This article was co-authored by Paola Heudebert, legal trainee at Fieldfisher, and Olivier Proust, Partner in the Privacy, Security & Information Law department at Fieldfisher.
On April 15, 2019, the French Data Protection Authority (the "CNIL") released its 2018 Annual Report (hereinafter the "Report"). The key practical insights of this Report are summarized in this article.
- 2018: from theory to practice
2018 was an exceptional year marked by the entry into force of the GDPR. The CNIL considers that 2018 marked a new era of awareness of data protection issues among professionals and individuals. As rightly stated by Jean Lessi, the CNIL's general secretary, this realization is "all the more important because, in addition to the novelty effect of the GDPR, there is also an undeniable 'spotlight' effect on pre-existing obligations and rights".
- A record number of complaints
The new legal framework has been widely publicized. Six months after its implementation, 66% of the French population stated they were more concerned about the processing of their personal data, according to an IFOP survey conducted for the CNIL. As a result, in 2018, the CNIL received more than 11,000 data subject complaints, an increase of 32% compared to 2017. 9,000 of these complaints were considered "complex", meaning that the CNIL had to either contact the controller directly in writing or conduct on-site inspections to enquire about the conditions under which the data processing was carried out. In other words, 80% of the individual complaints resulted in the CNIL's involvement. This shows once more the importance of taking data subject requests seriously and answering them in a timely manner (the CNIL being allowed to intervene within one month of the controller's denial or absence of response).
The Report interestingly highlights the sectors that are most subject to complaints.
- 35.7% of the complaints concern the IT and telecom industry, making the erasure of data accessible online the primary concern of data subjects. The CNIL also acknowledges the growing concern over data used in smartphone apps;
- 21% of complaints concern the sales/marketing sector, especially direct marketing by text messages and emails without obtaining the prior consent of the data subjects, or the retention of consumers' bank details;
- 16.5% of complaints are employment-related, including the use of CCTV and other monitoring practices at the workplace, which are under the CNIL's strict scrutiny;
- 8.9% of complaints pertain to the banking and credit sector, especially the listing of individuals in the French National Database on Household Credit Repayment Incidents and the various difficulties experienced by data subjects in effectively exercising their right of access;
- 4.2% of complaints are related to the health and social sector, and more precisely to issues relating to accessing personal medical records.
It is also worth noting the growing interest of data subjects in exercising their right to data portability, in particular in the banking sector or in relation to online services.
Lastly, 20% of the complaints involved cross-border processing activities and required EU cooperation with other supervisory authorities.
- Advisory and consultation powers
In 2018, the CNIL sought to provide professionals with guidelines and documentation, taking into account the need for legal certainty in a context of increased sanctions and the demand for greater simplification for smaller businesses. The French DPA was especially prolific and produced a plethora of guidelines and articles on a wide variety of topics, ranging from template records of processing activities to clarifications on key concepts such as consent or profiling, and guidelines on the privacy challenges of blockchain technology or artificial intelligence.
The CNIL also released 120 legal opinions, including on the amended French Data Protection Act or its implementation decree and on a number of other legal instruments.
- Supervision and enforcement
In 2018, the CNIL also flexed its GDPR muscles. It is however important to underline that most enforcement measures were still taken under the old Data Protection Directive and the corresponding version of the French Data Protection Act.
Regarding its investigating powers, the CNIL conducted 204 on-site inspections (including 20 on-site inspections of CCTV devices); 51 online inspections; 51 controls on a document production basis, and 4 hearings.
As regards its corrective powers, the CNIL sent 49 cease-and-desist letters (13 of which were made public), specifically targeting the insurance sector (5 decisions) and the targeted advertising sector (4 decisions). The Report acknowledges that in the vast majority of cases, the mere intervention of the CNIL resulted in the organization's compliance. Indeed, of the 310 controls carried out, only 11 sanctions were adopted by the Restricted Committee, including 10 financial penalties (9 of which were made public), one non-public warning and one dismissal.
The majority of the financial penalties imposed in 2018 concerned security incidents (7 out of 10), in particular personal data breaches, which underlines more than ever the need to evaluate the risks inherent in the processing and to implement measures to mitigate those risks. Several big players were sanctioned, including Uber, Bouygues Télécom, Dailymotion and Optical Centre. As acknowledged in the Report: "it is not the incident as such that the CNIL sanctioned, but the deficiencies and inadequacies in the security measures of which this incident was only a symptom".
- What to expect in 2019?
In 2019, the CNIL's actions will focus on three priorities:
- Successfully implementing the GDPR for individuals and professionals;
- Developing its legal, technical and ethical expertise capacity on a range of subjects such as cloud computing and virtual assistance;
- Maintaining its leading role at the European and international level. The CNIL is currently lead supervisory authority in 40 on-going investigations and is involved in 609 other cases.
The CNIL will also follow its annual inspections program, which represents one-fourth of its prospective investigations. The French DPA aims to focus its controls on the practical exercise of data subject rights and on cross-sector issues such as the allocation of responsibility between controllers and processors, or children's privacy.