Pursuant to the new French consumer law adopted on March 17, 2014, which, among other things, amended the French Data Protection Act, the French Data Protection Authority (the “CNIL”) has gained new investigative powers. CNIL agents are now authorized to perform online inspections and to issue compliance orders to companies in violation of the French Data Protection Act.
Until now the CNIL has been conducting:
- On-site inspections during which its agents can visit company facilities and have access to servers, computers, devices and applications that have the capacity to store data;
- Document reviews, which allow the CNIL to obtain from a company disclosure of any documents or files, through a written request;
- Hearings, which allow CNIL agents to summon any individual in connection with an investigation.
The new prerogatives enable CNIL agents to sift through data that is accessible, or made accessible, online in order to identify any violations of the French Data Protection Act. If a violation is identified, CNIL agents will draw up an official report, which will be submitted to the company.
For instance, CNIL agents will now be able to identify security weaknesses observable from the Internet (without circumventing companies’ security measures, according to the CNIL), and to check the compliance of privacy notices, cookie policies, data collection forms and consent collection mechanisms.
In practice, CNIL agents were already conducting such inspections online as a first step in the investigation process. However, additional inspections were necessary in order to gather evidence and issue compliance orders. Such inspections were particularly expensive for the CNIL, time consuming for its agents, and poorly adapted to the digital environment.
This new investigative power is, according to the CNIL, an “opportunity to be more effective and responsive in a constantly evolving environment”. Indeed, in 2013, the CNIL conducted 414 inspections, which is relatively modest considering the number of sites collecting personal data online. More inspections and compliance orders are expected in 2014.
The CNIL’s enforcement authority is unchanged (EUR 150,000 maximum for first-time offenders, issued only once against Google Inc, see our previous post here). The proposed EU Data Protection Regulation, overwhelmingly adopted by the European Parliament on March 12, 2014, would increase maximum fines to EUR 100,000,000 or 5% of annual worldwide turnover.