In the current context, what is the CNIL's control strategy for 2020?

By Ariane Mole, Merav Griguer, Alexandre Euverte

03-2020

On March 12, the French Data Protection Authority (CNIL) published its inspection strategy for 2020.

The publication of the CNIL’s annual control program is always an important element that the companies should take into consideration to be prepared for it. While the CNIL's on-site inspections will necessarily be postponed in the immediate future due to COVID-19, this program covers the entire year, and also concerns its other inspection methods, which are carried out online, on the basis of documents or by mail. The CNIL indicates on its website that it carries out thousands of investigations each year.

Whatever its method, an audit may follow a complaint (customers, employees, Internet users, association, trade union, etc.), a topic revealed in the news, a data breach, or be part of the CNIL's annual program.

The CNIL strong positioning in 2020

The control strategy for 2019 was characterized by the authority’s will to put an end to the post-GDPR transition period, the CNIL considering that the companies now had sufficient time to complete their compliance program with the new regulation.

Therefore, the CNIL's punitive actions intensified in 2019, which will continue in 2020, with a strong focus on the matters identified in the CNIL’s annual plan. The CNIL is the most repressive data protection authority in the European Union, with a total amount of €51.1 million in administrative fines imposed since the GDPR came into force (the German authority comes in second place with approximately €24.6 million in fines).

3 themes in 2020 that target the everyday life of the French people

For 2020, the French authority declared that it will concentrate about 20% of its action on 3 main areas:

Security of health data,
New uses of geolocation data,
Cookies and other tracking devices.

In 2019, the subject matters of the CNIL’s program were data subjects’ rights, children’s personal data, and the allocation of responsibilities between data controllers and data processors.

This year, the CNIL intends to target specific categories of personal data processing. Health data processing are considered "risky" processing, since health data is treated as sensitive data and must be subject to special precautions and measures. The CNIL argues that "Recent current events regarding health (telemedicine, connected health devices, personal data breach within public institutions ...) shows the attention that must be paid to the security of health data processing".

Processing involving geolocation data and cookies use large volumes of data; the CNIL considers such processing to be particularly intrusive in the everyday life of the French people.

In all respects, the CNIL wishes to address the privacy issues and concerns raised by these new uses now affecting all aspects of everyday life and impacting the relation to health, mobility and online services.

The 2020 program is in line with the CNIL’s previous initiatives

The CNIL has already addressed the processing of geolocation data in the Ad Tech sector over the last few years. This year, the authority will also monitor local and mobility services that use geolocation (optimisation of travel routes, exchange platforms for example or other services). The authority states that it will in particular monitor the proportionality of the data collected, the data retention periods, the information provided to the data subjects and security measures.

Professionals will have to pay particular attention to cookies and other tracking devices. Indeed, without waiting for the adoption of the future e-Privacy Regulation, the CNIL adopted new guidelines in July 2019 and published, in January 2020, a draft recommendation submitted for public consultation, which should be once and for all adopted in the coming weeks. Following a 6-month adjustment period from the final publication of the recommendation, CNIL's inspections and punitive actions will follow. This is the transitional period previously announced by the CNIL to allow the players concerned to bring themselves into compliance.

However, it should be noted that the CNIL has already initiated several investigations on major online advertising companies, encouraging them to acknowledge the new draft recommendation and to help online users to keep control over their personal data. The CNIL has also already launched other inspections since the beginning of the year on the themes of its inspection program for 2020.

In the current context, on-site inspections will most likely be postponed at the end of the sanitary crisis that France is going through or at least after the containment measures announced by the French government on 16 March 2020. Nevertheless, the CNIL agents remain in operation, remotely, which means that the other types of inspections could be implemented (or even replace certain inspections initially planned on the spot).