The GDPR: A look back at data protection in Europe

The GDPR was born to strengthen data protection as technology evolves in Europe. The increase in reports and fines reflects the difficulty companies have in remaining compliant.

The GDPR, or General Data Protection Regulation, was adopted in 2016 to strengthen existing data protection regulations in response to the technological developments of recent decades. The regulation aims to protect individuals’ privacy by regulating the collection, processing, and storage of personal data.

Since it came into force, the GDPR has had a significant impact on the way companies and institutions manage personal data. It has imposed strict obligations in terms of transparency, consent, security, and individuals’ rights over their data.

Fines imposed on companies for non-compliance with the GDPR have become a major concern. Since 2018, many companies have been fined for breaching it. The total amount of fines imposed in Europe has reached around €5 billion and continues to rise. This trend underscores the growing importance attached to data protection and the commitment of European authorities to enforcing the provisions of the GDPR.

Companies must remain vigilant and continue to invest in compliance with data protection regulations to avoid heavy financial penalties.

The consequences of non-compliance in a few figures

In 2022, only 42% of European companies were fully compliant with the GDPR, meaning that more than half of companies were not meeting the regulation’s requirements. The largest fine to date is the €1.2 billion imposed on Meta (formerly Facebook) in May 2023 for illegally collecting personal data from European users.

Nick Clegg, Meta’s head of public affairs, felt that this “unjustified and unnecessary” sanction “sets a dangerous precedent for the many companies that transfer data between the US and the EU”. He also announced that he would appeal the decision.

Other major fines include:

  • Google, €60 million in 2020 for violating transparency rules on the collection of personal data.
  • Mailchimp, €220 million in 2021 for illegally collecting and using personal data from European users.
  • Amazon, €746 million in 2022 for illegally collecting and using personal data from European users.

The breaches most frequently penalized by data protection authorities are: failure to respect the rights of data subjects (the rights to access, rectify, delete and transfer their personal data, and to object to its processing); a lack of transparency in how personal data is collected and used; and shortcomings in data security.

In the CNIL’s latest annual report, presented on Tuesday, May 23, 2023, we learn that “345 controls were carried out, 147 formal notices served and 21 sanctions adopted […] The organizations concerned by these measures are of all sizes, including digital giants, and fall within a wide variety of sectors. Since the RGPD came into force, CNIL’s repressive policy has not changed. The objective pursued is first and foremost to bring organizations into compliance.

In this respect, 94% of investigations carried out result in organizations being brought into compliance, without the CNIL resorting to sanctions. Even so, between 2018 and 2022, the total amount of sanctions handed down by the CNIL will total more than half a billion euros, a figure that reflects the weight of data exploitation in today’s business models.”

How can you prevent accidents and comply with regulations?

One of the main aims of the GDPR is to make it possible to track personal data accurately: where it is held and how it flows from one facility to another. The difficulty lies in the fact that outsourcing data to third-party companies is particularly common.

The Cloud is a more convenient option for sharing sensitive information. Employees can upload attachments to the Cloud and send recipients the link to access them. However, the Cloud is not an impenetrable fortress protecting all the information it contains; it is in fact a server managed by a third party who is responsible for ensuring its security.

The first important point is to choose service providers whose servers are located in Europe. Local authorities who need to keep their data on French customs territory should choose a server located in France, as should companies working with local authorities.

In response to the rise in cyber-attacks and the widespread use of Cloud services, ANSSI (the French National Agency for Information Security) has created a reference framework that enables companies and public authorities to choose reliable solutions when outsourcing their data. The SecNumCloud label aims to set a high level of security for Cloud service providers. The label is valid for 3 years and is subject to surveillance audits every 18 months, carried out by PASSI-qualified service providers.

SecNumCloud is built on a solid foundation and was inspired by the ISO 27001 standard. It covers more than 360 requirements across 14 security areas, including access control and identity management, human resources security, and information security incident management.