2021, a record year for the CNIL's enforcement action
At the beginning of this year, the CNIL is taking stock of its enforcement action. 2021 was an unprecedented year, both in terms of the number of measures adopted (18 sanctions and 135 orders to comply) and in terms of the cumulative amount of fines, which reached more than 214 million euros.
18 sanctions targeting various sectors of activity
In 2021, the CNIL's restricted committee imposed 18 sanctions, for a total of 214,106,000 euros. 12 of them were made public.
These sanctions included 15 fines (5 of which were imposed with injunctions) and 2 reprimands, issued with injunctions. For the first time, a decision was made to liquidate a penalty payment (i.e. the payment of a sum due to non-compliance with an order issued by the CNIL). In practice, the company concerned, which was initially fined 7,300 euros, had to pay an additional penalty payment of 65,000 euros because it had not made the changes to its data processing that were requested in the sanction decision.
This year's decisions concerned a wide range of sectors and players. Among the most frequent breaches were failure to inform individuals and excessive storage periods (see table). Among these 18 sanctions, the half involved a breach relating to the security of personal data, which illustrates two things:
- the security measures taken by the organizations are often insufficient;
- the CNIL systematically checks the security of information systems when it carries out an inspection.
Finally, four sanctions concerned mismanagement of cookies and other tracers.
Four CNIL decisions were adopted in cooperation with European counterparts as part of the one-stop shop mechanism provided for by the GDPR. At the same time, the CNIL examined 17 draft decisions from European counterparts relating to processing operations involving French citizens.
135 orders to comply and numerous compliance measures
A record number of orders to comply (a decision by the chair of the CNIL ordering an organization to comply within a maximum period of 6 months) was also reached in 2021, with 135 decisions issued, including 2 that were made public (against Clearview and Francetest) and 3 adopted in the framework of European cooperation.
This represents a very substantial increase in the number of orders to comply compared to previous years.
A large proportion of these orders to comply concerned the priority issue of cookies: 89 decisions included a breach relating to the use of cookies (84 of which were fully dedicated to this issue).
At the same time, the CNIL closed 123 cases (procedures related to sanctions or orders) following, in particular, the examination of the actions taken by the organizations to bring their processing into compliance.
