Thanks to the Law of 7 October 2016 for a digital Republic2, the CNIL penalties have been increased so they can reach 3 million euros. The legal framework is gradually becoming more and more coercive. Now, with the General Data Protection Regulation, penalties can reach 10 to 20 million euros, or 2 to 4% of the worldwide turnover, depending on the category of offence.
According to you, which of the new consumers’ rights can be considered as the most essential advances ?
The European regulation gives control back to citizens concerning their personal data
Data portability is one of the most important novelties, as it allows citizens to recover the personal data they had given to a professional in a structured format, commonly used and machine-readable, to transfer it if they want to another professional3.
This right can be applied, for instance when a consumer wants to change operator or electricity supplier. The European regulation anticipates other major advances for consumers: the right to oblivion has been strengthened, just like the protection of minors. Furthermore, professionals are now obliged to respond to consumers’ demands within one month.
Do you think consumers have enough information about the use of their personal data ?
The Law for a digital Republic anticipates several provisions of the General Data Protection Regulation.Consequently, professional are already obliged to inform consumers about the length of their data retention.
The European regulation also allows professionals to provide some new information like the legal basis of the treatment or legitimate interests of the processing controller if need be. It is hoped that the new regulatory framework and the information campaigns of data protection authorities contribute to sensitizing consumers to their personal data management.
In case of non-respect of their rights, which resorts can consumers use ?
The first thing to do is to get in contact with the processing controller, the Data Protection Officer, if he has been designated within the concerned company.
Standard letters to report a failure, to exercise a right, to ask for something, etc. are online on the CNIL website. Consumers also have the possibility to make a complaint to the CNIL or to the public prosecutor.
Furthermore, consumers can join a consumer group in order to take part in collective actions. For the time being, it is still emerging. But there is a risk that it becomes commonplace in the coming years, all the more so that the law to modernise the economy of the 21st Century has already introduce the mechanism of group action concerning personal data5.
However, the European regulation should facilitate communication between the different actors. Mechanisms will be put in place by professionals in order to respond to consumers’ requests and guarantee a greater transparency in the treatment of their personal data.
In a fast-moving and complex regulatory context, the aim is to achieve a balance between legal provisions and professionals’ economic interests.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/CE (General Data Protection Regulation).
2 Law No 2016-1321 of October 7, 2016, for a Digital Republic.
3 This right will only concern the sites where the number of user accounts who logged in during the past six months do not exceed a threshold set by decree.
4 Article 32 of the Law of 6 January 1978 relating to data processing, files and liberties.
5 Law No 2016-1547 of November 18, 2016 on the modernization of the Justice in the 21st Century, articles and seq.