The French Data Protection Authority, the CNIL, recently published its annual report reviewing its activities during 2013 and setting out its priorities for 2014. 

The report shows that, during 2013: 

  • The number of complaints made to the CNIL fell overall to 5,640. Most of these related to requests to erase internet data;
  • 15 data security breach notifications were received (a total of 31 notifications have been received by the CNIL since 2011);
  • 414 formal investigations were carried out, 33% of which resulted from complaints made to the CNIL;
  • 57 formal notices were issued (88% of those after an investigation);
  • 14 sanctions were imposed. 7 of these were fines, the highest of which was €10,000. In most cases, the breaches identified were remedied after intervention by the CNIL.

In the report, the CNIL urges French lawmakers to consider amending the law to allow individuals to request access to their personal data electronically and to empower the CNIL to impose higher fines. 

The CNIL also takes the opportunity in the report to set out some key concerns about the Draft Data Protection Regulation (the “Draft DP Regulation”) currently being considered by EU lawmaking institutions. In summary, the CNIL has particular concerns about:

  • the new ‘one-stop-shop mechanism’ concerning cross-border complaints.  The CNIL’s view is that more protection is needed for individual complainants.  In particular, the CNIL’s view is that the data protection authority of the member state in which the complainant is resident should be given greater powers to oversee the investigation of the complaint;
  • the separate regime concerning profiling using pseudonymous data.  The current text of the Draft DP Regulation provides that profiling based on pseudonymous data is acceptable provided the data cannot be linked to a specific individual.  The CNIL’s view is that no such separate regime should be created; and
  • the use of a risk-based approach to data protection compliance.  The CNIL’s view is that any such approach should not exempt the data controller from its overarching obligation to comply with its data protection obligations.

Read the CNIL’s report here.