In 2014, I warned about the French data protection authority ("CNIL") being a regulator to watch. One year down the road, CNIL has not failed to deliver. A few weeks ago, CNIL released its Annual Activity Report for 2014 revealing that in the past year it had conducted 421 inspections (including 58 online audits), issued 62 enforcement notices and pronounced 18 sanctions. As the current chair of the Article 29 Working Party, CNIL continues to play an active role on the European and international scene on topics such as the General Data Protection Regulation, the on-going discussions between the US and EU on Safe Harbor and the recent online sweeps organized by GPEN.
What are the CNIL's top priorities?
The CNIL intends to conduct 550 inspections divided between 350 on-site or off-site inspections and 200 online audits. Specifically, CNIL will prioritize its actions in the following key sectors:
- Ecommerce: following its guidance on the processing of bank card details, CNIL will now focus on contactless payment cards (i.e., bank cards that have an integrated chip and enable cardholders to make wireless payments via "near field communication" or "NFC" technology). In particular, CNIL will verify whether adequate security measures are designed around the use of such cards and whether the financial institutions that offer these types of cards inform their customers and enable them to object to using these cards (e.g., by deactivating the integrated chip or by ordering a traditional card that is not compatible with the "NFC" technology). CNIL is also preparing for the next evolution of entirely digitalized payments by smartphone.
- Employee privacy in the workplace: Employee privacy continues to be high on the CNIL's agenda due to the rising number of employees who file complaints with the CNIL each year. In particular, CNIL will inspect private and public organizations who have recently conducted surveys on social-psychological risks for employees.
- mHealth: Following the Article 29 Working Party's opinion on mobile apps and its letter to the European Commission on the meaning of "health data" in the context of mobile apps and devices (see our previous blog), CNIL will audit interconnected objects and online services in the area of health and well-being to verify (amongst other things) whether users are provided with notice and their consent is obtained.
- Public sector: With the French Parliament currently debating a new law to broaden the online investigation powers of the French law enforcement and national security agencies, CNIL will continue to monitor the compliance of public sector databases with the Data Protection Act. This time, CNIL will focus on the National Register for Drivers' Licenses ("Fichier National des Permis de Conduire") held by the Ministry of Interior, which centralises all the data about registered drivers, including fines and traffic felonies.
- Public Wi-Fi connections: Another growing area receiving particular attention is publicly available Wi-Fi hotspots (such as those available in department stores, train stations or airports), which capture data that is transmitted by a user's mobile phone (e.g., type of device, MAC address, location data) and that is being used more frequently to track users, to send them advertisements or offers, or to analyse their behaviour.
- Binding Corporate Rules: Last but not least, CNIL has announced its intention to begin enforcing against companies with BCR. Since their introduction in 2003, approximately 60 organizations have had their BCR approved, but so far, no enforcement measures have been taken against BCR. However, a few months ago, the lead DPAs across Europe started contacting organizations with a view to verifying and completing the information about their BCR that is posted on the European Commission's website, thus implying that this grace period is over. The things CNIL could verify are, for example, whether a BCR policy is easily accessible on the organization's website and whether companies have implemented the internal measures that are required for BCR compliance.
What are the CNIL's enforcement powers?
The CNIL can carry out four types of enforcement actions, namely:
- On-site control: the CNIL may access the buildings and premises used to process personal data, inspect the data processing applications and databases;
- Off-site control: the CNIL may organize a hearing in its offices and require the data controller or its data protection officer to provide explanations;
- Long distance control: the CNIL may communicate with the data controller by postal mail or email and, for example, may conduct routine surveys; and
- On-line inspections: CNIL may conduct on-line inspections of personal data that is available on websites or mobile apps.
What sanctions can the CNIL pronounce?
If the CNIL finds that a company has failed to comply with the Data Protection Act, it can either pronounce a warning or issue a formal notice to comply within a given deadline. If the controller fails to comply with the notice served, the CNIL may then pronounce a fine of up to EUR 150,000 (or EUR 300,000 in the event of a second breach within five years or 5% of the company's gross revenue for legal entities) or an injunction to cease the processing.
Are you prepared for a CNIL inspection?
In recent years, I have assisted many companies to comply with CNIL inspections. Too often, companies are caught by surprise when the CNIL comes knocking on their door unannounced because they haven't put in place any internal process for handling this kind of situation. As with any regulator, the dealings with the CNIL require a minimum amount of awareness and preparation.
While a CNIL inspection does not necessarily end with the CNIL pronouncing a fine or sanction against the company, it inevitably has a disruptive effect on the company being investigated because it reveals the flaws that this company may have with regard to privacy compliance. Therefore, companies are in a better position if they tackle privacy issues at an early stage, rather than leaving them for later and risking having to fire-fight their way through a CNIL inspection.
By Olivier Proust, Of Counsel (firstname.lastname@example.org)