GDPR 2 Years Later: Privacy Takes Center Stage

Data Privacy

In BigIDeas on the Go, Florence Raynal, Deputy Director and Head of the Department of European and International Affairs at France’s Commission Nationale de l’Informatique et des Libertés (CNIL), evaluates the state of data privacy two years after the General Data Protection Regulation (GDPR) came into effect.

Proven Success for Data Subjects — It’s All in the Numbers

“It’s a very important moment, this two-year anniversary,” says Raynal. “We think the GDPR is a success in many aspects.”

Raynal takes a clear stance on GDPR’s primary achievement. It’s “the people, the individuals. GDPR has really, concretely reinforced their rights because it truly puts the individual at the center of the digital regulation. We see this concretely every day, with the increase of complaints that we have from data subjects.”

She has figures to back it up. “We recorded approximately 14,000 complaints for 2019, so it’s an increase of almost 30 percent compared to 2018.” While a rise in complaints might sound like a bad thing, it reflects a wider public awareness. More individuals know that they have a right to their data—and where to go when companies violate that right.

According to Raynal, GDPR’s technological adaptability has a lot to do with its success. “We see it every day. We have projects coming from startups, from IT companies. We can see it right now with the Covid-19 crisis, where we have just worked on a new app for French people. The GDPR principles are fit for new technologies.”

A One-Stop-Shop System for Privacy

Improved communication across regulatory bodies in the EU was an early goal of GDPR, and it continues to be a benchmark for success.

The regulation aligns European interests and “provides the same powers, the same competencies among Europe for data protection authority,” says Raynal. She calls the increased communication, cooperation, and accountability across EU nations a “one-stop-shop system” for cases and actions that are under review.

“Before, it was not necessarily the case. We had some differences, divergence between authorities in Europe. So it’s important that now we have exactly the same level of competencies and of powers.”

Again, she brings it back to concrete figures. In 2019, “we had something around one thousand cases in our internal system of information that we share with all the data protection authorities, and approximately around 80 final decisions with respect to cross-border cases that we are sharing at the EU level.

“It’s a beginning,” Raynal admits. “We are in a learning curve, but it’s a very interesting collaboration…. On a daily basis, we are in contact with our counterparts in the EU, and we are working on concrete complaints.”

A “Dynamic” Influence — Data Privacy Legislation Goes Global

The GDPR set the stage for successful privacy regulations, effectively ensuring they would get attention elsewhere.

“GDPR is being used outside of the EU—not necessarily as a model; that might be a little too strong, but other governments are using the GDPR to draft their own legal regimes around privacy in their countries,” says Raynal.

GDPR’s international reach falls directly under Raynal purview at CNIL. “We have a lot of interaction with non-EU countries,” she says of her team, which facilitates meetings with foreign delegations. “We have more and more requests from countries outside of the EU to meet and understand what we are doing and how we are organized. They’re very interested in the CNIL structure and how we work.”

Organizations are also reconsidering their approach to GDPR — and privacy regulations in general. Raynal is seeing what was once irritation and dread mature into resourcefulness.

“We see more and more companies using the GDPR not only as a kind of mandatory obligation or something burdensome that needs to be done, but more as kind of element that is a value on the market, that can be a competitive advantage.”

Going forward, Raynal wants to continue to “open a dialogue in order to really adapt to what’s going on on the ground, and not just be in Babel Tower.

“We have been working a lot at the EU level at an international level, so I hope that in 10 year’s time, we will have a global instrument for data protection. Not only a European one, but a larger one where we will also tackle these kinds of issues that are very important for all citizens of the world.”

Listen to the full podcast to learn more about how Raynal sees data rights legislation evolving over the next decade.