PARIS — Europe’s privacy rules are about to get very real.
According to the head of France’s data protection authority, the period of relative tolerance following the introduction of the General Data Protection Regulation (GDPR) is now over.
Going forward, any company that has yet to comply with the rules should expect tough scrutiny and, failing changes, the threat of financial penalties of up to 4 percent of their global annual turnover, warned Marie-Laure Denis, who leads France’s Commission Nationale de l’Informatique et des Libertés (CNIL).
“If the CNIL was relatively tolerant over the course of last year, a transition year, we consider that it’s now up to companies to be compliant in terms of data protection,” Denis said during an interview in Paris.
“So we will not hesitate to impose sanctions, carefully and in a proportionate manner,” she added.
A year after the rules were enforced across the European Union, the CNIL is the only European authority to have come down on a Silicon Valley company, hitting Google with a €50 million fine in January for violating the GDPR’s rules on consent gathering.
Ireland, the lead authority in Europe for Facebook, Google and Twitter, has yet to impose any fines despite 18 ongoing investigations into multinational firms. Differences in how to apply the rules have led to criticism that Ireland’s data regulator is too soft, while some tech industry players argued that France’s move against Google was motivated by political considerations.
Speaking in her Paris office overlooking the Ecole Militaire barracks on the Left Bank of the Seine, Denis — who took over from Isabelle Falque Pierrotin in February — pushed back hard against such criticism, and played down any differences with Ireland.
“There is no anti-GAFA approach at the CNIL,” she said. “At the same time, Google is a large digital company and as all very large digital companies they have obligations in terms of data protection, and in a way the bigger they are, the more obligations they have and the bigger the risks linked to their use of data.”
She added: “On Google, I’ve heard a bit of everything: It was too much or not enough. Maybe that means we’re in the right place.”
While Google — which, with Facebook, controls much of the global online ad market — has said it would appeal the CNIL fine, the company has yet to do so, she added. The search giant plans to submit its appeal before an end-of-May deadline, according to a person familiar with the proceedings.
Objections if needed
Over the next few months, European data protection authorities are expected to review a first wave of GDPR investigations into big U.S. tech companies, most of which are based in Ireland to take advantage of low corporation taxes, among other reasons.
Helen Dixon, the head of Ireland’s Data Protection Commission (DPC), told a U.S. Senate hearing in early May that her office would present conclusions of investigations into potential privacy violations toward mid-year, and that she had reason to believe that some U.S. companies had breached GDPR statutes. The DPC investigations include several targeting Facebook and its subsidiaries, as well as a probe into Google announced last week.
Denis said France was cooperating closely with the Irish regulator, particularly on investigations that had originated from French group complaints, and would review any suggested Irish sanction at the European Data Protection Board (EDPB).
(The Quadrature du Net, a French non-governmental organization focused on privacy, filed a grouped complaint last May against several digital giants including Facebook over the notion of “forced consent.”)
“There is a real cooperation [with the Irish],” she said.
But Denis — who attended the elite Ecole Nationale d’Administration and was previously at the Conseil d’Etat, the legal adviser to the executive branch — underscored that France, as warranted, could raise objections during a review at the EDPB, which supervises the EU privacy watchdogs.
“France is a concerned authority in several cases, and has a responsibility to follow through on the processing of those complaints,” she said. “That includes the possibility of raising objections if necessary, after an informal process of consultation.”
The implementation of the GDPR remains patchy across the EU, a year after its introduction. European Justice Commissioner Věra Jourová called out Greece, Portugal and Slovenia as countries that have yet to transpose the EU regulation into national law, a year after it came into force.
Denis acknowledged those differences and the slow pace of enforcement.
“You might say that the car is not going fast enough — but it’s moving, with a mechanism that is different from the one it had before, and we’re several parties behind the wheel. So while it’s no