On 9 June 2020, the CNIL published its 2019 activity report.
This 100-page report provides a retrospective of the CNIL activities during 2019 by:
- recalling key dates and events such as the 50 million euro sanction against Google LLC or the many recommendations it has published;
- providing statistics on controls, sanctions and the numerous requests or complaints it receives (up 27% over the year); or
- detailing its action and/or position on several subject matters such as cooperation at European and international level, the use of data for research purposes, facial recognition experiments and its action plan on cookies.
The highlights of its 2019 report are summarised below.
Key figures on complaints, controls and sanctions
- 14,137 complaints, an increase of 27% over 2018 (11,077) and 79% in five years;
- 2,287 notifications of personal data breaches;
- 300 audits carried out, including:
  - 169 on-the-spot checks;
  - 53 on-line checks;
  - 45 documentary checks;
  - 18 hearings.
- 42 formal notices were served, 2 of which were made public;
- 2 orders and 2 warnings; and
- 8 sanctions for a record total amount of €51.375 million, including €50 million for the Google decision alone, as well as 5 injunctions subject to periodic penalty payments and 2 dismissals.
Furthermore, 79 final decisions were adopted under the European one-stop-shop framework in 2019. The CNIL was the lead authority in 10 cases and participated in 32 other decisions.
In view of the statistics at the national level, we understand that the CNIL continues its policy of supporting compliance rather than repression and sanctions.
The most common breaches are security-related and are systematically audited by the CNIL as part of its inspections
The CNIL points out that two thirds of the sanctions issued since 2017 include a breach of security, and more than 40% of sanctions are based on that ground alone.
However, the amounts of sanctions based solely on a breach of security remain relatively low, ranging from 15,000 to 400,000 euros.
Sanctions are imposed in particular for the following security breaches:
- data freely accessible through URL modification (lack of authentication, predictable URL);
- a non-compliant password policy;
- the transmission of data via an unencrypted connection (HTTP);
- the absence of automatic locking of workstation sessions;
- a lack of testing protocol to guarantee the absence of vulnerability before a new development is put into production (…)
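The first item in that list, records reachable by editing a URL with no authentication and guessable identifiers, is the kind of defect that is cheap to find in an audit and cheap to fix. The following is an added illustration written for this summary, not code from the CNIL report or from any sanctioned organisation: a vulnerable lookup keyed on sequential integers with no caller check, beside a hardened service that requires an authenticated user, checks ownership, and issues non-enumerable identifiers. All names, record contents and the `RecordService` API are constructed for the example.

```python
"""Added example (not from the CNIL report): URL-addressed records with and
without access control. Everything below is constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Record:
    owner: str
    body: str


# --- Vulnerable pattern -------------------------------------------------------
# Constructed sample store keyed on sequential integers. A visitor who sees
# /records/1 in their own URL can simply request /records/2, /records/3, ...
VULNERABLE_STORE: Dict[int, Record] = {
    1: Record("alice", "alice's constructed medical file"),
    2: Record("bob", "bob's constructed medical file"),
}


def vulnerable_get(record_id: int) -> str:
    """Returns any record to anyone: no authentication, no ownership check,
    and the identifier space is trivially enumerable."""
    return VULNERABLE_STORE[record_id].body


# --- Hardened pattern ---------------------------------------------------------
class Unauthorized(Exception):
    """No authenticated session was presented."""


class Forbidden(Exception):
    """The record does not exist for this user (existence is not revealed)."""


class RecordService:
    """Constructed service: opaque random ids plus authentication and ownership
    checks on every read."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def create(self, owner: str, body: str) -> str:
        # 128-bit random identifier: cannot be guessed or enumerated by
        # incrementing a number in the URL.
        rid = secrets.token_urlsafe(16)
        self._records[rid] = Record(owner, body)
        return rid

    def get(self, session_user: Optional[str], record_id: str) -> str:
        # Authentication: refuse anonymous callers outright.
        if session_user is None:
            raise Unauthorized("authentication required")
        rec = self._records.get(record_id)
        # Authorization: a missing record and someone else's record produce the
        # same error, so the response does not confirm whether an id exists.
        if rec is None or rec.owner != session_user:
            raise Forbidden("no such record for this user")
        return rec.body


def demo() -> Dict[str, str]:
    """Exercise both patterns and report the outcome of each access."""
    outcomes: Dict[str, str] = {}
    outcomes["vulnerable_anonymous"] = vulnerable_get(2)  # anyone reads bob's file

    svc = RecordService()
    rid = svc.create("alice", "alice's constructed record")
    outcomes["hardened_owner"] = svc.get("alice", rid)
    for label, user in (("hardened_anonymous", None), ("hardened_other_user", "bob")):
        try:
            svc.get(user, rid)
            outcomes[label] = "granted"
        except Unauthorized:
            outcomes[label] = "unauthorized"
        except Forbidden:
            outcomes[label] = "forbidden"
    return outcomes


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ownership check is the important part: an authenticated session alone does not stop a logged-in user from editing the URL to reach another user's record, so the server must verify that the requested object belongs to the caller on every request, and random identifiers only make guessing harder rather than replacing that check.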
The CNIL stresses the fact that security is systematically verified in the 300 formal control procedures it carries out each year.
It checks compliance with basic principles (passwords, database and network security, etc.) and also verifies that a data breach register is kept, a new obligation under the GDPR (RGPD).
The CNIL declares that it will continue to sanction the most obvious breaches of the security obligation in order to ensure that a minimum level of data security is achieved.
The CNIL cookies action plan
The CNIL will continue to follow its action plan proposed on 28 June 2019 and has two objectives:
- respond to individual and collective complaints (La Quadrature du Net, Privacy International, NOYB); and
- accompany professionals in the digital marketing sector in their compliance.
Following the publication of guidelines in 2019 and its public consultation launched in January 2020, the CNIL will publish a recommendation proposing operational procedures for collecting consent.
A reminder of the EU position on the Cloud Act (US law)
The CNIL dedicates a whole section to international legal and investigative cooperation, and more particularly to the impact of the US Cloud Act on the EU data protection framework.
This law allows the US authorities, in the context of legal proceedings, to address access requests directly to digital companies subject to US law, including when the data is stored outside the US.
The CNIL and the European authorities, in a position taken in July 2019, consider that such requests from the US authorities, when made outside of any international agreement or mutual legal assistance treaty, cannot be considered lawful.