
GDPR, 8 months in: ‘These issues can no longer be ignored’

From fines to data breaches to more than 95,000 complaints, privacy remains a top concern for consumers. But what are organizations doing about it?


Photo illustration: a wave of bits and bytes with EU stars, representing European Union data protection. One of the GDPR provisions obliges any business that suffers a data-security breach to report it within 72 hours or face a fine. (Shutterstock/mixmagic)

The new global benchmark for data privacy and transparency, the European Union’s General Data Protection Regulation (GDPR), was rolled out to great fanfare in May 2018. Eight months later, it is time to see how it is holding up, and how it compares with similar provisions in Canada, such as the recently amended Personal Information Protection and Electronic Documents Act.

The past eight months have been busy ones for European data protection authorities. In France, for example, between the end of May and the end of November 2018, the Commission nationale de l’informatique et des libertés (CNIL) received more than 1,200 breach notifications from organizations of all kinds, including 742 in a single four-month period, affecting 33 million people.

To recap, GDPR obliges any organization that suffers a personal-data breach to notify its supervisory authority within 72 hours of becoming aware of it (and to inform the affected individuals when the breach is likely to put them at high risk). The regulation’s top tier of penalties is 20 million euros or four per cent of worldwide annual turnover, whichever is higher; failing to notify a breach falls under the lower tier of 10 million euros or two per cent.

Many organizations have taken steps to protect themselves: 32,000 of them have appointed a data protection officer. But that is not enough, says PwC Switzerland, which notes that “most organisations are not (yet) fully compliant with GDPR.” The first fines have followed: 4,800 euros in Austria, 20,000 euros in Germany and 400,000 euros in Portugal. The biggest so far was in France: earlier this month, CNIL fined Google 50 million euros for failing to comply with its GDPR obligations. Late last week, the tech giant announced it would appeal the decision.

Patrick Boucher, the president of Gardien Virtuel, a Quebec firm specializing in data security, agrees: “We have clients who are very well informed about the law. Others who have never even heard of it. And, between the two, lots who found out about it at the last minute or who are unclear on its purpose and have not taken all the required measures.”

But it is never too late to get on board, especially since the European data protection authorities are also jointly processing cross-border complaints (345 to date), and enforcement reaches beyond Europe: AggregateIQ Data Services, a Canadian firm, became the first recipient of a GDPR enforcement notice, issued by the United Kingdom’s Information Commissioner’s Office.

People are also more concerned about the way their personal information is handled. Europe’s data protection regulators have received more than 95,000 complaints.

Not surprisingly, civil-society organizations such as La Quadrature du Net and NOYB have submitted a number of group complaints against digital giants, including Google, Amazon, Facebook and Apple. Likewise, consumer protection groups in seven European countries, coordinated by the European Consumer Organisation (BEUC), have filed complaints against Google, in part for pushing users to activate location tracking under the pretext of “improving the user experience.”

ONE-SIDED CONSENT

In the case of tech giants, the breaches are often massive.

At the Chaos Communication Congress, the Chaos Computer Club’s annual conference, held in December in Leipzig, Germany, Frederike Kaltheuner and Christopher Weatherhead of the NGO Privacy International shared the results of their study: of the 34 Android apps they examined (highly popular apps with between 10 and 500 million downloads), more than half sent data about the user to Facebook through the Facebook SDK the moment the app was opened, whether or not the user had a Facebook account.

Since GDPR came into effect, Facebook has added an SDK option that lets app developers delay data collection until users have clearly given their consent, but what happens to the data afterwards is still unclear. In May 2018, in response to the Cambridge Analytica scandal, Mark Zuckerberg announced a “Clear History” feature intended to give users more control over their browsing history. However, its rollout was postponed yet again in December.

In short, loss of confidentiality (the subject of 695 of the CNIL’s 742 breach notifications) is still the primary problem: too much information is visible to everyone or to unauthorized people. But Boucher is optimistic: “It’s not perfect, but the law has raised awareness about security issues among companies, particularly executives, who are often caught up in daily operations. They now know these issues can no longer be ignored.”

For more information about the cybersecurity issues related to the introduction of GDPR, see GDPR raises major cybersecurity concerns.