The National IT and Liberties Commission (CNIL) has taken the initiative to quantify the amounts saved by deploying rules protecting personal data, in particular since the entry into force of the General Data Protection Regulation (GDPR) in May 2018.
Personal data is the information that identifies a person or makes them identifiable. Examples include a surname, a first name, a date of birth, a telephone number, a photograph, a social security number, a voice recording … It has been exactly seven years, since the entry into force in May 2018 of the General Data Protection Regulation (GDPR), that all European countries have standardized their rules in this area.
The regulation imposes requirements on the use, retention and sharing of these elements, which are so coveted for exploiting the users of digital services. In case of loss or theft of this data, fines can reach up to 4% of the global turnover of the entity deemed responsible.
To start, and it is not immediately quantifiable, we can appreciate the fact that all the organizations that compile information – information that concerns us directly, to the point of being able to identify us as individuals – grant it special protection. But to go beyond this feeling, the National IT and Liberties Commission (CNIL) has just conducted an economic analysis of the impact of the regulations that it is notably responsible for applying.
The analysis focuses on the problem of identity theft, because it is the most documented. This malicious practice can cause both financial damage – with misappropriation of payments or bank accounts – and moral damage – with harm to personal or professional reputation that is difficult to repair and that can drag on over time.
The CNIL distinguishes direct costs, linked directly to identity theft, from indirect costs, such as the reluctance of the victim, in the weeks following the identity theft, which leads her to reduce her online purchases, in effect penalizing e-commerce players. According to the estimate established by the Commission, the security provisions imposed by the GDPR would thus have made it possible to avoid up to 219 million euros in losses linked to the costs of identity theft in France, including 132 million euros for direct costs.
For the entire EU, the figure is up to 1.4 billion euros, including 988 million for direct costs alone.
This method of evaluation, which is based on university publications and public statistics, is interesting because it completes the way of approaching the regulations: they are considered not only from the angle of constraint, but also from that of the value they help create. It is as if we counted the lives that the mandatory deployment and use of seat belts had been able to save during a year.
We note that in addition to sectoral regulators, such as the CNIL in France on the subject of personal data, the market authorities are increasingly asking companies affected by cyberattacks to communicate on their financial impact.
This helps make harm that originates in the digital space very concrete.
Thus, at the end of May 2025, the British retail chain Marks & Spencer said that the hacking of its equipment, which occurred last April and paralyzed part of the online orders and payment terminals in its stores, had cost it 355 million euros. As a listed business, the group had to ensure this transparency through an official press release. Thus, in the wake of the crisis, it is necessary not only to measure the costs caused by the disaster but also to make them public. It becomes a full-fledged governance approach.
Users of digital services are increasingly aware that they have real rights in this virtual world. In February 2025, the League for Human Rights (LDH), followed last May by French lawyers, launched a group action against Apple with a dedicated website, which has already collected more than fifteen thousand complaints. The Apple voice assistant is criticized for having recorded the voices of thousands of users without their knowledge.