Priority topics for investigations in 2022: commercial prospecting, cloud and telework monitoring
The CNIL carries out checks on the basis of complaints received, current events, but also priority themes that it chooses on its own initiative. This year, the three themes selected are: commercial prospecting, surveillance tools in the context of teleworking and cloud services.
Each year, the CNIL conducts several hundred investigations (384 in 2021). These investigations are carried out in response to complaints and reports of data breaches (one third of investigations) or are linked to current events. In addition, an investigation plan has been drawn up for high-stakes subjects on which the CNIL wishes to have a strategic position. In 2022, three priority topics were chosen by the CNIL College: commercial prospecting, monitoring of teleworking workers and the use of cloud computing.
Usually, the three topics selected as priorities for the current year represent about one third of the investigations carried out.
After a long phase of consultation with the various players concerned, the CNIL published a new "commercial management" reference framework in February 2022, which notably provides a framework for commercial prospecting and is accompanied by numerous resources to guide players in their compliance.
Unsolicited commercial prospecting is one of the irritants of everyday life in France and is a recurrent subject of complaints and calls to the CNIL hotline.
Based on the recently published reference framework, the CNIL will check the GDPR compliance of professionals in the sector, in particular those who resell data, including the many intermediaries in this ecosystem (also called data brokers).
Monitoring tools for telework
The use of telework has been made compulsory by the different epidemic waves linked to COVID-19. Many employees, agents and employers believe that it will become more widespread and continue, both in companies and in administrations, even when the health situation returns to normal.
The widespread use of telework has led to the development of specific tools, including tools for employers to monitor more closely the daily tasks and activities of employees.
In a constant desire to provide support, the CNIL has communicated widely on the rules and good practices to be respected to ensure a fair balance between privacy at work and legitimate monitoring of workers' activities. It now considers it necessary to verify the compliance of employers' practices in the field.
The use of cloud computing
The use of cloud computing technologies (better known as "the cloud") is constantly developing in both the private and public sectors. These new mechanisms are likely to entail risks for the protection of personal data, in particular massive transfers of data outside the European Union to countries that do not provide an adequate level of protection, or data breaches in the event of incorrect configuration.
In view of these issues, the CNIL considers that these technologies, which have become essential, should be given special attention. Throughout the year, the CNIL will be looking in greater detail at issues relating to data transfers and the framework for contractual relations between data controllers and cloud solution providers.
Cloud: CNIL's action within a European working group
The priority topic of the cloud is also part of the action of the first coordinated enforcement framework of the EDPB. 22 supervisory authorities will, in the coming months, launch investigations into the use of cloud services by the public sector.
This is a key action in the EDPB strategy for the years 2021-2023, which aims at harmonising the effective application of the GDPR and the coordination between supervisory authorities.
At national level, the CNIL will ensure its participation in this European working group through control procedures targeting five ministries.