On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.
Currently, the CNIL may conduct three types of investigations:
- On-site inspections – the CNIL may visit a company’s facilities and access anything that stores personal data (e.g., servers, computers, applications). On-site inspections currently represent the vast majority of the inspections conducted by the CNIL.
- Document reviews – these inspections allow the CNIL to require an entity to disclose documents or files (upon written request).
- Hearings – the CNIL may summon representatives of organizations to appear for questioning and to provide other necessary information.
Further to its new online inspection authority, now the CNIL also may identify violations of the French Data Protection Act through remote investigations. For example, this new investigative power will enable the CNIL to check whether online privacy notices comply with French data protection law, and to verify whether entities obtain users’ prior consent before sending electronic marketing communications.
The CNIL emphasized that the new online investigations will concern only publicly available data, and that the law does not give the CNIL the right to circumvent security measures to gain access to information systems.
In 2013, the CNIL conducted 414 inspections. In light of this new online investigation tool, even more inspections are likely in 2014.