In 2012, the French Data Protection Authority ("CNIL") carried out 458 on-site inspections as part of its programme which focussed on mobile phone operators, processors of health data and police and customer databases. This was a 19% increase on the number of inspections which were carried out in 2011 and it came in addition to other controls following complaints received. The CNIL indeed received 6000 complaints in 2012. 137 of the CNIL's on-site inspections concerned CCTV systems.
The CNIL's annual programme for 2013 was adopted on 28 February 2013 and published on 19 March 2013. The CNIL has set an objective of achieving around 400 inspections this year. A quarter of the CNIL's inspections will relate to CCTV systems. According to the CNIL, a third of inspections will be reserved for the investigation of complaints received.
The CNIL will focus on the following issues in its programme of inspections for 2013:
- 25% of the inspections will relate to CCTV systems :As in 2012, the CNIL will focus on CCTV compliance since French law was recently amended to provide more powers to the CNIL on such systems.
- Data processing by market research companies: The CNIL's action in this area will provide it with a clear idea of how the data is used and will allow the authority to advise market research companies on any corrective actions which they need to take.
- Data processed by hotspots offering free Internet access (e.g. Wi-Fi hotspots): A large amount of very precise data is produced by the use of these services by a growing number of people (e.g. internet browser history information, private correspondence, retention of traffic data for law enforcement purposes). The checks to be carried out by the CNIL will aim to ensure that the legal framework for the retention of such data is respected.
- Processing by local authorities of data relating to persons' social difficulties: The CNIL will carry out inspections of communes, CCAS boards and councils, focussing on the strong challenges which such bodies face in terms of the protection of data which they process about people in difficult social situations. Such challenges include maintaining the security of data, the sharing of information between different entities and data retention issues. The CNIL aims to ensure that controllers fully respect the rights provided by law in relation to such data.
- Data about persons detained in prison: The CNIL's checks in this area will allow it to assess the conditions under which data kept by prison authorities is used. Such data includes the national file of prisoners, CCTV and possible electronic surveillance during provisional release.
- Police files: The CNIL will also monitor the operational services of the police and gendarmerie in order to see first-hand how police files are used. This idea was already included in the CNIL's programme in 2012.
- International enforcement actions: Another main theme for the CNIL in 2013 will be international cooperation on investigations between data protection authorities. According to the CNIL, if there is already some international cooperation in a certain area (such as the ability to ask another European DPA to carry out an investigation, or carrying out an investigation which another European authority asked it to) the CNIL is keen to increase its activity in this area, in line with the recommendations in the proposed new EU General Data Protection Regulation.