Sergiu Gatlan* says new figures show Europe’s General Data Protection Regulation has seen more than 95,000 complaints lodged since it was introduced last year.
The European Commission says that Data Protection Authorities (DPAs) across Europe received 95,180 complaints regarding the mishandling of personal data and companies reported a record number of 41,502 data breaches since Europe’s General Data Protection Regulation (GDPR) was enacted on 25 May last year.
According to the GDPR provisions, organisations have the obligation to report data breaches to their national DPA in under 72 hours if the personal data of European citizens is unlawfully or accidentally disclosed.
National DPAs have initiated 255 investigations following the complaints lodged by both individuals and organisations.
It is important to mention that a couple of dozen GDPR investigations were also initiated outside the scope of the complaints advanced by individuals.
Moreover, the European Commission’s statistics show that the most common types of GDPR complaints were related to telemarketing, promotional emails and video surveillance/CCTV, which were found to violate multiple provisions.
The Commission’s statement said: “We are already beginning to see the positive effects of the new rules.”
“Citizens have become more conscious of the importance of data protection and of their rights.”
“And they are now exercising these rights, as national Data Protection Authorities see in their daily work.”
“They have by now received more than 95,000 complaints from citizens.”
As reported by Cisco in its Data Privacy Benchmark Study, organisations that closely follow the requirements of the GDPR experience benefits such as lower frequency of and effects from data breaches, as well as shorter downtime, fewer records being impacted by the attacks, and lower overall costs.
Furthermore, Cisco found that country GDPR-readiness was between 42 per cent and 76 per cent, with the European countries involved in the survey — France, Germany, Italy, Spain, and the UK — unsurprisingly scoring a lot higher on the scale compared with other countries.
As an example of the GDPR being used to protect the personal data and privacy of European citizens, France’s National Commission on Informatics and Liberties slapped Google with a €50 million (A$79 million) fine on 21 January for not obtaining user consent for processing data for ad personalisation purposes and for violating transparency and information obligations.
Google-owned YouTube is also the target of a GDPR complaint filed by the non-profit European Centre for Digital Rights (or NOYB) for “right to access” violations described in GDPR’s Article 15, with a possible maximum penalty that could reach €3.87 billion (A$6.1 billion) according to the NGO, with Amazon, Apple, DAZN, Spotify, SoundCloud, Flimmit, and Netflix also being targeted by related GDPR complaints.
Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian were also subject to GDPR complaints filed by user rights group Privacy International because they were collecting the data of millions of users to create user profiles.
* Sergiu Gatlan is a reporter for Bleeping Computer. He tweets at @serghei.
This article first appeared at www.bleepingcomputer.com/.
