On 8 April the French Data Protection Authority (the “CNIL”) published its annual report summarising its 2015 activities and briefly describing the objectives for the years to come ("Annual Report").

CNIL’s major focus areas in 2015

According to the Annual Report, the major focus areas of the CNIL over the past year have been related most notably to:

  • analysis and advice in the course of adoption of legal provisions related to intelligence services, security and terrorism (14 bills and the related decrees);
  • advice on personal data transfer mechanisms from the EU to the US following the invalidation of Safe Harbor by the ECJ on 6 October 2015 (the CNIL’s President, Isabelle Falque-Pierrotin, is also the President of the Article 29 Working Party); and
  • queries related to delisting by the search engines further to the ECJ’s Google Spain decision dated 13 May 2014.

Increased number of controls carried out by the CNIL

Over the past year, 7,908 complaints were filed with the CNIL, a record number that exceeds the number of complaints filed in 2014 by 2,000.

The number of inspections and controls carried out by the CNIL also increased in 2015. Last year, 501 data controllers (of which 70% belong to the private sector) were inspected, an increase in controls of 20% compared to 2014. According to the CNIL, this increase is partly due to its extended use of online control tools.

Furthermore, 41% of the controls were spontaneously initiated by the CNIL, 35% were carried out in the course of its annual control programme, 15% were carried out further to a complaint and 9% formed part of existing sanction or formal notice procedures.

Increased number of repressive actions and sanctions

Further to its inspections, the CNIL issued an increased number of formal notices: 93 notices were issued in 2015 compared to 62 in 2014. These notices concerned a variety of organisations. The main categories of breaches they addressed included breaches related to cookies as well as:

  • incomplete information of the data subjects;
  • insufficient security measures; and
  • disproportionate or unspecified data retention periods.  

According to the CNIL, the majority of the formal notices issued were followed by the data controller’s compliance. However, 10 sanctions were pronounced by the CNIL in 2015:

  • warnings (the same number as in 2014); and
  • 3 fines, ranging from EUR 15,000 to EUR 50,000 (7 fines had been pronounced in 2014).  

As for 2016, the CNIL has already imposed a EUR 100,000 fine on Google Inc. on 10 March 2016 and served Facebook Inc. and Facebook Ireland with a formal notice.

The future priorities of the CNIL

The CNIL has begun an analysis of the privacy-related impacts of connected devices. It has also announced that the future priorities within its three-year action plan (2016-2018) notably include:

  • assistance to companies with the changes related to the upcoming General Data Protection Regulation; and
  • assistance to various organisations in the course of their digital transformation, by modernising its approach and putting in place new self-assessment tools, new labels, guidelines etc.  

Finally, the CNIL welcomes the currently debated French Digital Republic Bill, which is about to increase the maximum amount of its fines to EUR 1,500,000 or even EUR 20,000,000.

The CNIL’s 2015 Annual Report is available here (French).

Submitted by Thierry Dor, Partner, and Dane Rimsevica, Associate, at Gide Loyrette Nouel – Paris, France, in partnership with DAC Beachcroft LLP.