The French Data Protection Authority (CNIL) has been actively providing lots of guidance to companies, both before and after the entry into force of the General Data Protection Regulation (GDPR). Below is a summary of the recent updates that were published on the CNIL's website on various issues relating to the GDPR.
- Consent: how to say "Yes"
2018 has been the "year of consent" for individuals. With the entry into force of the GDPR, individuals have been overwhelmed by countless consent requests sent by data controllers throughout the Web or via emails. These consent requests were meant to "refresh" the consent previously obtained under the 1995 Directive.
Yet, it is not that easy to obtain valid consent from individuals, as certain requirements have to be fulfilled. In the past few years, consent gave rise to a few enforcement decisions delivered by the CNIL against Google (in 2014), Meetic and Attractive World (in 2016) and Facebook (in 2017). Alongside these big fish, two advertising start-ups were subject to an order issued by the CNIL last July for processing personal data without having obtained valid consent. Furthermore, as explained in an earlier post, a few complaints have been filed with other Data Protection Authorities against Google, Instagram, WhatsApp and Facebook on the issue of "forced consent".
In light of this, the CNIL has published a notice on "consent" in which it re-emphasizes the conditions for obtaining valid consent, namely that consent must be:
- "Freely given": consent shall not be forced or influenced in any way. Furthermore, refusing a data processing should not entail negative consequences. In particular, when signing a contract, refusing a data processing that is not necessary to the performance of the contract should not lead to a refusal to perform the given contract.
- "Specific": consent should be granted for one processing operation corresponding to one single determined purpose.
- "Informed": four categories of information must be provided for consent to be informed, namely: the data controller's identity, the purposes of each processing, the categories of collected data and the existence of the right to withdraw consent. If applicable, individuals should also be made aware of any data transfer to third countries and/or the use of the data for automated decision-making. This list seems to be exhaustive.
- "Unambiguous": according to the CNIL, pre-ticked boxes, bundled consents or silence do not constitute valid consent.
- Access: access by who and to what?
As the number of individual requests to gain access to their personal data continues to increase under the GDPR, the CNIL has also published a note on the right of access explaining to companies some of the basic rules to respect when handling data access requests.
- A far-reaching right
When facing a subject access request, data controllers have to provide the data subject with a copy of the personal data undergoing processing. This right therefore covers all categories of personal data, whether collected online or offline, directly from the individuals or from other sources, and the copy must be provided free of charge.
- …but not an absolute right
The right of access cannot violate third party rights such as the right to protection of personal data of third parties, intellectual property rights or trade secrets. It entails that individuals may only exercise the right of access with respect to their own personal data, unless they were granted a proxy to exercise this right of access on behalf of another individual.
Companies must verify and authenticate data subjects before handing over a copy of their data, using "all reasonable measures". According to the CNIL, authentication may simply derive from a customer ID or from logging into a customer account. In case of reasonable doubt, companies may ask for a copy of the requester's identity card. This constitutes a change compared with the former requirements under the national data protection law prior to the GDPR, which imposed on companies an obligation to request a copy of an ID document.
An access request can also be denied where groundless or excessive (e.g. where multiple access requests have been sent by the same individual).
- A well-oiled internal process
Data controllers have to respond to access requests within one month of receipt. This short time period requires companies to have an effective and well-oiled internal process for handling data subject access requests, particularly to reach out to the right staff members in order to be able to locate the data concerned in time to respond within the legal deadline. Yet, in the event of a surge in access requests or due to their complexity, this time period can be extended up to three months provided the individuals are duly informed.
- Data security breach notifications
In mid-October, the CNIL published an initial assessment of data breaches since the entry into force of the GDPR. The assessment is very factual:
- Number of data breaches. From May 25 to early October, 742 data breaches were notified to the CNIL (around 6 per day), affecting in total around 33 million data subjects in France and elsewhere.
- Nature of the breach. 94% of notifications result from a breach of confidentiality. A confidentiality breach usually occurs alone, sometimes together with a breach of availability or integrity.
- Affected sectors. Most notifications originated from the hotel industry, technical sciences, the motor trade, the information and communication sector, and finance and insurance.
- The CNIL highlighted a best practice applicable to third-party service providers through the example of a company providing booking services to multiple hotels. That company suffered a data breach. It immediately informed the hotels concerned and provided them with guidance and support; it set up a hotline to help hotels notify the breach to the competent DPAs and circulated a template letter to inform affected data subjects.
- The causes. 65% of data breaches are due to external malicious acts while 15% are triggered by internal human mistakes.
- External causes: 57% of data breaches result from hacking via malware or phishing.
- Internal causes: 10% result from data sent to the wrong recipient. Lost or stolen equipment accounts for less than 10%. The same goes for involuntary publications of data.
- 20% of data breaches were not attributed to a particular cause.
- Notification process before the CNIL. The CNIL favours a supporting approach towards notifying parties so as to advise them on improving containment measures and on the necessity of informing data subjects.
- The CNIL used its injunction power to order data controllers to inform affected data subjects (as set out in art. 58(1)(e) of the GDPR) only once.
- Certification mechanisms
The French Data Protection Act, as amended by the law of 20 June 2018, gives the CNIL new powers in the field of data protection certification. Accordingly, at the end of September and following a public consultation, the CNIL issued two standards:
- A certification standard (« référentiel de certification ») that sets out the conditions for the admissibility of applications and the list of 17 skills and know-how required to be certified as a Data Protection Officer (e.g., knowing how to identify the legal basis of a processing, how to develop and implement staff training and awareness programmes, or how to establish procedures to receive and manage requests for the exercise of data subjects' rights).
- An accreditation standard (« référentiel d’agrément ») that sets out the criteria applicable to organisations that wish to be authorised by the CNIL to certify DPOs' competences on the basis of the certification standard.
In a mid-October publication, the CNIL summarizes the following key points:
- The French DPA outlines that nearly 200 contributions from DPOs or future DPOs, data controllers, subcontractors and certification bodies were received during the public consultation on the draft standards, which took place between the 23rd of May 2018 and the 22nd of June 2018.
- Regarding the certification of natural persons:
- The CNIL emphasizes that this is a voluntary mechanism, thus the certification is not required to perform the duties of a DPO. Nor is it a necessary prerequisite for being designated as DPO before the CNIL.
- Conversely, one need not be appointed as a DPO in order to apply for certification.
- The certification exam consists of a multiple-choice test of at least 100 questions. To be eligible for the written test, the candidate must have at least 2 years' professional experience in the field of data protection. The certification is valid for 3 years from the date of issuance. Its renewal is possible provided that the natural person takes a new written test.
- The CNIL insists that it will not itself issue DPO certifications, as this mission is left to the certifying bodies that must be approved by the CNIL.
- Regarding the accreditation of the certifying bodies:
- Pending the development of a specific accreditation programme for DPO certification with the COFRAC (i.e., the French Accreditation Committee), certification bodies applying for CNIL accreditation must be accredited by an accreditation body in accordance with the ISO/IEC 17024:2012 standard for personnel certification programmes in an existing field.
- Once accredited, the certification bodies must submit to the CNIL a bi-annual document encompassing exam statistics as well as the updated register of certified DPOs, and an annual activity report.
- The CNIL points out that its approval is only mandatory for organisations that wish to issue certifications on the basis of the certification standard developed by the CNIL. This means that any organisation can certify DPOs on the basis of its own certification standard (not approved by the CNIL), as is already the case today.
With special thanks to Sixtine Crouzet and Paola Heudebert for preparing this article.