As it does each year, the CNIL has just published its annual inspections program. This program illustrates the CNIL’s technological and sector-specific priorities, independently of the approximately 6,000 complaints it receives each year and which may also trigger an inspection.
The first innovation in the 2014 program is that the CNIL has decided to implement the new online inspection powers enacted by the Act of March 17, 2014 (hereafter the “Act”). The CNIL now has an online investigative power comparable to, or even greater than, the power conferred on it for onsite verifications. Indeed, these digital investigations are carried out without the possibility of exercising a right to object, without the website’s manager being informed and, as such, without a report being prepared in the presence of all parties (see our alert of January 30, 2014). As the Act states, online inspections apply only to data that are “freely accessible”; they do not allow the CNIL to break through security measures. Thanks to this new power, which is quicker to implement while at the same time being less costly in terms of resources, the CNIL has announced a significant increase in its target number of inspections in 2014 (+33%, or 550 inspections in 2014 versus 414 in 2013).
Within this framework, pursuant to the terms established at the EU level by the WP 29 (the organization bringing together all of the European data protection authorities, currently headed by the CNIL), the CNIL intends to inspect websites’ policies and practices on cookies. For the European authorities, including the CNIL, this will involve evaluating the quality of the information provided to Internet users and the means used to obtain their consent. As no specific sectors are mentioned, these inspections will likely be conducted on a broad range of websites.
Similarly, the CNIL will inspect “the protection of privacy on mobile terminals”, i.e., tablets and smartphones, and will in all likelihood check whether the many applications offered to users, which collect and process large quantities of personal data, are compliant.
The 2014 inspection program clearly shows that the CNIL, acting as a national authority and as president of the WP 29, wishes to increase European and international cooperation between authorities to adapt to the fact that data flows are now transnational by nature. To this end, the CNIL appears to wish to confer on the WP 29 a more operational inspection role, which moves it somewhat away from its original duties as a consultative body issuing opinions and recommendations.
When it performs online inspections, the CNIL will probably also verify whether websites comply with their obligations regarding personal data and IT system security and, if applicable, it will record evidence of any online security breaches it observes.
The second area of the CNIL program involves banking data and banks.
Indeed, taking into account the “recurrent” complaints it receives showing deficiencies in terms of banking data confidentiality and security, the CNIL states that it wishes to “raise awareness” among the actors involved and “verify” application of its November 2013 recommendation on storing debit/credit card numbers. In addition to specifying the means for obtaining the customer’s consent to retain their banking data, this new recommendation strengthens the security measures required of merchants. At the same time, the recommendation encourages those merchants to notify the parties involved of all “security breaches” regarding their banking data, in anticipation of future regulatory obligations. By committing, as of 2014, to monitoring the proper application of its recommendation from last November, the CNIL wishes to send a strong signal that this recommendation is important and to warn the market that it does not intend to give companies more time to comply with it.
This inspection area should, technically, lead to both online inspections serving as security “tests” and ordinary onsite inspections. Potentially, all commercial sectors will be affected, including e-merchants, major brand names in distribution and brick-and-mortar stores, since collecting banking data is part of their daily business.
In the past, the CNIL penalized merchants on several occasions due to deficiencies in their security measures and excessive data retention. The CNIL has announced that it wishes to devote “a large number of inspections” to this issue.
The banking sector will also be affected by the CNIL’s inspections because the CNIL wishes to verify the functioning of the National Database on Household Credit Repayment Incidents (the “FICP”). The FICP, which is under the Bank of France’s authority, lists payment incidents, and banks provide information to it directly. However, for some time the CNIL has reported failures in registering the relevant persons in the database or removing them from it. This is the leading source of banking-sector complaints received by the CNIL, and the CNIL has already issued some sanctions on this basis.
The third inspection area involves electronic communications operators and data security. Since August 2011 and the implementation of the “telecoms package”, communications operators are required to notify the CNIL and, in most instances, the affected persons of security breaches involving personal data. As there have been many recent events involving security breaches, such as the “Orange case” and the loss of 800,000 customers’ data, the CNIL wishes to verify that operators have the required internal processes in place and are able to perform their notification obligations. It should be noted that this issue was already included in the CNIL’s 2013 inspection program.
Lastly, the CNIL has announced that it will inspect dating websites, which collect a large amount of data, “including sensitive data (sexual orientation, ethnicity, religion, etc.).” Furthermore, various third-party applications are available and active on these dating websites, and the CNIL therefore wishes to determine “what processing is performed and to identify the sector’s actors and practices.”
Confronted with this ambitious program, which includes a new form of inspection (online) and targets strategic banking data, companies have to take the necessary actions to ensure that their data processing operations are compliant and to anticipate the responses they will provide if they are inspected by the CNIL.