More than 14,000 complaints filed with the CNIL in 2021
When processing personal data on your website, you must be sure to follow a number of rules and recommendations. If you do not, you expose yourself to fines and procedures.
The Commission Nationale Informatique et Libertés (CNIL) is an independent administrative authority in charge of protecting users personal data. It must ensure that information technology's purpose is to serve the citizens and does not infringe on human identity, human rights, privacy, individual or public liberties.
The CNIL has a monitoring and information role but it also has the power to control and sanction. This authority can monitor proper implementation of the various measures implemented by the General Data Protection Regulation (GDPR).
The CNIL defines 4 main axes to comply with their recommendations:
- Establish a register of your data processing activities
- Sort out your data
- Respect individuals rights
- Secure your data
Some key figures:
Increase in controls in 2021
In 2021, the total number of controls carried out by the CNIL equaled 384 (compared to 247 controls in 2020) including: 173 online controls, 118 on-site controls, 65 controls on documents, 28 controls under hearing. As a result of these controls, the CNIL imposed more than €214 million in financial penalties (compared to €138 million in 2020). More than 14,000 complaints were received by the CNIL, resulting in 18 sanctions and 135 formal notices.
The number of complaints filed and the number of inspections continue to increase, forcing the CNIL to take new corrective measures. The objective of the latest reform of April 8, 2022 is to simplify the repressive actions and to be able to increase the processing capacity of the files. The President of the CNIL can now decide, depending on the complexity of the cases, on a so-called simplified sanctioning procedure.
The President of the CNIL will then refer the matter to the President of the restricted panel and appoint a rapporteur from among the CNIL staff who will be responsible for examining the case. The simplified sanction procedure is simpler than a traditional procedure. The Chairman of the restricted panel, or a member designated by him, will rule alone and no public meeting will be necessary.
Increase in monetary sanctions
The decided sanctions will not be made public and the maximum amount of fines is capped at €20,000. With the GDPR, the amount of the sanctions can go up to 20 millions euros or, if necessary, for a company to 4% of the annual worldwide turnover. For example, a famous social network has been fined €60 million on December 31, 2021 for not respecting the GDPR terms and conditions related to cookie refusal as well as a bad treatment of personal data. Criteo, a global advertising technology company, has also been fined EUR 40 million by the French data protection authority for violating the General Data Protection Regulation (GDPR).
The formal notice procedure has also been adjusted. The president of the CNIL can now issue letters of formal notice without waiting for a written response from the targeted companies. The company will therefore be obliged to comply with the GDPR within a period determined by the President. The company is no longer required to send elements to the CNIL attesting of its compliance but the regulator stipulates that other means will be available for verification (such as a subsequent audit).
In specific situations, the previous 6-months limit disappears to give companies more time to put their compliance programs into action.
The CNIL's intention through these simplified procedures is to significantly increase its controls and sanctions volume.
It should also be noted that the CNIL is the competent French authority for the application of the GDPR. Other entities and other legislations also exist (CCPA for California, LGPD for Brazil, PDPA for Thailand,...). When a company has an audience coming from other countries, it is better to opt for effective international solutions. For example, Secure Privacy uses a technology capable of respecting the different legislations according to the place of connection and offers an interface matching different recommendations in force in the country of connection, all of this in more than 70 languages.
The key takeaway is that no company, no matter how small it is, will be spared from the simplified penalty procedure. A proactive rather than reactive approach will always be valued by the different authorities in case of control. This will allow you to show several actions you did towards transparency and compliance at scale.
Do not hesitate to reach out to us. We will help you in understanding where you are and where you should go.
Guide to the Best Data Privacy Certifications: What Are They, What Are the Best Privacy Certifications, and Do You Need One?
Learn about data privacy certifications for professionals and businesses in this comprehensive guide. Discover the best certifications for privacy professionals and understand how businesses can ensure compliance with privacy laws. Secure Privacy provides essential guidelines and training solutions for data privacy.
- Data Protection
CPPA Releases Draft Automated Decisionmaking Technology Regulations: What Does the Proposed Regulatory Framework for Automated Decision-Making Technology Include?
Explore the proposed regulations by CPPA addressing Automated Decision-Making Technology, risk assessments, and data broker registration to safeguard consumer privacy. Understand the implications, key elements, and compliance measures outlined in this comprehensive framework.
UK Parliament Advances the UK Data Protection and Digital Information Bill for UK GDPR Reform
Discover the latest developments surrounding the UK Data Protection and Digital Information Bill, its potential implications for businesses and individuals, key features replacing the GDPR, and the anticipated impact on data protection in the UK.
- UK DPA