The 2022 annual report of the CNIL
Strengthening support for businesses and administrations, public information campaigns and digital education for young people, complaints and law enforcement, future European rules on data: in this new report, the CNIL reviews the highlights of 2022.
The publication of its activity report enables the CNIL to report on its actions with regard to its four major missions: inform and protect the general public, accompany and advise professionals and public authorities, anticipate and innovate to build the digital of tomorrow, and finally monitor and sanction breaches of the General Data Protection Regulation (GDPR) and the French law.
Informing and protecting
The actions carried out this year reflect a new dynamic of communication between the CNIL is its audiences. Several campaigns aimed at the general public were launched in 2022: “ All together, caution on the Internet!”, a set of resources to accompany children from CE2 (3rd grade) to CM2 (5th grade), as well as two radio spots broadcast during the holidays and which have reached more than 8 million listeners each. The website cnil.fr has recorded a new audience record, with more than 11 million visits, demonstrating the interest of individuals and professionals in the many content offered.
As regards the protection of persons, for the first time since the entry into force of the GDPR, the CNIL has dealt with more complaints than it has received, which has led to a decrease in the stock. It received 12,193 complaints and dealt with 13,160 complaints. This result is the result of two years of efforts that have enabled the opening of a portal offering users the opportunity to follow their file, simplify and secure exchanges with the CNIL.
calls answered during hotlines
visits to CNIL’s websites
Supporting and advising
Supporting professionals in their compliance process is one of the essential tasks of the CNIL. Beyond sectoral support and, in some cases, individual, the CNIL produced new tools in 2022, including guides, benchmarks, and recommendations. The year was also marked by the publication of its position on the deployment of ‘enhanced’ cameras in public spaces.
In addition, the CNIL has published a major update of its MOOC “Atelier RGPD”” (GDPR workshop), a free training course open to all. New modules make it possible to revisit the key concepts of the GDPR and a new one is aimed specifically at local and regional authorities. A series of webinars complemented the CNIL ‘toolbox’ on various themes: health, commercial prospecting, safety, etc.
Among the highlights was also the launch of a regional travel programme, the ‘GDPR Days’. New meetings are planned in 2023 in several cities in the metropolis.
Finally, with a first experiment carried out in 2021 and its success, the CNIL proposed a second edition of its ‘sandbox’ personal data, which helped support 10 innovative digital projects in the field of education (EdTech).
Health Authorisation Files Processed
days of average processing time for applications for health authorisation
projects supported via the EdTech 'sandbox'
Anticipating and Innovating
In order to detect and study technologies or new uses that may have significant impacts on privacy, the CNIL ensures a dedicated monitoring on which it communicated by publishing the research program of the next few years of the LINC (Laboration d’innovation numérique de la CNIL). It thus contributes to the development of technological solutions that protect privacy by advising companies as upstream as possible, in a sense of privacy by design.
In the field of artificial intelligence, the CNIL has paid particular attention to the development of products or services based on algorithms that are data-intensive, often personal, and whose use requires compliance with certain precautions. In this context, it published a set of content for all audiences in 2022 and announced, in early 2023, the creation of a dedicated AI department.
Last year’s review also includes the organisation of the first edition of the Privacy Research Day, which brought together European researchers on data protection and generated numerous scientific contributions.
participants at the air2022 event on digital education
design patterns respectful of personal data on design.cnil.fr
Investigating and issuing sanctions
In 2022, CNIL’s law enforcement activity confirmed the 2021 trends, both in terms of the number of measures adopted (21 sanctions and 147 formal notices), and by the cumulative amount of fines, which exceeds EUR 100 million. Since the GDPR came into force in 2018, the total amount of sanctions imposed exceeds half a billion euros. The organisations involved in these measures are of all sizes, including digital giants, and belong to a wide variety of sectors.
The sanctions procedures have benefited from a major reform, with the creation of a simplified procedure, adapted to cases that do not present any particular legal or technical difficulty, and which will allow the CNIL to act better in the face of numerous complaints. While for the conventional procedure, the amount of fines can be up to EUR 20 million or 4% of global annual turnover, the penalty incurred under a simplified procedure is up to EUR 20 000.
EUR 101 millions
notices of formal notice