On July 15, 2018, France defeated Croatia at the World Cup, earning a second star on its national soccer team jersey. A few weeks before that big event, another took place in Europe with the General Data Protection Regulation ("GDPR") entering into force on May 25, 2018 ("GDPR Day"). Now, four months after GDPR Day, on September 25, 2018, the CNIL, the French data protection authority, released some facts and figures on how GDPR has played out in France since GDPR Day and announced upcoming related initiatives.

Below, we provide a high-level summary of the CNIL findings.

How Has the GDPR Played Out in France Since GDPR Day?

As many other EU countries were, France was late in adapting its national laws to the GDPR. France’s existing French Data Protection Act and its implementing decree were amended by a law and a decree dated, respectively, June 20 and August 3, 2018.

However, this delay apparently has not impacted the general public awareness of the new rights GDPR is bringing to the pitch. The CNIL reported the filing of 3,767 complaints since GDPR Day, 64 percent more than filed during the same period a year before.

Organizations are also scoring with 24,500 entities appointing 13,000 data protection officers. In addition, the CNIL reported an average of 7 personal data breach notifications per day, with 600 personal data breach notifications to the CNIL since GDPR Day that impacted approximately 15,000,000 data subjects. 

The CNIL is also reporting good sportsmanship among the member states, both formally (e.g., with 3 meetings held by the European Data Protection Board, a.k.a. "EDPB") and informally (with efficiency increasing in handling cases). The list of processing activities requiring a Data Protection Impact Assessment ("DPIA") has been submitted to the EDPB. (At its last meeting, on September 25-26, 2018, the EDPB reached an agreement on and adopted 22 opinions.) Details on the French list are expected soon.

What’s France’s Next Play?

To make it to the finals for the next World Cup, the French privacy squad is gearing up. Along with adopting new equipment (such as, by the end of this year, an ordinance to increase the readability of the regulatory framework), CNIL should be finalizing the certification criteria for data protection officers soon.

In addition, the CNIL is willing to step into an active position at the European level by, for example, leading the way in adopting guidelines on issues concerning "connected vehicles" and aiming to have the guidelines eventually debated at EU level and ultimately endorsed by the EDPB.

Finally, the CNIL has announced it will be publishing sector-specific codes of conduct (e.g., for medical research and cloud infrastructure) and dedicated factsheets.

The GDPR is a game played by 28 member states’ data protection authorities (in front of many spectators); let's see who will taking home the trophy for privacy champion.