The CNIL blows the whistle for the end of the transition period.  For the first time, the CNIL’s 2019 investigation program is not specific to an industry and potentially impacts controllers and processors throughout all sectors of business. Going forward, the CNIL will also be more thorough and less lenient.

2019 Program

Investigation program

CNIL’s yearly investigation programs account for approximately one quarter of its investigations. This year’s program will focus on three major areas:

• The complaints it receives (either collective or individual). These complaints, or the exercise of data subjects rights, represented about 73.8 % of all complaints received in 2018.
• The sharing of responsibilities between processors and subcontractors, which is a cross-sector topic.
• The data of children (including what data is collected, i.e., photos, biometric data and CCTV in schools, as well as parental consent for children under 15).

As in previous years, the CNIL will also:

• Investigate complaints and the reports sent to the CNIL.
• Follow up on past procedures.
• Gather information from various news sources.

Finally, the CNIL will continue the cooperation initiated in 2018 with its other national Supervisory authorities, such as joint control operations.

Read more about CNIL’s investigation program for 2019.

Sanction policy

The CNIL treated 2018 as a transition period, allowing data controllers to understand and progressively assimilate the requirements of the GDPR.

From 2019 onwards, the CNIL will investigate compliance more thoroughly (including impact analysis, data portability, maintenance of a register of processing and of data breaches, etc.) and draw on, if necessary, all the consequences in case of gaps. It will nevertheless continue to assess, on a case-by-case basis, the most appropriate sanction. This will depend on the gravity of the breaches and the good faith of the organization and its cooperation.

2018 Report

Complaints and data breach notifications

In 2018, the CNIL registered 1,170 data breach notifications. It received a record of 11,077 complaints, which represents a 32.5 %  increase compared to 2017. About 20% of these complaints fell under the GDPR cooperation program with other Supervisory Authorities.

These complaints primarily related to the publication of data on the internet (373 requests for delisting). Individuals massively requested their data to be deleted from the internet (names, contact details, comments, photographs, videos, accounts, etc.). These kinds of complaints reveal how difficult it can be for individuals to manage their digital life, and in particular, their online reputation.

Investigations

In 2018 the CNIL carried out over 300 investigations which consisted of onsite, online, document requests and hearings.

The following is a breakdown of sources that triggered the investigation.

Formal notice to remedy

In most cases, the notices issued by CNIL resulted in the organizations remedying the identified compliance gap(s).  Formal notices to remedy are not considered sanctions per say as they are issued before an actual “fair trial” procedure. Forty-nine formal notices to remedy were adopted in 2018 out of which 13 were publicized. Two sectors, in particular, were targeted.

• Insurance (5) for the use of insurance data for marketing purposes without legal basis
• Companies specializing in targeted advertising via a technology (SDK) installed in mobile apps. (4)

Sanctions

The CNIL issued 11 sanctions, out of which:

• Ten financial fines (including 9 made public and 7 in relation to security breaches), amongst which the following fines were issued €400,000, € 250,000 (twice) , € 100,000, €75,000, €50,000 and €30,000 (twice)
• One non-public warning;
• One closed

Sanctions were based on the regulation before GDPR under which the maximum fines were raised in 2016 from €150,000 to €3 million.

The CNIL’s 2018 report and 2019 plan summary are available here.