Privacy & Information Security Law Blog

On April 19, 2012, the French Data Protection Authority (the “CNIL”) issued a press release detailing its enforcement agenda for 2012. In a report adopted March 29, 2012, the CNIL announced that it will conduct 450 on-site inspections this year, with particular focus on the specific themes described below. The CNIL also indicated that it will continue the work started in 2011 with at least 150 additional inspections related to video surveillance, especially with respect to surveillance in locations that are frequented by large numbers of individuals.

In particular, the CNIL’s inspections will focus on a number of issues including:

• Smart phones: The CNIL intends to continue exploring new uses of smart phones by focusing on data collection both (1) when a customer registers with a mobile operator and (2) through monitoring of the customer’s usage (e.g., use of online services, download and use of applications). Scrutiny will focus on the data collection practices of both mobile operators and mobile application providers.
• Health data security: Following up on the efforts initiated in 2011, the CNIL will pay close attention to the development of personal medical records, and also will scrutinize medical research, online health-related applications and healthcare providers. The storage of health records using cloud computing solutions will be of particular interest.
• Data breaches: The CNIL’s focus on data breaches in 2012 follows naturally from the introduction of a regulation, which came into effect on August 24, 2011, that imposes a data breach notification requirement on electronic communications service providers. Providers of publicly available electronic communications services are now required not only to notify the CNIL of data breaches, but also to notify the individuals concerned when the data breach “affects their personal data or private life.”
• Sports and hobbies: The CNIL has decided to further examine how personal data are processed within the main French sports federations, including with respect to issues related to the disclosure of data to third parties and blacklisting.
• Police records: Following a parliamentary report on the topic, the CNIL will organize a series of data protection inspections to examine the internal operating services of the police.
• Databases related to day-to-day activities: The CNIL finally will address a general call for transparency by conducting a broad survey of data processing by large-scale companies that handle millions of citizens’ personal data on a daily basis (e.g., water, electricity, gas, highway operators).