A new French consumer law (No. 2014-344), passed on March 17, 2014 has granted the French Data Protection Authority (Commission Nationale de l’Information et des Libertés (CNIL)) the ability to conduct remote inspections online.
These inspections will determine whether or not there has been a breach of French Data Protection law, including whether users have given consent to cookies and marketing communications. To date, the CNIL has been able to employ its powers of inspection only when the processing or use of processed data leads to a violation of human rights, human identity, privacy or individual or public liberties and was limited to onsite inspections. This new power is a further weapon to add to the CNIL’s arsenal of investigative powers, which already includes: on-site inspections, document reviews, hearings, injunctions and fines. Furthermore, where it considers a criminal offence has been committed, the CNIL can notify France's Public Prosecutor and can make public any sanctions imposed. According to the CNIL "[i]f an infringement has occurred, the CNIL's President can decide whether to issue an injunction or not. This injunction will compel the organization to take the necessary measures within a determined period of time.” The CNIL vows that its new powers will only be used with regard to publicly available data, and that the new law does not allow them back door access to information systems. The new law will no doubt increase the number of investigations the CNIL carries out per year, with new investigations due to start over the course of the next few weeks.
There has been considerable international debate surrounding the investigative powers of these institutions and other state bodies. The Dutch government made a controversial proposal in May 2013, for example, in response to hacking which included spying on users, deleting data and even extended to devices abroad. Similarly, a previous French proposal linked to HADOPI (copyright infringement laws) planned compulsory spyware on PCs and optional blacklist applications, whilst in the UK, users are compelled to hand over encryption keys to the police on demand. Do laws such as this latest from the French risk granting these institutions too much power or are they a necessary tool of defence in the fight against data and privacy breach?