On July 15, 2018, France defeated Croatia at the World Cup, earning a second star on its national soccer team jersey. A few weeks before that big event, another took place in Europe with the General Data Protection Regulation ("GDPR") entering into force on May 25, 2018 ("GDPR Day"). Now, four months after GDPR Day, on September 25, 2018, the CNIL, the French data protection authority, released some facts and figures on how GDPR has played out in France since GDPR Day and announced upcoming related initiatives.

Below, we provide a high-level summary of the CNIL findings.

How Has the GDPR Played Out in France Since GDPR Day?

As many other EU countries were, France was late in adapting its national laws to the GDPR. France's existing French Data Protection Act and its implementing decree were amended by a law and a decree dated, respectively, June 20 and August 3, 2018.

However, this delay apparently has not impacted the general public awareness of the new rights GDPR is bringing to the pitch. The CNIL reported the filing of 3,767 complaints since GDPR Day, 64 percent more than filed during the same period a year before.

Organizations are also scoring with 24,500 entities appointing 13,000 data protection officers. In addition, the CNIL reported an average of 7 personal data breach notifications per day, with 600 personal data breach notifications to the CNIL since GDPR Day that impacted approximately 15,000,000 data subjects. 

The CNIL is also reporting good sportsmanship among the member states, both formally (e.g., with 3 meetings held by the European Data Protection Board, a.k.a. "EDPB") and informally (with efficiency increasing in handling cases). The list of processing activities requiring a Data Protection Impact Assessment ("DPIA") has been submitted to the EDPB. (At its last meeting, on September 25-26, 2018, the EDPB reached an agreement on and adopted 22 opinions.) Details on the French list are expected soon.

What's France's Next Play?

To make it to the finals for the next World Cup, the French privacy squad is gearing up. Along with adopting new equipment (such as, by the end of this year, an ordinance to increase the readability of the regulatory framework), CNIL should be finalizing the certification criteria for data protection officers soon.

In addition, the CNIL is willing to step into an active position at the European level by, for example, leading the way in adopting guidelines on issues concerning "connected vehicles" and aiming to have the guidelines eventually debated at EU level and ultimately endorsed by the EDPB.

Finally, the CNIL has announced it will be publishing sector-specific codes of conduct (e.g., for medical research and cloud infrastructure) and dedicated factsheets.

The GDPR is a game played by 28 member states' data protection authorities (in front of many spectators); let's see who will taking home the trophy for privacy champion.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.