In November 2023, the National Commission on Informatics and Liberty (CNIL), the French data protection authority, announced that it had issued 10 new sanctions under its new simplified procedure, following complaints concerning geolocation of vehicles and video surveillance of employees, data minimization, the right to object and lack of response to CNIL requests.

The New Simplified Sanction Procedure

The simplified sanction procedure was introduced in 2022 to simplify and accelerate the sanction procedure for cases “which do not present a particular difficulty”. The purpose of this new procedure is to “increase the effectiveness” of the CNIL’s enforcement action, in particular in response to complaints it receives (there were more than 12,000 complaints in 2022).

The sanctions that may be imposed under this procedure are (i) a fine of up to €20,000, (ii) an injunction with a penalty capped at €100 per day of delay and (iii) a call to order. These sanctions cannot be made public. The decision is taken by the president of the sanction formation (or one of the members of this formation) ruling alone, and no public session is organized, unless the organization requests to be heard.

Under this new procedure, the CNIL has sanctioned private and public organizations over the last two months for a total amount of €97,000 in fines.

Focus on Use of Devices That May Lead to Constant Employee Monitoring

Among the 10 decisions, the CNIL has singled out the recurring topic of excessive and disproportionate employee monitoring and, more particularly:

  • Geolocation of employee vehicles – The CNIL points out that the continuous recording of geolocation data, without the possibility for employees to stop or suspend the system during break times, is, unless specifically justified, an excessive infringement of employees' freedom of movement and right to privacy.
  • Video surveillance of employees – The CNIL reaffirms its position against continuous video surveillance of workstations, which is often disproportionate, even when used for purposes such as prevention of workplace accidents or evidence of business transactions.

By issuing sanctions under the simplified procedure, the CNIL is sending the message that it will not limit its enforcement action to large organizations and complex matters. All organizations are potentially at risk of an enforcement action, in particular in cases where a complaint is filed with the CNIL. Moreover, an organization for which a simplified procedure has been initiated faces the risk that the CNIL uses its ability to switch, at any time, to the ordinary procedure, which allows it to impose the maximum level of fines under the GDPR and to publish the decision.