France records big jump in privacy complaints since GDPR

Another European data protection agency has reported a sharp rise in the numbers of complaints since the EU updated its privacy framework four months ago, when GDPR came into force, updating regional data protection rules and introducing much higher penalties for privacy violations.

France’s CNIL agency said today that it’s received 3,767 complaints since May 25, when GDPR came into force, up from 2,294 complaints over the same period last year — which it notes was already a record year.

CNIL says this represents a 64% increase in complaints, which it suggests shows that EU citizens have “seized the GDPR strongly” — attributing public engagement on the issue to media attention on the new regulation and on data protection stories such as the Facebook-Cambridge Analytica data misuse scandal.

It also reports receiving more than 600 data breach notifications, affecting a total of around 15 million people, since GDPR D-Day.

Last month data from the UK’s Information Commissioner’s Office also showed a big rise in privacy complaints since the new regulation came into force, with 6,281 filed between May 25 and July 3 — more than double the 2,417 complaints lodged during the same period a year earlier.

A report in The Irish Times at the end of July also indicated similar increases in Ireland. The Irish Data Protection Commission was reported to have received 1,184 data breach reports two months after GDPR — up significantly on the average of 230 reported each month in 2017. The DPC also logged 743 complaints in the first two months of GPDR, with the regulation reportedly applying in 267 cases.

As well as receiving record numbers of privacy complaints from individuals, CNIL notes that two organizations have filed complaints on behalf as consumers (a ‘collective redress‘ capacity introduced by GDPR, at least in EU countries where the national government chose to adopt it).

The two organizations filing complaints on consumers’ behalf in France are Max Schrems’ privacy NGO, noyb (which was one of the first out of the gate to file GDPR complaints over ‘forced consent’, including in France against Google); and the French digital rights group, La Quadrature du Net, which CNIL says has lodged complaints with it against Google, Amazon, Facebook, LinkedIn and Apple.

In its four month update since GDPR the regulator also notes that European data protection authorities are currently handling and co-operating to investigate more than 200 cross-border complaints.

“These complaints raise questions about consent in general, and in particular that of minors,” it notes.

It also says 24,500 organizations have appointed a data protection officer, since GDPR came into force and ushered in a general requirement for a DPO (at least in most cases).

More privacy-related developments look to be in the pipe too, as CNIL says it will be proposing some new regulatory tools — including a biometrics standard regulation, which it says has been in consultation since September 3. “It will set a demanding and protective environment,” it writes of that.

Standards for a certification for DPOs is also slated to be finalized during September.

And the regulator says it’s working on a number of codes of conduct — to cover specific tech areas, such as medical research and cloud infrastructure.