On 12 March 2020, the French Supervisory Authority (the CNIL) published its control strategy for the year 2020.
For the year 2020, the CNIL has decided to focus on the following three themes:
- health data
- geolocation for local services
- cookies and other tracking devices
According to the authority, these three themes are not exclusive of other types of controls as they will account for about 20% of the total formal control procedures carried out by the CNIL.
Controls on other themes will also be initiated following complaints, subjects revealed in the news or corrective measures.
Security of health data
Due to recent news in the field of health, in particular relating to health data breaches but also following Google’s proposed takeover of Fitbit, a health application provider, which has prompted the EDPB to react, the CNIL will initiate controls on organisations processing health data. Its controls will focus, in particular, on the security measures implemented by health professionals or on their behalf.
Thus health data hosts, health application providers and hospitals can expect to be audited, especially if they have to notify health data breaches.
Geolocation data used for mobility and proximity services and any new usages
Many solutions use geolocation data to facilitate daily life, such as transportation applications (e.g. Waze, Google Maps, Citymapper).
The CNIL is particularly interested in controlling the proportionality of the data collected in this context, the retention periods, the information provided to individuals and the security measures implemented.
Compliance with the provisions applicable to cookies and other tracers (from autumn 2020)
This theme aims to ensure full compliance by professionals with their obligations regarding the tracking of Internet users through cookies or other trackers.
The CNIL adopted guidelines last July to clarify its position on the use of cookies and other trackers (particularly for targeted advertising purposes) following the adoption of the GDPR, which implies obtaining free, informed, specific and unambiguous consent. In this recommendation, the Commission had indicated that it would give professionals a period of one year to comply.
However, a new and more operational/practical recommendation will be published in the spring of 2020, which will also include a six-month deadline before professionals become subject to sanctions.
Controls on these new obligations will, therefore, start in autumn 2020 and continue in 2021.