The new French Act on consumer protection, enacted on March 18, 2014, broadens the investigative powers of the CNIL (the French Data Protection Authority) by enabling its members and empowered agents to carry out online investigations.1
Until now, the CNIL's investigative powers were limited to three main measures:
- on-site inspections, i.e. CNIL access to the hardware and software (e.g. servers, computers, applications) on which files and personal data are stored;
- off-site inspections, i.e. a written request from the CNIL for the communication of documents or files; and
- hearings, i.e. the CNIL's power to summon the persons who process files, or their representatives, to appear before it and provide any relevant information.
The modified French Data Protection Act now allows the CNIL to perform remote investigations to identify violations of the French Data Protection Act. According to the CNIL, this new power will notably be used to monitor and act quickly in the event of a data breach, and to check compliance with the information notices displayed on online forms and with the way data subjects' consent is collected for electronic marketing.2
The CNIL will carry out such remote investigations on the basis of any accessible online content, including information made available through negligence or disclosed by a third party, and, where appropriate, may access and remain within automated processing systems for the time needed to make its findings.3 Despite this convoluted wording, the CNIL quickly pointed out that the new power does not allow it to bypass the technical security measures put in place to secure websites.4 In practice, this means that data left reachable without any access control, for instance through a misconfiguration, falls within the scope of an online investigation, whereas the CNIL will not circumvent the protections an organization has actually deployed.
The findings will then be recorded in an official report that can be relied upon against the organizations investigated. There may be some doubt about the probative value of such reports, since this new power comes with no procedural safeguards. In particular, unlike reports following on-site or off-site inspections, which are drawn up on an adversarial basis (the organization can respond to the findings), reports following an online investigation would not be established in accordance with the adversarial principle.5 Moreover, the modified French Data Protection Act gives the organizations investigated no right to object to an online investigation, as exists for on-site inspections.6
It remains to be seen whether the CNIL will take additional steps to enhance the probative value of its observations and follow, for instance, the example of French bailiffs, who are subject to stringent requirements before recording evidence of illegal activity online, including, among others, clearing their web browser's cache so that the observation reflects the live site rather than a locally stored copy.
This new power is likely to significantly increase the number of investigations undertaken by the CNIL, which already carried out 414 audits in 2013, and will therefore require those processing personal data to pay closer attention to compliance with the data protection legal framework.