The 2020 activity report published by the CNIL earlier this week provides an overview of the CNIL's mission to support various actors in their compliance with the personal data laws and regulations over the past year.
The data protection authority outlines its plans for 2021, such as the development of a white paper on payment data or the implementation of prospective work by the CNIL's digital innovation laboratory (LINC) to reconcile data protection and environmental protection.
This report also provides valuable information about the scope of the Commission's control and sanctioning missions.
Most of the time, CNIL controls are carried out following the receipt of complaints (40% of controls in 2020). Those carried out spontaneously by the authority (32%) are generally related to current events (e.g., the use of drones by law enforcement agencies or a data breach in a healthcare institution). Some controls allow for a follow-up of a formal notice or sanction procedure (3%).
In 2020, in 10% of the cases, the CNIL used its verification power in the fight against COVID-19 (e.g.: launch of the government application StopCovid).
Finally, the CNIL defines each year several annual priority themes, which represented 15% of its controls last year.
During the year 2020, 247 controls were carried out. The CNIL issued 14 sanctions, including 11 fines, sometimes accompanied by an injunction under penalty, two reminders and one injunction under penalty not associated with a fine.
In the most severe scenario, the administrative fine can amount to up to EUR 10,000,000 or up to 2% of the total annual worldwide turnover (Article 83 of the GDPR).
Although this is a maximum risk that concerns the most serious breaches, the verification action carried out by the CNIL targets all types of business sectors and a wide variety of breaches.
2021: what’s the plan?
Based on this assessment of the situation in 2020, the CNIL has determined three sectors that will be targeted as a priority by its compliance actions in 2021. These themes are:
The year 2020 was marked by unprecedented fines in the area of personal data protection at the European Union level (100 million euros against Google and 35 million against Amazon), due to breaches of the laws and regulations on cookies.
A period of 6 months has been granted to the concerned actors to comply. Thus, since April 2021, cookies have been one of the CNIL's target themes for its control activities.
- Data sovereignty
Several major events in 2020 placed the issue of digital sovereignty at the heart of the CNIL's concerns. First, the invalidation of the Privacy Shield, which governed the transfer of data between Europe and the United States, but also the government's commitment to transfer the hosting of the national health data platform Health Data Hub to a secure solution within two years and the various European legislative initiatives such as the Digital Governance Act, the Digital Services Act and the Digital Markets Act.
According to the CNIL, the implementation of data hosting in a sovereign cloud would be the most effective protection solution to face foreign legislation that is sometimes too intrusive. In its report, the authority specifies that this approach will not be limited to health data.
In 2020, the CNIL recorded a record number of notifications of personal data breaches, up by 24% compared to 2019. Among these notifications, there is a clear increase in cases of ransomware.
At the same time, the authority points out in its report the considerable impact of the health crisis on the processing of personal data in 2020, as the various public and private actors have resorted to new technologies that are sometimes intrusive for privacy and involve sensitive data (e.g. contact tracking applications and thermal camera devices at the entrance of business premises) and digital practices have been revolutionized by the massive implementation of teleworking, telemedicine and distance learning.
In 2020, these observations led the CNIL to pay particular attention to compliance with the requirements for obtaining consent and the level of security implemented.
In this context, following the reports of data breaches sent to it that year, the CNIL carried out 56 inspections that resulted in the cessation of data breaches.
In 2021 and beyond, the CNIL is committed to working harder to ensure compliance with security rules.
To consult the CNIL report : https://www.cnil.fr/sites/default/files/atoms/files/cnil_-_41e_rapport_annuel_-_2020.pdf