Earlier this year we reported on the new online investigative powers of the French Data Protection Authority (the “CNIL”) (See blog post here: FRANCE: The CNIL Gets New Online Investigative Powers). Whereas before CNIL agents could only conduct on-site inspections, since March 2014 they are authorized to perform online inspections and issue compliance orders to companies in violation with the French Data Protection Act. Importantly, the data controller is only informed of the investigation once it has been conducted.
The CNIL recently revealed its online enforcement priorities and investigation methodology.
The CNIL is contemplating some 200 online investigations this year, and dating websites are on top of the CNIL’s list given the extent and volume of personal data collected on those sites. Investigations will focus on the relevance of the collected data, privacy notices, the security of the processed data and compliance with CNIL registration/filing formalities. The investigations will also enable the CNIL to verify compliance with the cookies recommendation adopted by the CNIL on December 5, 2013, by looking at the number and nature of the cookies set on the user device, the quality and relevance of user notices, and how user consent is collected.
The decision to launch an online investigation is made by the CNIL’s President, Isabelle Falque Pierrotin, following which the CNIL agents in charge of the investigation are appointed via an order. The technical conditions of the investigation and verifications undertaken are consigned in an investigation report, which is then sent to the website’s data controller. The data controller must submit any comments to the CNIL within a specific time frame. The online investigation may be supplemented by subsequent on-site inspections, document reviews and hearings. Once the investigation has completed, the CNIL may then send the data controller a formal notice and, depending of the seriousness of the case, commence sanction proceedings.