The French data protection authority, the CNIL, has published its annual report for 2021 (in French) which contains some useful information and figures notably on complaints, investigations and sanctions as well as standards of references issued by the CNIL in relation to specific processing activities.
- Complaints, Investigations and Sanctions
In 2021, the CNIL received 14,143 complaints (an increase of 7% compared to 2020 but similar to 2019) out of which:
- 1,436 relate to access rights (28% of which are employee requests);
- 1,906 relate to a request to delete names of corporate officers from online directories;
- 973 relate to commercial, associative and political solicitation, by email (38 %), by SMS (29 %), by mail (20 %) and by phone (13 %); and
- Several complaints related to CCTV in the work place.
Some complaints have been transferred to another lead authority under the one stop shop and cooperation rules.
The CNIL has also received 5,882 indirect data subject action requests (the indirect action is the only one available for certain data basis such as the one for the police or secret services).
The CNIL reports that many complaints have been made about organizations that are established outside of the EU (UK, Switzerland, United States of America, Canada, Russia, Australia, South Korea and China) mainly in relation to the publication of data on the Internet.
It carried out 384 investigations, 31% of which followed from complaints or reports.
The CNIL highlights:
Cookie compliance has been one of the priority themes set by the CNIL for 2021 and the CNIL has launched an unprecedented control campaign.
- Health data
The CNIL also continued its control activities on the security of health data by investigating 30 medical analysis laboratories, hospitals, service providers and data brokers, notably in relation to COVID-19 pandemic related data. Some of these procedures are still ongoing.
It controlled 22 organizations, 15 of which are public with respect to the level of internet security. The investigations revealed obsolete cryptographic suites making websites vulnerable to attacks, shortcomings concerning passwords and, more generally, insufficient means with regard to current security issues.
The CNIL issued:
- 135 formal notices; and
- 18 sanctions for a record total amount of fines exceeding 214 million euros.
Out of the 18 sanctions,
- 12 have been made public;
- 15 consist of fines (5 with injunctions under penalty per day of delay);
- 2 consist of calls to order with injunctions; and
- 4 are decisions taken by the CNIL as a lead authority.
The most frequent breaches include:
- Lack of information and excessive retention;
- Lack of security; and
The CNIL also issued two public sanctions against the Ministry of the Interior, concerning the illicit use of drones and poor management of the automated fingerprint file (FAED).
Investigation program for 2022
In February, the CNIL published its priority focuses for investigation in 2022 investigation program, which accounts for around one third of its investigations, on the following three major topics:
- Marketing activities/commercial solicitation
This follows the numerous complaints received on this topic and the publication in February 2022, a new “commercial management” reference framework, in particular framing the carrying out of commercial prospecting. The CNIL intends to investigate data brokers and other intermediaries.
- Monitoring tools in the context of telework
The significant shift to teleworking has led to the development of specific tools, including tools allowing employers to ensure closer monitoring of the daily tasks and activities of employees. The CNIL considers it necessary to check the employers’ practices in this field.
The CNIL intends to explore issues relating to data transfers and the management of contractual relations between data controllers and cloud solution provider subcontractors.
- Data breach notifications
The CNIL has received 5,037 data breach notifications (a 79% increase compared to 2020) out of which, 63% were due to an external cause (accident or malicious act). The CNIL considers that this figure is still too low compared to actual data breaches which may have occurred.
- Support to public authorities the legislator
The CNIL responded to 22 parliamentary hearings and issued 121 opinions on bills and decrees. 16 of these opinions concerned how data processing was implemented in the context of the fight against the COVID-19 pandemic.
The CNIL also handled 576 health authorization applications in 2021 and issued 54 research authorizations on COVID-19.
- Soft law and support to businesses
In 2021, the CNIL adopted several standards of reference and sectorial recommendations. These included:
- Standards of reference relating to care, accommodation, social and medico-social support of disabled elderly persons;
- Standards of reference relating to the designation of drivers who have committed a traffic violation;
- Standards of reference relating to rental management;
- Standards of reference for health data warehouses;
- Recommendation on the exercise of data subject rights through a representative;
- Interim recommendations for the quality control of clinical trials during the health crisis;
- Recommendation on logging measures;
- Draft standards of reference for the management of pharmacies; and
- Practical recommendation in the insurance sector completing a 2014 compliance pack.
It has also developed tools to enable the development of virtuous digital innovation, in particular through its “start-up” strategy deployed in 2017. This year, this has resulted in the implementation of a first personal data sandbox for health. As a result, 12 projects have been supported by the CNIL, including 4 in a reinforced way.
- New sanction procedure for 2022
As of January 2022, the law has created a simplified sanction procedure that allows, most notably, the CNIL to handle a higher number of complaints. The sanctions that can be issued by the CNIL under this procedure are limited to a call to order, a fine of a maximum amount of €20,000 and an injunction with a penalty capped at €100 per day of delay. These sanctions cannot be made public.
- Focus for 2022-2024
The CNIL has identified three areas in which it intends to establish a position and elaborate tools before including them in the investigation program:
- Augmented cameras and their uses
The accelerated development in the field of so-called “augmented” cameras, often coupled with predictive algorithms, raises the question of the necessary and proportionate nature of these devices and runs the risk of large-scale monitoring of people.
- Data transfers in cloud computing
- Collection of data collections by smartphone apps
Faced with the opacity of technologies and the heterogeneity of practices, the objective of the CNIL is to make visible the data flows and strengthen the compliance of mobile apps and their ecosystems, to better protect the privacy of smartphone users.
If you need assistance in France on data protection issues, contact email@example.com