On 2 March 2021, the CNIL announced its control programme for the year 2021.
In addition to the inspections that the CNIL carries out following complaints or in connection with the news, the CNIL will focus its inspection activities on three priority themes in 2021:
- the cybersecurity of websites;
- the security of health data; and
- the use of cookies.
In 2020, the CNIL carried out 6,500 acts of investigation, including 247 formal control procedures.
In 2021, more than fifty of these formal control procedures will be devoted to the three priority themes.
The CNIL control strategy is in line with its 2020 control strategy insofar as the security of health data and the use of cookies were already two of its priority theme last year.
Cybersecurity of websites
As previously reported by the Commission, website security flaws are among the most frequent breaches during checks and the number of data breach notifications is up 24% between 2019 and 2020, i.e. 2825 notifications received.
The CNIL will focus on the level of security of the most visited French websites in different sectors and in particular :
- personal data collection forms ;
- the use of the HTTPS protocol; and
- the compliance of actors with the CNIL recommendation on passwords
The audited organisations will also be questioned about their strategy to protect themselves from ransomware attacks. (see the article on EDPB practical recommendations on data breaches ).
Security of health data
In the current health context and in view of the increasing digitalisation of the health sector (e.g. online medical appointment scheduling platforms, etc.), the CNIL wishes to continue its inspections begun in 2020.
According to the CNIL, the controls carried out should help to further increase the level of security of personal health data.
Compliance with the rules applicable to cookies and other trackers
In 2020, the CNIL focused particularly on meeting obligations in terms of advertising targeting and user profiling.
In 2021, the CNIL will extend the scope of its controls to include compliance with the rules relating to the collection of consent.
