On April 26, 2011, the French Data Protection Authority (the “CNIL”) issued a press release unveiling its inspection goals for the coming year. In a report adopted on March 24, 2011, the CNIL indicated that it intends to conduct at least 400 inspections in France (100 more than the 2010 goal), with a special focus on the following issues:
International Data Transfers
The CNIL intends to inspect international transfers of personal data, both within French companies exporting data to foreign countries, and also possibly within companies located abroad that are importing personal data regarding French nationals. In particular, the CNIL will verify that American companies that have self-certified to the Safe Harbor framework comply with the Safe Harbor principles. The CNIL also intends to inspect the cross-border transfers of personal data that are carried out on the basis of EU model clauses and legal derogations.
Electronic Tracking and Behavioral Analysis
Inspections in this area will focus on various devices used to measure viewership (e.g., advertisement devices, direct marketing by electronic means) and behavioral analysis (e.g., websites, social networking, etc.), as well as online merchants who collect significant quantities of personal data regarding online purchases and specialize in fraud monitoring on the web (i.e., blacklisting activities).
Pursuant to a new security bill (“LOPPSI”) that came into force this year, the CNIL was granted additional authority to monitor the use of video surveillance cameras (i.e., CCTV cameras) both in private and public areas. The CNIL has indicated it will conduct at least 150 inspections of video surveillance devices this year.
Finally, the CNIL will continue to inspect data processing activities concerning health data, particularly companies that host health data and those that carry out medical trials.
More information on the CNIL’s 2011 inspection goals can be found (in French) on the CNIL’s website.