May 16, 2022

More than 14,000 complaints filed with the CNIL in 2021

When processing personal data on your website, you must follow a number of rules and recommendations. If you do not, you expose yourself to fines and enforcement procedures.

The Commission Nationale de l'Informatique et des Libertés (CNIL) is an independent administrative authority in charge of protecting users' personal data. Its mission is to ensure that information technology serves citizens and does not infringe on human identity, human rights, privacy, or individual or public liberties.

The CNIL has an advisory and informational role, but it also has powers of investigation and sanction. It monitors the proper implementation of the measures required by the General Data Protection Regulation (GDPR).

The CNIL defines four main steps to comply with its recommendations:

  • Establish a register of your data processing activities
  • Sort out your data
  • Respect individuals' rights
  • Secure your data

When violations or breaches are detected, the CNIL can decide to issue a formal notice to the companies concerned or to sanction them financially. To avoid this, you need not go through the GDPR compliance process alone. Some technological solutions automate several compliance tasks, such as the management and storage of consent, cookie banners matching different regulations, privacy policy and cookie policy generators, and periodic scanning.

You can find more details in this article on what a cookie banner is, how to make sure it is GDPR compliant, and why you need one.

Some key figures:

Increase in controls in 2021

In 2021, the CNIL carried out a total of 384 controls (compared to 247 in 2020), including 173 online controls, 118 on-site controls, 65 document-based controls and 28 controls under hearing. Following these controls, the CNIL imposed more than €214 million in financial penalties (compared to €138 million in 2020). Over the same year, the CNIL received more than 14,000 complaints and issued 18 sanctions and 135 formal notices.

New procedure

The number of complaints filed and the number of inspections continue to increase, which has led the CNIL to adopt new corrective measures. The objective of the latest reform, dated April 8, 2022, is to simplify enforcement actions and increase the CNIL's capacity to process files. Depending on the complexity of a case, the President of the CNIL can now decide to use a so-called simplified sanction procedure.
The President of the CNIL then refers the matter to the President of the restricted panel and appoints a rapporteur from among the CNIL staff, who is responsible for examining the case. The simplified sanction procedure is lighter than the traditional one: the President of the restricted panel, or a member designated by them, rules alone, and no public hearing is required.

Increase in monetary sanctions

Sanctions decided under the simplified procedure are not made public, and the fine is capped at €20,000. Under the ordinary procedure, GDPR fines can reach €20 million or, for a company, 4% of its annual worldwide turnover, whichever is higher. For example, a well-known social network was fined €60 million on December 31, 2021 for failing to comply with the GDPR requirements on cookie refusal and for improper handling of personal data. Criteo, a global advertising technology company, was also fined €40 million by the French data protection authority in June 2023 for violating the GDPR.

Recurrent controls

The formal notice procedure has also been adjusted. The President of the CNIL can now issue formal notices without waiting for a written response from the targeted companies. The company is then obliged to bring itself into compliance with the GDPR within a period set by the President. The company is no longer required to send the CNIL evidence attesting to its compliance, but the regulator states that other means of verification remain available (such as a subsequent audit).

In specific situations, the previous six-month deadline no longer applies, giving companies more time to put their compliance programmes into action.

The CNIL's intention through these simplified procedures is to significantly increase its controls and sanctions volume. 

It should also be noted that the CNIL is the competent French authority for the application of the GDPR. Other authorities and other laws also exist (the CCPA for California, the LGPD for Brazil, the PDPA for Thailand, and so on). When a company has an audience in several countries, it is better to opt for a solution that works internationally. For example, Secure Privacy uses a technology that applies the legislation in force in the user's country of connection and presents an interface matching the recommendations applicable there, in more than 70 languages.

The key takeaway is that no company, however small, is exempt from the simplified sanction procedure. A proactive rather than reactive approach will always be valued by the authorities in the event of a control, since it lets you demonstrate the concrete steps you have taken towards transparency and compliance at scale.

Do not hesitate to reach out to us. We will help you in understanding where you are and where you should go. 

Sources

https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532?isSuggest=true

https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045067923

https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000045538006
