More than 14,000 complaints filed with the CNIL in 2021
When processing personal data on your website, you must be sure to follow a number of rules and recommendations. If you do not, you expose yourself to fines and procedures.
The Commission Nationale Informatique et Libertés (CNIL) is an independent administrative authority in charge of protecting users personal data. It must ensure that information technology's purpose is to serve the citizens and does not infringe on human identity, human rights, privacy, individual or public liberties.
The CNIL has a monitoring and information role but it also has the power to control and sanction. This authority can monitor proper implementation of the various measures implemented by the General Data Protection Regulation (GDPR).
The CNIL defines 4 main axes to comply with their recommendations:
- Establish a register of your data processing activities
- Sort out your data
- Respect individuals rights
- Secure your data
Some key figures:
Increase in controls in 2021
In 2021, the total number of controls carried out by the CNIL equaled 384 (compared to 247 controls in 2020) including: 173 online controls, 118 on-site controls, 65 controls on documents, 28 controls under hearing. As a result of these controls, the CNIL imposed more than €214 million in financial penalties (compared to €138 million in 2020). More than 14,000 complaints were received by the CNIL, resulting in 18 sanctions and 135 formal notices.
The number of complaints filed and the number of inspections continue to increase, forcing the CNIL to take new corrective measures. The objective of the latest reform of April 8, 2022 is to simplify the repressive actions and to be able to increase the processing capacity of the files. The President of the CNIL can now decide, depending on the complexity of the cases, on a so-called simplified sanctioning procedure.
The President of the CNIL will then refer the matter to the President of the restricted panel and appoint a rapporteur from among the CNIL staff who will be responsible for examining the case. The simplified sanction procedure is simpler than a traditional procedure. The Chairman of the restricted panel, or a member designated by him, will rule alone and no public meeting will be necessary.
Increase in monetary sanctions
The decided sanctions will not be made public and the maximum amount of fines is capped at €20,000. With the GDPR, the amount of the sanctions can go up to 20 millions euros or, if necessary, for a company to 4% of the annual worldwide turnover. For example, a famous social network has been fined €60 million on December 31, 2021 for not respecting the GDPR terms and conditions related to cookie refusal as well as a bad treatment of personal data.
The formal notice procedure has also been adjusted. The president of the CNIL can now issue letters of formal notice without waiting for a written response from the targeted companies. The company will therefore be obliged to comply with the GDPR within a period determined by the President. The company is no longer required to send elements to the CNIL attesting of its compliance but the regulator stipulates that other means will be available for verification (such as a subsequent audit).
In specific situations, the previous 6-months limit disappears to give companies more time to put their compliance programs into action.
The CNIL's intention through these simplified procedures is to significantly increase its controls and sanctions volume.
It should also be noted that the CNIL is the competent French authority for the application of the GDPR. Other entities and other legislations also exist (CCPA for California, LGPD for Brazil, PDPA for Thailand,...). When a company has an audience coming from other countries, it is better to opt for effective international solutions. For example, Secure Privacy uses a technology capable of respecting the different legislations according to the place of connection and offers an interface matching different recommendations in force in the country of connection, all of this in more than 70 languages.
The key takeaway is that no company, no matter how small it is, will be spared from the simplified penalty procedure. A proactive rather than reactive approach will always be valued by the different authorities in case of control. This will allow you to show several actions you did towards transparency and compliance at scale.
Do not hesitate to reach out to us. We will help you in understanding where you are and where you should go.
Do You Really Need A Cookie Preference Center? Here's What You Should Know
- Cookie Consent
Understanding the Key Differences Between GDPR And CPRA
As the world of data security and privacy evolves, it is important to stay abreast of the latest developments. This article will examine the key differences between the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Rights Act (CPRA). Learn how these two privacy regulations interact with each other and how their requirements might affect your business.
- Data Protection
Prepare for a Cookie-Free Future: A Look at Third-Party Cookies in 2023
This blog post will look at third-party cookies in 2023 and how marketers can prepare for the upcoming shift. We'll talk about the effects of browsing without cookies, new technologies that could replace them, and ways to keep your marketing efforts effective in a world without third-party cookies.
- Cookie Consent