Paris, July 24, 2019  - The GDPR has been in force for one year. Many companies have initiated compliance processes.

The CNIL has made some notable decisions, mainly sanctioning the non-respect of key principles (existing under the previous Computer and Freedom law).

The CNIL continues its work in verifying that the principles of these texts are respected, while announcing in parallel a new text regarding cookies.

May 25, 2019 marked the anniversary of the entry into force of the GDPR.

The principles and content of the GDPR are now known, mainly:

- confirmation of key principles and conditions of lawfulness of processing operations,

- strengthening the rights of individuals and of compliance obligations of companies and organizations processing personal data,

- significant increase in penalties (fines of up to 20 million euros or 4% of annual global turnover).

For more information, see our article of May 25, 2018

Some notable decisions

Since May 2018, the CNIL, the French authority in charge of the regulation and control of personal data processing, has issued a number of decisions of formal notice or sanction. Most of these decisions were rendered under the aegis and principles of the Data Protection Act.

Among the most significant decisions, it can be noted that the breaches of data security obligations were particularly sanctioned (including Uber: 400,000 fine, Optical Center:

250,000 fine reduced to 200,000 by the Council of State, SERGIC: 400,000 fine).

The non-respect or the misappropriation of the purposes for which data had been collected were also the subject of decisions (Rennes Public Housing Office (OPH) decision: 30,000 fine, formal notice to Humanis and Malakoff-Mdric to stop processing data initially collected for a mission to implement supplementary pension plans for commercial prospection).

The decision, made under the GDPR, imposing Google with a 50 million euro fine sanctions Google's failures regarding:

- the obligation to inform users: information relating to treatments performed by Google and,

- the conditions for obtaining individual consent.

Beyond the sanction, this decision is informative for the drafting of these two types of documents (in particular with regard to what not to do). It contains a detailed analysis of the conditions for obtaining consent and information for individuals (including the granularity of information, its accessibility, and its comprehensibility).

A first year marked by strong compliance activity

For most companies, this first year has been marked by intense compliance activity with significant investments being made, in particular for IT and digital service providers.

From a contractual point of view, discussions between clients and their service providers have mainly focused on the adjustment of contracts (or the establishment of new contracts) to take GDPR provisions into account and, in particular Article 28 thereof.

It should also be noted that the division of responsibilities between the controller and subcontractors is part of the CNIL's control strategy for 2019-2020 (see below).

What is the CNIL's control strategy for 2019-2020?

The CNIL took advantage of this anniversary to communicate its control strategy for the coming year. Control will be focused around three themes:

  • the respect for the rights of individuals: information, right to access, to correction, to be forgotten, right to limitation of treatment, right of opposition, right to data portability;
  • the treatment of the rights of minors, particularly regarding the publication of content on social networks for which the CNIL receives complaints;
  • the division of responsibilities between controllers and subcontractors, including the existence and respect of the subcontract agreement.

In parallel, the CNIL will continue to support professionals in applying the GDPR and monitor compliance with their obligations.

Cookies and targeted advertising: a year of transition

Finally, the CNIL has placed the issue of targeted online advertising in its 2019-2020 action plan, which covers the following points:

- problems relating to commercial prospection (or "opt-in partner")

- cookies and other trackers.

The CNIL has announced the publication of new guidelines for July 2019. The "cookies" recommendation of 2013 which allowed consent to be obtained by simply continuing navigation will therefore be repealed.

These new guidelines will specify in particular the conditions for obtaining consent.

A 12-month transitional period will be provided to companies for their application of the new principles.

A new recommendation, developed in concertation with professionals by December 2019 early 2020, will propose operational modalities for obtaining consent.

The CNIL will verify compliance with this final recommendation 6 months after its definitive adoption.

One year after the entry into force of the GDPR, the legislative environment is gradually stabilizing.

The implementation phase has been completed; the CNIL now announces a vigilant approach to monitoring compliance with the GDPR. If it has not already been done, the different parties concerned, companies, public organizations and associations, must imperatively tackle this issue head-on.