CNIL Releases 2019 Annual Activity Report
Wednesday, June 10, 2020
French Data Protection Authority Data Privacy 2019 Report
Print Mail Download i

On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).

The Report provides an overview of the CNIL’s enforcement activities in 2019. In particular, the Report revealed that:

  • The CNIL received 14,137 complaints in 2019, which represents a 27 percent increase in complaints compared with 2018 and a 79 percent increase in five years. The complaints mainly concern the following issues:

    • Publication of personal data on the internet, including on search engines, social networks, online media and directories (nearly one third of the complaints). In particular, the CNIL received 422 complaints following individuals’ requests to delist information from search results (“right to be forgotten” requests), which represents a 13 percent increase compared to the number of complaints in 2018. The situation was settled in 98 percent of the cases transmitted by the CNIL to search engines;

    • Direct marketing, non-profit and political marketing activities by telephone, post, email or text message (14.7 percent of complaints). Individuals mainly complained that they did not give consent and/or succeed in stopping unwanted marketing communications;

    • Employee monitoring activities (CCTV, geolocation, call recording, etc.) (10.7 percent of complaints);

    • Failure to comply with individuals’ requests to exercise their data protection rights (about 400 complaints in the employment context); and

    • Failure to protect personal data, e.g., because the data was available on the internet or disclosed to unauthorized third parties, the passwords were transmitted in clear text or were not sufficiently robust, etc.

  • The CNIL received 2,287 data breach notifications in 2019. The vast majority of them were due to confidentiality breaches.

  • 64,900 organizations have appointed a data protection officer (“DPO”), bringing the DPO total to 21,000 (as a single DPO may be appointed for several organizations), which represents a 31 percent increase compared to the number of DPO appointments notified to the CNIL in 2018.

  • The CNIL carried out 300 inspections in 2019, including 169 on-site inspections (when the CNIL visits a company’s facilities and accesses anything that stores personal data); 53 online inspections; 45 document reviews (when the CNIL requires an entity to send documents or files upon written request); and 18 hearings (when the CNIL summons representatives of organizations to appear for questioning and provide other necessary information). In 41 percent of cases, the CNIL’s inspections were initiated following complaints or claims. The inspections revealed several poor practices such as excessive delays in meeting individuals’ requests to exercise their data protection rights, lack of an unsubscribing link in direct marketing emails and the fact that customers could not delete their online account on their own. Conversely, the inspections revealed best practices such as the development of template responses for customer service to handle the exercise of individuals’ data protection rights and the tracking of individuals’ requests to exercise those rights in a specific tool. On March 12, 2020, the CNIL released its annual inspection strategy for 2020.

  • The CNIL served 42 formal notices to companies in 2019. Formal notices are not sanctions. If a company does not comply with the formal notice within the time limit imposed in the notice, the CNIL will impose a sanction. Overall, only eight sanctions were imposed by the CNIL’s Restricted Committee in 2019, including seven fines totaling €51,370,000 and five additional injunctions subject to a financial penalty. Those sanctions mainly were imposed for failure to protect personal data, to provide notice to individuals, to define and apply adequate data retention periods and, in one case, for failure to comply with the individuals’ right of access to their personal data under the EU General Data Protection Regulation.

The Report also outlines some of the actions that the CNIL will further undertake in 2020, including:

  • Publication of the final version of the CNIL’s recommendations on how to get users’ consent for non-essential cookies (the “Recommendations”). This is part of the CNIL’s action plan for 2019-2020 on online targeted advertising, covering cookies and similar technologies. This action plan consists of the following main components:

    • The publication of new cookie Guidelines on July 18, 2019, which introduced two main novelties: (1) continuing to browse a site (or app) can no longer be considered valid consent for the use of non-essential cookies; and (2) website operators must be able to demonstrate they have obtained valid consent; and

    • The publication of the Recommendations. On January 14, 2020, the CNIL published draft Recommendations, which were open to public consultation. The final version of the Recommendations will be published shortly.

  • The CNIL’s participation in future facial recognition experiments. From 2018, the CNIL has called for a discussion on facial recognition, with the intent to fully contribute to the discussion. On November 15, 2019, the CNIL released its main objectives regarding the subject, namely: (1) presenting facial recognition from a technical point of view and, in particular, the diversity of potential uses; (2) highlighting risks; (3) reminding public and private organizations of the rules applicable to facial recognition devices; and (4) specifying the role of the CNIL in future experiments with or deployments of facial recognition devices.

  • The CNIL’s COVID-19 guidance and inspections of France’s mobile tracing app (StopCovid) and of the data files put in place by the French Government in the context of lifting containment measures.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Legal Analysis

More from Hunton Andrews Kurth

FTC Issues Sweeping Final Rule Banning Non-Competes but Broom Not Out of the Closet Yet
by: Kevin Hahm , Leslie W. Kostyshak
A Ban on Noncompete Agreements? FTC Uses Section 5 Against Employers and Proposes Rule to Ban Noncompete Clauses Entirely
by: Kevin Hahm , Leslie W. Kostyshak
Proposed FTC Ban on Non-Competes: Considerations for M&A Transactions
by: Ryan A. Glasgow , Austin Maloney
FTC Final Rule Limiting Non-Competes: Considerations for M&A Transactions
by: Austin Maloney , Jordan G. Sisco
The Federal Trade Commission Issues a Final Rule Banning Most Worker Non-Compete Agreements
by: Ryan A. Glasgow , Jason P. Brown
In Groundbreaking Final Rule, EPA Designates Two PFAS as Hazardous Substances Under CERCLA
by: Paul T. Nyffeler, PhD , Matthew Z. Leopold
CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Recent N.D. Ill. Ruling Upholds Common Interest Doctrine Over Communications Between Biometric Technology Vendors and Customers
by: Julia Y. Trankiem , Torsten M. Kracht
Senators Introduce Stablecoin Bill
by: Scott H. Kimpel

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins