Privacy & Information Security Law Blog

On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).

The Report provides an overview of the CNIL’s enforcement activities in 2019. In particular, the Report revealed that:

• The CNIL received 14,137 complaints in 2019, which represents a 27 percent increase in complaints compared with 2018 and a 79 percent increase in five years. The complaints mainly concern the following issues:
  • Publication of personal data on the internet, including on search engines, social networks, online media and directories (nearly one third of the complaints). In particular, the CNIL received 422 complaints following individuals’ requests to delist information from search results (“right to be forgotten” requests), which represents a 13 percent increase compared to the number of complaints in 2018. The situation was settled in 98 percent of the cases transmitted by the CNIL to search engines;
  • Direct marketing, non-profit and political marketing activities by telephone, post, email or text message (14.7 percent of complaints). Individuals mainly complained that they did not give consent and/or succeed in stopping unwanted marketing communications;
  • Employee monitoring activities (CCTV, geolocation, call recording, etc.) (10.7 percent of complaints);
  • Failure to comply with individuals’ requests to exercise their data protection rights (about 400 complaints in the employment context); and
  • Failure to protect personal data, e.g., because the data was available on the internet or disclosed to unauthorized third parties, the passwords were transmitted in clear text or were not sufficiently robust, etc.
• The CNIL received 2,287 data breach notifications in 2019. The vast majority of them were due to confidentiality breaches.
• 64,900 organizations have appointed a data protection officer (“DPO”), bringing the DPO total to 21,000 (as a single DPO may be appointed for several organizations), which represents a 31 percent increase compared to the number of DPO appointments notified to the CNIL in 2018.
• The CNIL carried out 300 inspections in 2019, including 169 on-site inspections (when the CNIL visits a company’s facilities and accesses anything that stores personal data); 53 online inspections; 45 document reviews (when the CNIL requires an entity to send documents or files upon written request); and 18 hearings (when the CNIL summons representatives of organizations to appear for questioning and provide other necessary information). In 41 percent of cases, the CNIL’s inspections were initiated following complaints or claims. The inspections revealed several poor practices such as excessive delays in meeting individuals’ requests to exercise their data protection rights, lack of an unsubscribing link in direct marketing emails and the fact that customers could not delete their online account on their own. Conversely, the inspections revealed best practices such as the development of template responses for customer service to handle the exercise of individuals’ data protection rights and the tracking of individuals’ requests to exercise those rights in a specific tool. On March 12, 2020, the CNIL released its annual inspection strategy for 2020.
• The CNIL served 42 formal notices to companies in 2019. Formal notices are not sanctions. If a company does not comply with the formal notice within the time limit imposed in the notice, the CNIL will impose a sanction. Overall, only eight sanctions were imposed by the CNIL’s Restricted Committee in 2019, including seven fines totaling €51,370,000 and five additional injunctions subject to a financial penalty. Those sanctions mainly were imposed for failure to protect personal data, to provide notice to individuals, to define and apply adequate data retention periods and, in one case, for failure to comply with the individuals’ right of access to their personal data under the EU General Data Protection Regulation.

The Report also outlines some of the actions that the CNIL will further undertake in 2020, including:

• Publication of the final version of the CNIL’s recommendations on how to get users’ consent for non-essential cookies (the “Recommendations”). This is part of the CNIL’s action plan for 2019-2020 on online targeted advertising, covering cookies and similar technologies. This action plan consists of the following main components:
  • The publication of new cookie Guidelines on July 18, 2019, which introduced two main novelties: (1) continuing to browse a site (or app) can no longer be considered valid consent for the use of non-essential cookies; and (2) website operators must be able to demonstrate they have obtained valid consent; and
  • The publication of the Recommendations. On January 14, 2020, the CNIL published draft Recommendations, which were open to public consultation. The final version of the Recommendations will be published shortly.
• The CNIL’s participation in future facial recognition experiments. From 2018, the CNIL has called for a discussion on facial recognition, with the intent to fully contribute to the discussion. On November 15, 2019, the CNIL released its main objectives regarding the subject, namely: (1) presenting facial recognition from a technical point of view and, in particular, the diversity of potential uses; (2) highlighting risks; (3) reminding public and private organizations of the rules applicable to facial recognition devices; and (4) specifying the role of the CNIL in future experiments with or deployments of facial recognition devices.
• The CNIL’s COVID-19 guidance and inspections of France’s mobile tracing app (StopCovid) and of the data files put in place by the French Government in the context of lifting containment measures.