Privacy & Information Security Law Blog

On June 17, 2010, the French data protection authority (the “CNIL”) published its Annual Activity Report for 2009 (the “Report”) in which it outlines some of its priorities for the upcoming year.

In February 2009, the CNIL published a report on online targeted advertising. Among other things, the CNIL voiced its concern regarding online behavioral and advertising activities and analyzed the risks of increasing user profiling.  In 2010, the CNIL is expected to issue a joint opinion with the Article 29 Working Party on targeted advertising and behavioral analysis.  The CNIL also will open a dialogue with several stakeholders from the marketing sector to work on adopting a code of best practices.

In addition, the Report highlights the following topics:

• In the context of international data transfers, the Report describes the increasing effectiveness of Binding Corporate Rules (“BCRs”) through the “mutual recognition” principle, adopted by nineteen data protection authorities (“DPAs”).  In 2009, the CNIL approved BCRs for three companies and is currently reviewing seven others.  In 2010, the CNIL expects to receive approximately ten BCR applications coordinated by other DPAs.
• When transferring personal data to the U.S. in the context of pre-trial discovery proceedings, it is important to comply with the Data Protection Act and other applicable French laws.  In 2009, the CNIL issued guidelines explaining to companies based in France how to comply with these rules.
• Faced with an increase in offshore activities, the CNIL recently simplified its approval procedure for transfers of personal data outside of the European Union.  Now the President or Vice President of the CNIL may approve basic international transfers, although transfers of sensitive data continue to require the approval of the full college of commissioners.
• The CNIL also conducted an analysis of developing outsourcing activities (particularly in the context of cloud computing) and participated in the preparation of an opinion regarding the concepts of “controller” and “processor” recently issued by the Article 29 Working Party.
• In light of a recent decision by the French Court of Cassation, which found that a company’s whistleblowing procedure, although approved by the CNIL, was illegal due to its unrestricted scope, the CNIL intends to conduct hearings in 2010 to consider  modifying its 2005 authorization process for whistleblowing procedures.
• In 2009, the CNIL received more than 4,265 complaints and 68,185 data processing registrations.  It also conducted 270 on-site inspections, which constitutes a 24 percent increase over 2008.  Recently, the CNIL released its 2010 inspections report which indicates that it plans to conduct at least 300 inspections over the course of 2010.

Read the CNIL’s full report (in French).
Read our coverage of the CNIL’s 2008 Activity Report.