Posts Tagged ‘Enforcement’

The EU “cookies sweep day” and national cookie audits

Posted on September 22nd, 2014 by

Cookies have recently become a hot topic again, following a press release by the French Data Protection Authority (CNIL) on July 11th, 2014, announcing an EU “cookies sweep day” and enforcement actions in France. Here’s an update on what has happened and what to expect.

1. EU Cookies Sweep Day: 15 – 19 September

When did the EU “cookies sweep day” take place?

From 15 to 19 September, the Article 29 Working Party (“WP29”) conducted a coordinated online audit of the main websites operating in Europe to verify compliance with the EU cookie requirements. The CNIL and other Data Protection Authorities (“DPAs”) spent a couple of days assessing the level of compliance on some of the most visited websites.

Did the “cookies sweep day” concern all websites?

No, the EU “cookies sweep day” only concerned websites that are targeting European consumers. Potentially any website (operated either within or outside the EU) that uses cookies or other tracking technologies to collect personal data from users in Europe may have been audited. Websites that do not provide services to European consumers, or that do not collect personal data via cookies from European users, were normally not concerned. According to the CNIL, the main sectors to have been audited were e-commerce platforms and media websites.

Where did the “cookies sweep day” take place?

The EU “cookies sweep day” was an initiative of the WP29, and any DPA could take part in it. Therefore, potentially any website available in the European Union may have been audited.

How many websites were audited?

The WP29 did not release any official number of websites that were audited. However, the CNIL announced that it had audited 100 websites.

What did the DPAs verify?

The EU “cookies sweep day” offered an opportunity for all DPAs to verify together whether websites comply with the EU cookie requirements (namely the notice and consent rules) and to produce a comparative review of their practices with regard to cookies. In particular, the DPAs verified the number and types of cookies used, the manner in which users are informed about the use of cookies, and the process for obtaining consent.

What is the outcome of the “cookies sweep day”?

The DPAs will share the results of their respective audits with a view to comparing these results among Member States and possibly harmonising their positions with regard to cookies compliance in Europe. Furthermore, it is likely the WP29 will release a public statement about the results of the “cookies sweep day” in the near future.

Is there a risk that non-compliant companies may be sanctioned?

The purpose of the EU “cookies sweep day” was not to conduct enforcement actions. However, the results of the audits may be used by each DPA to enforce compliance with the cookie provisions under national law. Some data protection authorities have already begun enforcing cookie rules in their respective jurisdictions (see our previous blog).

For more information about the EU Cookies Sweep Day, click here.


2. Cookie audits in France: October 2014

In its July 2014 press release, the CNIL also announced that it would audit websites in France to verify compliance with French cookie provisions. Last year, the CNIL issued guidance on how to comply with cookie requirements in France (published in December 2013) and the CNIL now expects companies to be compliant. This enforcement program will enable the CNIL to test its new on-line investigatory powers that came into force following a revision of the French Data Protection Act in March 2014 (see our previous blog). This is in line with the CNIL’s inspections plan published earlier this year, which announced at least 200 online inspections.

What will the CNIL verify?

The CNIL will focus its investigation on:

  • The types of cookies and other tracking technologies that are used (e.g., HTTP cookies, local shared objects (Flash cookies), fingerprinting, etc.)
  • The purposes of the cookies used and whether the owner of the website knows and understands the purposes of all the cookies (including third-party cookies) used on its website.

Furthermore, where prior consent is required, the CNIL will verify:

  • The method used to obtain consent from the user
  • The quality, accessibility and clarity of the information provided to users
  • The consequences of a user’s refusal of cookies. As an example, the CNIL refers to users of an e-commerce website whose only option is to refuse all cookies via the cookie settings of their web browser. As a result, such users may not be able to use the website at all.
  • The possibility to withdraw user consent at any time
  • The duration of cookies.

What are the risks for companies?

In France, the CNIL has the power to conduct on-site and on-line inspections that can be followed by administrative sanctions. In particular, the CNIL can issue a public warning or an enforcement notice asking the company to comply within a given period of time. If the company fails to comply with the terms of this notice, the CNIL may then initiate administrative proceedings which ultimately can lead to a fine or an obligation to cease the processing.

What should companies do in advance of this enforcement action?

Cookie compliance is still very much a hot topic in Europe, with different countries amending their laws and DPAs issuing guidance or conducting enforcement actions. Therefore, companies should not wait until they are being investigated to put their house in order. Some basic steps can be taken to make sure you comply with the cookie requirements:

  • Audit your websites to find out what types of cookies (or other tracking devices) you use
  • Analyse the purposes of the cookies
  • Assess the level of intrusiveness of cookies and verify which cookies require prior consent
  • Publish a clear, understandable and accessible cookie policy on your website
  • Implement an adequate cookie consent mechanism
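The first three steps above (inventory the cookies, work out their purposes, decide which ones need prior consent) start with knowing exactly which cookies a page sets, for how long, and by whom. The following Python script is an added illustration of that inventory step; it is not part of the original post and is not a CNIL tool. It takes the Set-Cookie headers captured while loading a page (the hostnames, cookie names and header values below are constructed for the example), records each cookie’s lifetime and whether it is first- or third-party relative to the audited site, and flags the persistent and third-party cookies whose purpose must then be reviewed. The registrable-domain helper is a deliberate simplification (last two labels); a real audit should use the Public Suffix List.

```python
"""Inventory the cookies a page sets, as the first step of a cookie audit.

Input: the Set-Cookie headers captured while loading a page (e.g. from a
browser's developer tools or a proxy). Output: one record per cookie with
its issuing host, party, lifetime and whether it needs a purpose review.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample capture: (host that sent the response, Set-Cookie value).
# Hostnames and cookie names are hypothetical, not taken from any real site.
CAPTURED_SET_COOKIE = [
    ("www.example-shop.fr", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("www.example-shop.fr", "basket=xyz; Max-Age=2592000; Path=/"),
    ("stats.example-shop.fr",
     "_visit=42; Domain=.example-shop.fr; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/"),
    ("ads.tracker.example",
     "uid=777; Domain=.tracker.example; Max-Age=63072000; Path=/; Secure"),
]

# Reference date used to turn an Expires attribute into a lifetime (constructed).
NOW = datetime(2014, 9, 22, tzinfo=timezone.utc)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Enough for the sample; use the Public
    Suffix List (e.g. the tldextract package) for a real audit."""
    labels = host.lstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def lifetime_days(attrs, now=NOW):
    """Lifetime in days, or None for a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 requires."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def audit_cookies(site_host, captured, now=NOW):
    """Classify every captured cookie relative to the audited site."""
    site_domain = registrable_domain(site_host)
    records = []
    for sender, header in captured:
        name, _, attrs = parse_set_cookie(header)
        # A Domain attribute widens the cookie to that domain; without it the
        # cookie is host-only for the responding host.
        cookie_domain = attrs.get("domain") or sender
        third_party = registrable_domain(cookie_domain) != site_domain
        days = lifetime_days(attrs, now)
        records.append({
            "name": name,
            "set_by": sender,
            "domain": cookie_domain.lstrip("."),
            "third_party": third_party,
            "lifetime_days": days,           # None => session cookie
            "persistent": days is not None,
            # Persistent or third-party cookies need a documented purpose and,
            # unless strictly necessary for the service, prior consent.
            "review": third_party or days is not None,
        })
    return records


if __name__ == "__main__":
    for r in audit_cookies("www.example-shop.fr", CAPTURED_SET_COOKIE):
        life = "session" if r["lifetime_days"] is None else f"{r['lifetime_days']:.0f} days"
        party = "third-party" if r["third_party"] else "first-party"
        flag = "REVIEW" if r["review"] else "ok"
        print(f"{r['name']:<12} {r['domain']:<22} {party:<12} {life:<10} {flag}")
```

Running it prints one line per cookie; in the sample only the session cookie passes without review, while the 30-day basket cookie, the year-plus statistics cookie and the two-year advertising cookie are flagged for a purpose and consent check.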

For more information on cookie audits in France, the CNIL’s press release is available (in French) here.

For more information about cookie consent requirements in Europe, click here.

CNIL: a regulator to watch in 2014

Posted on March 18th, 2014 by

Over the years, the number of on-site inspections by the French DPA (CNIL) has been on a constant rise. Based on the CNIL’s latest statistics (see CNIL’s 2013 Annual Activity Report), 458 on-site inspections were carried out in 2012, which represents a 19 percent increase compared with 2011. The number of complaints has also risen to 6,000 in 2012, most of which were in relation to telecom/Internet services, at 31 percent. In 2012, the CNIL served 43 formal notices asking data controllers to comply. In total, the CNIL pronounced 13 sanctions, eight of which were made public. In the majority of cases, the sanction pronounced was a simple warning (56 percent), while fines were pronounced in only 25 percent of the cases.

The beginning of 2014 was marked by a landmark decision of the CNIL. On January 3, 2014, the CNIL pronounced a record fine against Google of €150,000 ($204,000) on the grounds that the terms of use available on its website since March 1, 2012, allegedly did not comply with the French Data Protection Act. Google was also required to publish this sanction on its homepage within eight days of it being pronounced. Google appealed this decision; however, on February 7th, 2014, the State Council (“Conseil d’Etat”) rejected Google’s claim to suspend the publication order.

Several lessons can be learnt from the CNIL’s decision. First, that the CNIL is politically motivated to hit the Internet giants hard, especially those who claim that their activities do not fall within the remit of French law. No, says the CNIL. Your activities target French consumers, and thus you must comply with the French Data Protection Act even if you are based outside the EU. This debate has been going on for years and was recently discussed in Brussels within the EU Council of Ministers’ meeting in the context of the proposal for a Data Protection Regulation. As a result, Article 4 of Directive 95/46/EC could soon be amended to allow for a broader application of European data protection laws to data controllers located outside the EU.

Second, despite it being the highest sanction ever pronounced by the CNIL, this is hardly a dissuasive financial sanction against a global business with large revenues. Currently, the CNIL cannot pronounce sanctions above €150,000 or €300,000 ($410,000) in case of a second breach within five years from the first sanction pronounced, whereas some of its counterparts in other EU countries can pronounce much heavier sanctions; e.g., last December, the Spanish DPA pronounced a €900,000 ($1,230,000) fine against Google. This could soon change, however, in light of an announcement made by the French government that it intends to introduce this year a bill on “the protection of digital rights and freedoms,” which could significantly increase the CNIL’s enforcement powers.

Furthermore, it seems that the CNIL’s lobbying efforts within the French Parliament are finally beginning to pay off. A new law on consumer rights came into force on 17 March 2014, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections in addition to the existing on-site inspections. This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the activities of major Internet companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing.

Finally, the Google case is a good example of the EU DPAs’ recent efforts to conduct coordinated cross-border enforcement actions against multinational organizations. In the beginning of 2013, a working group was set up in Paris, led by the CNIL, for a simultaneous and coordinated enforcement action against Google in several EU countries. As a result, Google was inspected and sanctioned in multiple jurisdictions, including Spain and The Netherlands. Google is appealing these sanctions.

As the years pass by, the CNIL continues to grow and to become more resourceful. It is also more experienced and better organized. The CNIL is already very influential within the Article 29 Working Party, as recently illustrated by the Google case, and Isabelle Falque-Pierrotin, the chairwoman of the CNIL, was recently elected chair of the Article 29 Working Party. Thus, companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.

This article was first published in the IAPP’s Privacy Tracker on 27 February 2014 and was updated on 18th March 2014.

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by

The times when one could say that the UK ICO was a fluffy, toothless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity: by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings, and 2013 looks set to bring similar activity (in March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls: a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls).

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tell us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular) and the ICO refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and has explicitly identified (and published) the names of a number of companies with which it has either met to discuss compliance issues, or whose compliance it is actively monitoring for ‘concerns’ with a view to considering enforcement action. This is not only related to UK-based companies, but also to those based overseas who are targeting UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (far fewer than the number of concerns about unwanted marketing communications from individuals, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or that are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smart-phones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly on any business’s data protection compliance strategy.

CNIL unveils 2012 annual activity report

Posted on April 29th, 2013 by

On April 23rd, 2013, the French data protection authority (the “CNIL”) unveiled its 2012 Annual Activity Report (the “Report”). The CNIL’s Report gives an overview of the actions and initiatives undertaken in the past year, and is also a good indicator for what to expect in the coming year.

The CNIL has adopted a three-year strategic orientation program for the period 2012-2015. This action plan sets out three priorities, namely:

– To adopt a policy of openness and consultation towards stakeholders;
– To raise the level of awareness among data controllers (particularly companies) and to help them develop tools that allow them to implement the data protection principles; and
– To increase the level of compliance through a more targeted and efficient enforcement policy.

Focusing on the CNIL’s enforcement strategy, the summary below highlights some of the key points in the CNIL’s Report:

– Complaints: The number of complaints has risen to 6000 in 2012. 46% of complaints concerned the right to object to the data processing. The constant rise of complaints over the past years indicates that citizens are more and more aware of their data protection rights and are taking action more frequently. The telecoms/internet sector appears to have triggered most of the complaints (31%).

– Inspections: The CNIL conducted 458 on-site inspections in 2012, which represents a 19% increase compared to 2011. 285 of the inspections were carried out in the context of the Data Protection Act, while 173 inspections concerned the use of videosurveillance equipment. With regard to the Data Protection Act, 23% of the inspections were triggered by complaints and another 26% were initiated by events picked up in the news. This shows that the CNIL often takes action when a particular event or situation makes the headlines. 40% of the inspections are in line with the priorities set out by the CNIL in its annual inspection plan, which shows some consistency in how the CNIL operates within a particular sector or business activity.

– Sanctions: In 2012, the CNIL served 43 formal notices asking data controllers to comply. In most of the cases, the CNIL did not pronounce any sanction because the data controller had complied. In total, the CNIL pronounced 13 sanctions, eight of which were made public. The publicity of the sanction follows a recent amendment of the Data Protection Act, which authorizes the CNIL to publish the sanctions it pronounces. In the majority of cases, the sanction pronounced was a simple warning (56%), while fines were pronounced in only 25% of the cases. The CNIL pronounced only one injunction to cease the processing. The low number of fines can be explained by the fact that they do not have a very deterrent effect on companies in France (by law, the maximum fine for a first violation is EUR 150,000). On the contrary, a warning can cause serious reputational damage to the data controller, particularly when it is made public, which may explain why the CNIL has chosen to publish its sanctions in 60% of the cases.

– Videosurveillance: In 2012, the CNIL carried out over 170 inspections of videosurveillance systems. In this context, the CNIL received more than 300 complaints, 75% of which concerned the use of video cameras at the workplace. The CNIL notes a lack of clarity surrounding the current legal framework for videosurveillance measures, the insufficient or inexistent information of individuals, the inappropriate use of cameras, and insufficient security measures. In 2012, the CNIL published six practical guidebooks, explaining how to use video cameras in compliance with the law.

– Data breach notifications: Following the implementation of the revised ePrivacy directive into French law, the CNIL received the first notifications for data breaches in the telecoms sector. While the total number of notifications for 2012 remains fairly low, the CNIL expects to receive more notifications in the coming year.

It is also worth noting that the CNIL’s budget and manpower also increased in 2012. As the years pass by, the CNIL continues to grow and to become more resourceful. It is also more experienced and better organized. Thus, data controllers should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.

The CNIL’s 2012 Annual Activity Report is available (in French) at

Misdirected e-mails and miscreant employees beware: ICO flexes its enforcement muscle!

Posted on June 13th, 2011 by

Last week was a busy week in the world of UK data protection enforcement, with reports of not one, but two significant data protection enforcement acts by the Information Commissioner’s Office (“ICO“).

£120,000 Monetary Penalty Notice for Surrey County Council

First, there was the news that the ICO had imposed a fine of £120,000 on Surrey County Council for a serious breach of the Data Protection Act 1998 (“DPA”). The fine related to misdirected e-mails sent by Council staff on three separate occasions, with each e-mail resulting in confidential and sensitive personal information falling into the hands of unintended recipients. The most serious of the three incidents saw sensitive personal information about 241 individuals’ physical and mental health being inadvertently sent to various transportation companies, including taxi firms and coach and mini bus hire services. The other incidents concerned sensitive personal information being inadvertently circulated to newsletter registrants and to an incorrect group mailing list.

Following the fine, Information Commissioner Christopher Graham said: “Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”

s.55 prosecution against former T-Mobile employees

In a separate development, two former employees of T-Mobile were prosecuted and fined a total of £73,700 for having stolen and sold customer data from the company in 2008. The former employees, David Turley and Darren Hames, pleaded guilty to the section 55 DPA offence of unlawfully obtaining personal data. The prosecution was the culmination of a joint investigation by the ICO and T-Mobile into how customers’ names, addresses, telephone numbers and customer contract and end dates were being unlawfully supplied to third parties.

What this means

These reports highlight that the ICO’s data protection enforcement capabilities, having been criticised for so long by privacy commentators, are really beginning to ramp up.  Since the introduction of its fining powers in April 2010, the ICO has now issued no fewer than 6 fines (one every two months or so) with an aggregate total of £431,000, including two against private businesses.  The ICO has also demonstrated that it is not a ‘one trick pony’, showing that it will resort to criminal prosecutions (as in the case of the former T-Mobile employees) and other means of enforcement where these are warranted.

More tellingly, we are also starting to learn what makes the ICO tick. The subjects of the fines issued so far have included:

  • misdirected communications of sensitive personal information (on e-mail and by fax);
  • unencrypted laptop theft;
  • failure to exercise proper due diligence over data processors; and
  • unlawful publication of individuals’ sensitive personal information online.

The message for data controllers is clear – lead by example, don’t risk becoming the example!