CNIL publishes its 2020 activity report
Impact of the health crisis, new rules on cookies, cybersecurity and digital sovereignty: in its 41st activity report, the CNIL looks back at the highlights of the year and its assessment, marked by a still high number of complaints and a considerable increase in data breaches, three years after the GDPR came into force.
COVID-19: protection of personal freedoms and data at the heart of public debates
Throughout the year, the CNIL actively advised the public authorities to help ensure that the implementation of health information systems (StopCovid-TousAntiCovid, SI-DEP, Contact Covid, Vaccin Covid) respects the rights of the persons concerned. The CNIL's participation in European cooperation has also made it possible to reach important common positions, particularly on contact monitoring applications or the processing of health data for scientific research purposes in the fight against the virus.
In order to answer a large number of questions from individuals and professionals, the CNIL has been able to offer new content on its website, such as information on educational continuity, remote working, the distribution of masks by local authorities and TousAntiCovid.
In addition, the CNIL has prioritized the processing of complaints related to COVID-19 as well and investigated on the devices implemented. Il also carried out investigations on subjects as diverse as « COVID-19 callback register » or the use of drones equipped with cameras to monitor compliance with lockdown measures.
The mobilisation of the CNIL during the health crisis
to the Government
8 parliamentary hearings
of the Chair of the CNIL
89 research authorisations
on COVID-19 (63% of cases processed in less than a week)
in relation to the pandemic between May and November 2020
New rules for cookies: a turning point for internet users and online advertising industry
This change in the applicable rules was accompanied by the publication of many information for professionals (making your site compliant, solutions for audience measurement tools, questions and answers, etc.) and for individuals (everyday changes, advice to have control on your browser, CookieViz software, etc.).
As the deadline for adapting to the guidelines expired on 31 March 2021, the CNIL now ensures that all public and private players comply with these rules.
A stronger protection for people in their digital lives
In 2020, the CNIL considerably increased its editorial offer with practical information or advice related to current events. It has mobilised all the means at its disposal to better communicate with its various audiences on social networks or via its switchboard.
As a result, almost 10 million visits were recorded across all its websites, an increase of 21% compared to 2019, including more than one million visits to the « Besoin d’aide » (Need Help) section.
The CNIL also received 13,585 complaints, i.e. a 62.5% increase since the implementation of the GDPR. This figure, which is still high and constant compared to 2019, confirms that the French are becoming increasingly aware of their rights. Of these complaints, 4,528 were followed by a rapid response and 9,057 required further investigation.
Data security, a major investigation issue for the CNIL
In 2020, the CNIL received 2,825 notifications of personal data breaches, 24% more than in 2019. For more than 500 of these, the origin was a ransomware attack, which the CNIL noted an increase in 2020 and notably in 2021 for health establishments.
In 2021 and beyond, the CNIL will pay particular attention to compliance with the security rules concerning health data, the loss, alteration or unauthorised access of which may have particularly serious consequences for the persons concerned.
More support and advice for professionals and public authorities
While each organisation is responsible for its compliance with the GDPR and the French Data Protection Act, the CNIL offers a complete toolbox to help them understand and apply the various rules. Support for professionals has been provided at two levels, with general and sector-specific tools.
Among the general support tools, the CNIL has published a guide to authorised third parties and a guide to help professionals define data retention periods, as well as numerous contents on cookies and other trackers. Other content on compliance tools provided by the GDPR has also been made available to professionals. New explanatory information for understanding and mastering codes of conduct (to harmonise practices at the level of a sector of activity) or binding company rules (intra-group data protection policy for transfers of personal data outside the European Union), but also certification (of a product, service, process or data system) are thus available on cnil.fr.
The CNIL has also strengthened its sectoral support by publishing new guidelines, taking into account the requirements of the GDPR, for the management of medical and paramedical practices, for the management of human resources as well as a consultation on a draft guideline for rental management.
With regard to the public authorities, the CNIL took part in 20 parliamentary hearings and replied to 8 questionnaires sent to parliamentarians. In 2020, it adopted 96 opinions on draft texts, particularly in connection with the health crisis or concerning the PASP, GIPASP and EASP files. Without constituting an "authorisation" or a "refusal", these opinions make it possible to enlighten the public authorities on the issues of data processing and liberties.
Numerous investigations and a total of €138 million fines
In 2020, the CNIL conducted 247 investigations:
These investigations are carried out following complaints or reports (40% of cases), at the initiative of the CNIL according to current events (32%) or in connection with annual priority issues (15%), or following formal notices or sanctions (3%).
In 2020, the CNIL's restricted commitee issued 14 penalties, including 11 fines totalling 138,489,300 euros (sometimes accompanied by an injunction with periodic penalty payment), 2 warnings and one injunction under penalty not associated with a fine. Only one case was dismissed.
The year was also marked by a first sanction decided in cooperation with the other European data protection authorities in the framework of the so-called "one-stop shop" procedure.
The Chair of the CNIL, Marie-Laure Denis, also issued 49 orders to comply, including three public notices and four in cooperation with other European data protection authorities. She also issued 38 reminders and 2 warnings, notably following complaints.
Intensified European cooperation in 2020
More than 1,000 European cooperation cases concerned complaints or investigations. The CNIL was the lead authority (when the main establishment of the organisation concerned is located in France) in around 100 cases and the authority concerned in almost 400 cases.
14 draft European sanctions were examined by the CNIL, including 6 decisions adopted by the restricted committee containing relevant and reasoned objections or comments.
Anticipation of privacy issues
In addition to its support and control missions, the CNIL pursues, on a daily basis, its objective of anticipating technological innovation and the issues at stake for privacy and individual freedoms.
In 2020, the CNIL notably led debates on the right to data portability, with an event organised in November which contributed to the publication of a new comprehensive practical sheet for professionals. It also published a firstwhite paper, Listening to You, on voice assistants. In response to the ethical mission entrusted to it by the « loi pour une République numérique » (Law for a Digital Republic), the CNIL also proposed a new format for its annual "air" (avenir (future), innovations, revolutions) event on the theme of "changes in the world of work".
A "sandbox" for specific support
As part of its support strategy, the CNIL has launched a first "personal data sandbox" session, in the form of a call for projects in the field of health: ten projects will thus benefit from CNIL support in 2021, four of which will receive enhanced support in order to come up with a solution that respects the privacy of individuals.
Anticipating new digital uses after the health crisis
In its annual report, the CNIL presents some initial ideas to better understand the uses of digital technology during the various confinements and anticipate future innovations.
A future white paper on payment data
Payment data, its circulation and protection are an integral part of society's challenges. In 2020, the pandemic brought this issue to the forefront, accelerating certain transformations at work in the field of payments. The CNIL intends to address this issue in a graduated manner and will soon publish a white paper on the subject.
Research on the profile of complainants
On 13 April 2021, the CNIL published its 8th Innovation and Prospective booklet, Scenes from Digital Life (in French), devoted to the protection of data by individuals in their daily lives. This publication explores the historical construction of the law around personal data protection, the diversity of individual practices in this area, the social situations that determine recourse to the CNIL and the stages prior to recourse.
Data as an environmental issue
Global warming and the environmental transition are at the heart of the challenges to be met, both now and in the years to come. The link between data protection and the environment will be the subject of prospective work by the CNIL's Digital Innovation Laboratory (LINC) from 2021.