The French Data Protection Authority unveils its 2014 targets for inspections

30 April 2014

In 2013, the French Data Protection Authority ("CNIL") carried out 414 inspections, close to 35 less than it carried out in 2012. In line with its programme for 2013, these included inspections of both the private and public sectors : over a quarter of inspections concerned CCTV systems, and the remaining were directly related to compliance with the French Data Protection Act.

In its annual programme for 2014, the CNIL has set an overall objective to carry out around 550 inspections (+33%). Of these inspections, around 350 are to be carried out on-site and around 200 will be online inspections (this new power of conducting remote investigations has been introduced following changes made to the French Data Protection Act in March 2014).

The CNIL's priority focus areas for inspections in 2014 are the following:

  • 25% of on-site inspections will relate to CCTV systems: As in 2012 and 2013, the CNIL will focus on CCTV compliance.
  • Online payment linked with the fight against fraud and the protection of banking details, as the CNIL frequently receives complaints in this area.
  • The methods used by public electronic communication services (e.g. ISP/telco providers) to deal with personal data breaches so as to analyse compliance with data breach obligations which came into force in 2011.
  • Online dating services, as players in this sector collect a large amount of personal data, including sensitive personal data (e.g. sexual orientations, religious belief). According to the CNIL, controlling this area will enable the authority to identify the players and practices in this sector. Third-party applications linked to these dating platforms will also be under scrutiny.
  • Reviewing Information Notice in the context of mobile activities: The CNIL aims to continue the work undertaken in 2013 in relation to international cooperation between data protection authorities, particularly through the second stage of Sweep Day, an operation which required around 20 data protection authorities to analyse the information notices of around 2,000 websites in 2013. This year, the theme of this operation will focus on mobile privacy.
  • Pan-European Cookie Compliance Audit: The CNIL will also participate in an international audit relating to cookies organised by the G29, the aim of which will be to create an overview of European practices and harmonise the positions of different data protection authorities.   
  • The methods used for processing payment and collection of income tax. A number of files in this area are particularly sensitive as they are linked to the fight against fraud, which is why it is necessary to analyse the methods used in this area.
  • The functioning of the National Register of Household Credit Repayment Incidents ("FICP"), as the primary ground for complaints filed in the banking sector are in relation to this database.
  • The automated national criminal register on perpetrators of sexual or violent offences ("FIJAIS"), created in 2004 and the aim of which is to aid the prevention of repeat offences for previously convicted perpetrators of sexual offences, their identification and location. The CNIL considers it necessary to audit this register as it contains sensitive national information.

The CNIL article (in French) can be found here. For more information on the above, please contact our French Data Protection Team.