grievances include:
> lack of control & contractual allocation of responsibilities between joint controllers
– failure to respect the right to withdraw consent
– lack of information & transparency obligations and failure to comply with the right of access
Credential stuffing case (january 2021)
CNIL 27/01/21 – controller fined €150,000 – processor fined €75,000
On the ground of GDPR article 32, The CNIL sanctions the failure to implement Technical and Organizational Measures that would have enabled avoiding the data breach
Paradigm shift: first time a processor’s liability is engaged under GDPR. However the controller’s liability is not relieved
2) GDPR Key features
GDPR Extraterritorial scope outside EU
GDPR applies to any organization that (art. 3)
🔸 Is established in the EU: regardless of whether the processing takes place in the EU or not
🔸Is not established in the EU, when
- it processes personal data of EU residents when offering them goods or services
- it monitors EU residents’ behavior
🔸 Accountability: Organizations are responsible for ensuring and demonstrating compliance with GDPR’s requirements for the processing of personal data & to implement internal mechanisms and procedures to demonstrate compliance with legislation
🔸 Privacy by design: methodology involving considering GDPR-related issues from the outset for any project involving the creation of products or services
🔸 Privacy by default: corollary of privacy by design – From the inception of the service or product, privacy protection is implemented and applied by default, without requiring any user intervention
GDPR Actors – DPO
(art 37) PRIVATE ORGANIZATIONS: controller or processor shall designate a DPO where their core activities:
a) involve regular and systematic monitoring of individuals on a large scale
=> large scale is an undefined concept. EDPB guidelines take into consideration (i) the number of individuals concerned (ii) the categories of data processed (their volume and/or nature) (iii) the duration of the processing (iv) the geographical extent
b) involve large-scale processing of sensitive data
=> Sensitive data (art. 9 GDPR) biometric & genetic data, data concerning health, sexual life, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning criminal convictions and offenses (art. 10 GDPR).
GDPR Actors: Controllers vs. Processors
🔸 Controller: organization which alone or jointly with others determines the purposes and the means of the processing
🔸 Joint Controllers: where 2 or more controllers jointly determine the purposes and means of processing
🔸 Processor: organization which processes data on behalf of a controller and under their its instructions
Accountability implies that specific documentation should be made available to the Regulator upon request.
They include record of processing activities and a GDPR Documentation.
Record of processing activities
When it comes to GDPR projects, businesses tend to focus on quick wins.
However it is important to keep in mind that the record of processing activities is the first and fundamental basis for your GDPR implementation project
(art 30) Controllers shall maintain a record of processing (personal data mapping):
- name and contact details of the controller, joint controller, controller’s representative & DPO
- purposes of the processing
- categories of data subjects & categories of personal data
- categories of recipients
- where applicable, transfers outside EU & documentation of suitable safeguards
- retention duration
- description of the technical and organizational security measures
GDPR Documentation – Data Protection Agreement
Art. 28: Between a Controller & its Processor it sets out
- subject-matter and duration of the processing
- the nature and purpose of the processing
- type of personal data and categories of data subjects
- the processor:
- processes the personal data only on documented instructions from the controller
- ensures that persons authorized to process the personal data have committed themselves to confidentiality
- takes all measures required pursuant to a 32
- Subject to approval to engage another processor
- makes available to the controller all information necessary to demonstrate compliance
Art 26: Between Joint Controllers
- determine their respective responsibilities
- applicable between entities of the same group or between two different companies
Where there is a data transfer: Standard Contractual Clauses (template of the European Commission June 4 2021)
GDPR Documentation – DPIA
(art.35) If a processing meets at least 2 of the following criteria, a Data Protection Impact Assessment (DPIA) must be conducted:
- involves the evaluation or scoring of personal aspects or the rating of the data subject, such as their work performance, health, preferences or interests, reliability or behavior, location, and movements
- involves automated decision-making with significant effects on the data subject, such as the loss of a right (credit refusal, denial of a promotion, denial of a position)
- involves systematic monitoring of individuals (e.g. video surveillance)
- involves the collection of sensitive data
- concerns « vulnerable » individuals (employees or minors)
- involves large-scale processing
- involves the matching or combining of datasets
- involves the use of innovative technology or the application of new technological solutions (connected devices, fingerprint recognition systems, facial recognition)
- prevents the data subject from exercising a right or benefiting from a service/contract
Conclusion: upcoming European regulations impacting data
Upcoming European regulations impacting data are gamechanger & landmark regulations:
🔸 Digital Services Package including Digital Services Act and Digital Markets Act passed in July 2022
🔸 AI Act: voted by European Parliament on June 14 2023, final version of the law expected to be passed later this year:
- bans biometric surveillance, emotion recognition, predictive policing AI systems
- introduces right to make complaints about AI systems
🔸 Data Act: draft issued by the European Commission in Feb. 22, proposal for regulation establishing a harmonized framework for industrial, non-personal data sharing in the EU
🔸 Data Governance Act : aims at public sector organizations (States, authorities) & data sharing service providers: including content-sharing platforms, social networks, cloud services
🔸 E-privacy regulation: EU Council’s draft regulation aiming at replacing the 2002 e-privacy Directive
Author : Florence Ivanier, Attorney, member of the Paris Bar, Data Protection Officer