Presentation of the 2018 Activity report and 2019 issues of the French Data protection authority

15 April 2019

An exceptional year for the French data protection authority (CNIL) marked by the entry into force of the GDPR


The essentials for 2018

  • The entry into force of the General Data Protection Regulation (GDPR) raised professionals' and individuals’ awareness of data protection issues to an unprecedented degree.
  • One of the results has been a considerable increase in complaints.
  • Companies and businesses also addressed a significant influx of enquiries to CNIL on how to comply with the GDPR. Clearly identified as a go-to player, CNIL advised various organizations on their obligations.

CNIL at the service of citizens

The media impact of the GDPR led to a record number of complaints and an increased awareness among citizens

In 2018, CNIL received a record 11 077 complaints (+ 32,5% compared to 2017). About 20% of these complaints are tackled in the framework of European cooperation with other Supervisory Authorities.

These complaints relate mainly to:

  • dissemination of data on the internet: 35.7% (373 requests for delisting, a right now enshrined in the GDPR). People massively request that their data be deleted from the internet (names, contact details, comments, photographs, videos, accounts, etc.). These kinds of complaints show how difficult it can be for individuals to manage their digital life, and in particular their online reputation;
  • marketing / business: 21%;
  • human resources: 16.5%;
  • banking and credit: 8.9%;
  • health and social sectors: 4.2%.

CNIL identified several emerging trends:

  • Remote viewing of CCTV images;
  • Installation of cameras in care units;
  • Use of the right to data portability by bank customers and users of online content services;
  • Increased awareness among citizens regarding the security of their personal data in all sectors;
  • Individuals show concern about the kind of data mobile applications access on their smartphones.

Change in the procedures for the exercise of rights for specific State files

The decree of 1 August 2018 implementing the Data Protection Act now provides for the direct exercise of rights for some specific State files. Previously, as most State files were subject to the regime of the right of indirect access, CNIL was the main contact for individuals.

CNIL is no longer the primary contact for State files.

4264 requests for indirect access rights were addressed to CNIL in 2018, mainly concerning the TAJ and the FICOBA file.

CNIL advises public authorities

The CNIL Board issued 120 opinions on the Government’s draft legislation related to the protection of personal data or to new processing, as well as 110 authorizations.

CNIL also participated in some thirty parliamentary hearings.

CNIL helps professionals to own the GDPR

CNIL: an authoritative information source for companies and businesses

Companies and businesses rely on the numerous GDPR compliance tools that CNIL has developed and makes available on its website (Data Protection Impact Assessment software, MOOC online training, etc.).

"The GDPR effect", already felt in 2017, was accentuated in 2018:

  • 189 877 calls were received (+ 22% compared to 2017);
  • 283 742 consultations of the GDPR Q & A section (+ 59% compared to 2017);
  • 8 million visits on (+ 80% compared to 2017).

New tools for compliance

  • The Data Protection Officer (DPO):
    • 51 000 organizations opted for a DPO, creating a population of 17 000 officers (pooling effect);
    • 16 000 are public bodies;
    • 2 adopted DPO certification standards.
  • 1,170 data breaches were notified in 2018, a significant number of which concerned data privacy breaches.

The enforcement at the service of data security


CNIL carried out 310 investigations in 2018, divided into:

  • 204 onsite investigations (including 20 investigations of CCTV systems).
  • 51 online investigations
  • 51 investigations on the basis of documentation
  • 4 hearings

Orders and sanctions

In most cases, the orders issued by CNIL resulted in the organizations’ compliance.
49 orders were adopted in 2018. Two sectors were particularly targeted:

  • 5 orders in the insurance sector;
  • 4 orders concerned companies specialized in advertising targeting via a technology (Software Development Kit) installed in mobile applications. These orders are closed now.

11 sanctions were pronounced by the restricted committee:

  • 10 monetary sanctions (including 9 public and 7 which concerned breaches of the security of personal data);
  • 1 non-public warning;
  • 1 nonsuit.

Topics for 2019

The 2019 challenges will be to successfully implement the GDPR, to deepen CNIL's capacity for expertise on digital infrastructures and platforms and to continue to weigh in on European and international discussions.

  1. Mastering GDPR, a keystone of a trusted digital environment

2019 will be decisive in giving credibility to the new legal framework and turning this ambitious European gamble into operational success. The expectations of civil society and economic actors are very strong, and this model generates interest around the world. CNIL will articulate its action around two main lines: pedagogy and deterrence.

The 2019 investigations program
CNIL wants to focus this year on complaints and three main themes:

  • An investigation strategy based on the complaints CNIL receives (either collective or individual) in order to stay in touch with the expectations of citizens. The investigations will include the practical exercise of rights, which represents about 73,8% of the complaints received.
  • Investigations on main and cross-sector themes, rather than specific processing: the sharing of responsibilities between processors and subcontractors, the data of children (photos, biometric data and CCTV in schools, parental consent for children under 15).

  2. CNIL as an expert on infrastructures and digital platforms

In order to continue to be an effective and pragmatic digital regulator, CNIL must constantly reinvent itself to be able to always master subjects that require advanced technological expertise. In a context of permanent innovation, CNIL makes sure to anticipate what’s ahead.

  3. Diplomacy of personal data, at European and international level

CNIL intends to maintain a leading role at European level by defending French positions in the European Data Protection Board (EDPB), particularly in the framework of the 2019-2020 work program. It will participate in initiatives aimed at developing operational cooperation with its non-European counterparts and a convergence of data protection principles worldwide.

