The EU’s General Data Protection Regulation, four months on
On May 25, 2018, the General Data Protection Regulation (GDPR), a new law regulating the collection and use of the personal data of European citizens, came into force in all 28 EU member states.
Compared to the previously applicable text (the 1995 Data Protection Directive), this new regulation further strengthens the protection of European citizens’ personal data, while harmonising protection across the EU. The GDPR officially grants the right to data erasure (a light version of the “right to be forgotten”) while introducing new rights including that of data portability, which obliges data holders to transmit relevant data in a structured format to a new supplier, at the specific request of a citizen. The regulation strengthens existing rights such as the right to explicit and positive consent on the part of the citizen from whom an organisation seeks to collect personal data. Finally, the text reinforces the principle of accountability with respect to all parties responsible for data processing.
Organisations dealing with data have been at action stations for months or even years, depending on how strategic the data is for the market concerned. But, four months after it came into effect, how has it impacted European, more specifically French, citizens? How is this new text perceived? Are they even aware that the new legislation has come into force? Do they feel better protected than previously? Have they changed their habits regarding inappropriate use and protection of their data?
Limited awareness, limited changes
To find out, we surveyed French students from a major French business school (Audencia Business School in Nantes). More than 300 students, aged between 17 and 29, of whom 58% were women, agreed to answer our questions. There were three major observations:
- Awareness of the existence of the GDPR remains limited, with only 50% of the 312 respondents stating they had already heard of the text. To overcome any limits due to the declarative nature of responses, we then asked respondents to tell us what GDPR stands for. 150 respondents (just under half of our sample) agreed to do this. Among these, 14% finally said they did not know; 20% were able to give a rough outline of the meaning; 13% gave a close approximation, and 52% gave the exact meaning of the acronym.
- Despite the somewhat less than perfect awareness of the text, it is generally perceived as a good solution to control the way our data is used. 63% think that the GDPR will be implemented quite well by companies. 58% go further in believing that this type of regulation should change the way companies and their sites collect and use data in the future. However, 42% of them remain, on the contrary, sceptical about the efficiency of the text…
This lack of control is all the more surprising since these same individuals state that they feel largely under-informed about how organisations collect and use their personal data. 80% consider they receive insufficient information when companies collect data about them. One-third of respondents even say they do not know whether they approve of the use that companies make of their data, while 46% say that they do not really approve of it (32%) or even actually disapprove of it (14%).
Impact of the Facebook scandal
A few months after the emergence of the Facebook–Cambridge Analytica scandal, in which the social platform was accused of allowing access to millions of accounts, we also sought to evaluate the impact this may have had on user practices. Only 23% of respondents indicate they have since changed the way they use the platform. The changes mainly consist of modifying privacy settings (28%), limiting the amount of personal information provided (21%), posting less intimate and sensitive information (15%), a general reduction of activity on the network (11%), sharing fewer photos (9%), writing fewer messages (6%) and finally, less use of “Facebook Connect” (a tool which allows Facebook users to log on to third-party websites via their Facebook account) (4%). Only 3 of the 312 respondents indicate that they have since uninstalled the application.
Generally, we find here a phenomenon known as the “privacy paradox”, which describes what is often a wide discrepancy between people’s attitudes toward data itself (generally a strong concern about what digital players know about them and how their data is used) and actions that may be taken to restrict this exploitation (often limited or almost non-existent).
To conclude this survey, we asked the young people what additional measures would improve data protection:
- 20% call for greater information, communication and even education on this theme.
- 17% advocate an even stricter legal solution with heavier penalties.
- 12% believe that more choice and control should be given to citizens, something already provided by the GDPR, probably showing a lack of awareness of the rights that the text confers to them.
- 10% consider there should be independent bodies charged with auditing companies and monitoring the proper application of the text, although this role in France has been entrusted to the National Commission for Information Technology and Liberties (CNIL) since 1978.
- 8% think that citizens themselves should be more empowered.
- 7% believe that companies should have greater accountability in this area, an idea that is effectively contained in the GDPR.
To sum up, our respondents call for rights that the new text has in fact anticipated and included. It remains to be seen whether companies play ball or if they just do the bare minimum in terms of applying the legislation. Young people seem to be quite optimistic on this issue – let’s hope they will be proved right.