Privacy & Information Security Law Blog

On April 12, 2016, the French Data Protection Authority (“CNIL”) announced that it will participate in a coordinated online audit to analyze the impact of everyday connected devices on privacy. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

In addition to the CNIL, 29 DPAs that are members of the GPEN will participate in the audit. The joint effort will run during spring 2016. The CNIL also announced that it will conduct its audits during May 2016 and target three categories of connected devices:

• home IoT devices (connected camera systems that can detect movements or measure air quality);
• health connected devices (connected scales, tensiometers and glucometers intended to collect health-related data); and
• connected devices for well-being (connected watches and bracelets that can collect geolocation data and also count the number of steps made per day, the number of calories burned and analyze the quality of sleep).

In practice, the CNIL will verify:

• the quality of the information provided to users;
• the level of security of the data flows; and
• the degree of user empowerment (e.g., user’s consent, exercise of data protection rights, etc.).

The CNIL stressed that it might conduct more formal inspections and launch enforcement proceedings if its initial findings reveal serious breaches of French data protection law. The results of its audits will be issued in fall 2016. The audits will help the CNIL increase user awareness and promote best practices among stakeholders in the sector.