CNIL Releases 2019 Annual Activity Report
Categories: European Union, International
On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).
The Report provides an overview of the CNIL’s enforcement activities in 2019. In particular, the Report revealed that:
- The CNIL received 14,137 complaints in 2019, which represents a 27 percent increase in complaints compared with 2018 and a 79 percent increase over five years. The complaints mainly concern the following issues:
  - Publication of personal data on the internet, including on search engines, social networks, online media and directories (nearly one third of the complaints). In particular, the CNIL received 422 complaints following individuals’ requests to delist information from search results (“right to be forgotten” requests), which represents a 13 percent increase compared to the number of such complaints in 2018. The matter was settled in 98 percent of the cases transmitted by the CNIL to search engines;
  - Direct marketing, non-profit and political marketing activities by telephone, post, email or text message (14.7 percent of complaints). Individuals mainly complained that they had not given consent and/or could not stop unwanted marketing communications;
  - Employee monitoring activities (CCTV, geolocation, call recording, etc.) (10.7 percent of complaints);
  - Failure to comply with individuals’ requests to exercise their data protection rights (about 400 complaints in the employment context); and
  - Failure to protect personal data, e.g., because the data was available on the internet or disclosed to unauthorized third parties, passwords were transmitted in clear text or were not sufficiently robust, etc.
- The CNIL received 2,287 data breach notifications in 2019. The vast majority of them were due to confidentiality breaches.
- 64,900 organizations have appointed a data protection officer (“DPO”), bringing the DPO total to 21,000 (as a single DPO may be appointed for several organizations), which represents a 31 percent increase compared to the number of DPO appointments notified to the CNIL in 2018.
- The CNIL carried out 300 inspections in 2019, including 169 on-site inspections (when the CNIL visits a company’s facilities and accesses anything that stores personal data); 53 online inspections; 45 document reviews (when the CNIL requires an entity to send documents or files upon written request); and 18 hearings (when the CNIL summons representatives of organizations to appear for questioning and provide other necessary information). In 41 percent of cases, the CNIL’s inspections were initiated following complaints or claims. The inspections revealed several poor practices such as excessive delays in meeting individuals’ requests to exercise their data protection rights, lack of an unsubscribing link in direct marketing emails and the fact that customers could not delete their online account on their own. Conversely, the inspections revealed best practices such as the development of template responses for customer service to handle the exercise of individuals’ data protection rights and the tracking of individuals’ requests to exercise those rights in a specific tool. On March 12, 2020, the CNIL released its annual inspection strategy for 2020.
- The CNIL served 42 formal notices on companies in 2019. Formal notices are not sanctions: if a company does not comply with the formal notice within the time limit set in the notice, the CNIL will impose a sanction. Overall, only eight sanctions were imposed by the CNIL’s Restricted Committee in 2019, including seven fines totaling €51,370,000 and five additional injunctions subject to a financial penalty. Those sanctions were mainly imposed for failure to protect personal data, to provide notice to individuals, to define and apply adequate data retention periods and, in one case, for failure to comply with an individual’s right of access to their personal data under the EU General Data Protection Regulation.
The Report also outlines some of the actions that the CNIL will further undertake in 2020, including:
- Publication of the final version of the CNIL’s recommendations on how to obtain users’ consent for non-essential cookies (the “Recommendations”). This is part of the CNIL’s action plan for 2019-2020 on online targeted advertising, covering cookies and similar technologies. This action plan consists of the following main components:
  - The publication of new cookie Guidelines on July 18, 2019, which introduced two main novelties: (1) continuing to browse a site (or app) can no longer be considered valid consent for the use of non-essential cookies; and (2) website operators must be able to demonstrate that they have obtained valid consent; and
  - The publication of the Recommendations. On January 14, 2020, the CNIL published draft Recommendations, which were open to public consultation. The final version of the Recommendations will be published shortly.
- The CNIL’s participation in future facial recognition experiments. Since 2018, the CNIL has called for a public discussion on facial recognition, with the intent to contribute fully to that discussion. On November 15, 2019, the CNIL released its main objectives on the subject, namely: (1) presenting facial recognition from a technical point of view and, in particular, the diversity of potential uses; (2) highlighting risks; (3) reminding public and private organizations of the rules applicable to facial recognition devices; and (4) specifying the role of the CNIL in future experiments with or deployments of facial recognition devices.
- The CNIL’s COVID-19 guidance and inspections of France’s mobile tracing app (StopCovid) and of the data files put in place by the French Government in the context of lifting containment measures.
Tags: CNIL, Consent, Cookies, Coronavirus/COVID-19, Data Protection Authority, Facial Recognition Technology, France, GDPR, Mobile App, Personal Data, Right to Be Forgotten