What inspection strategy for 2020?
In 2020, in addition to inspections following complaints, recent news topics and corrective measures, the CNIL will focus its inspection action on three priority themes related to the daily concerns of the French public: health data, geolocation data used by mobility and local-shop services, and cookies and other trackers.
As it does every year, in addition to helping professionals comply with the GDPR, the CNIL will ensure that they meet their obligations by monitoring the processing they implement. To this end, the CNIL carries out thousands of inspections each year, in particular by investigating complaints, carrying out checks under the indirect right of access procedure for certain files processed by competent authorities, processing personal data breach notifications, and initiating formal inspection procedures. These formal procedures (approximately 300 per year) make it possible to investigate complaints in more depth, to react to topical issues, to verify that previous corrective measures have been complied with, and to examine certain topics deemed to be priorities.
Among these formal inspection procedures, more than fifty will be carried out within the scope of three themes selected as priorities for 2020:
Security of health data
Recent health-related news (telemedicine, smart healthcare devices, personal data breaches within public institutions, etc.) shows that health data processing should be closely monitored.
Health data are sensitive data, which are subject to specific protection by the law (GDPR, Informatique et Libertés law, French Public Health Code, etc.) in order to guarantee people's privacy. Through this priority theme, the CNIL wants to focus on the security measures implemented by healthcare professionals or on their behalf.
Mobility and proximity services, the new uses of geolocation data
Numerous solutions are being developed with the stated purpose of making daily life easier: recommending the most suitable means of transport for a given route, optimising travel routes, etc. These solutions often rely on geolocation data and may raise privacy concerns. Inspections will therefore focus on the proportionality of the data collected, the retention periods defined, the information provided to individuals and the security measures implemented.
Compliance with the provisions applicable to cookies and other trackers
This theme, which the CNIL already announced during the summer of 2019, aims to ensure that professionals fully comply with their obligations regarding the tracking of Internet users through cookies or other trackers for advertising and user-profiling purposes.
Indeed, for many years, article 82 of the Informatique et Libertés law, which transposes the ePrivacy Directive of July 12th, 2002 into French law, has imposed a number of basic requirements (the obligation to obtain prior consent, the obligation to inform the user of the purposes of the cookies placed, etc.). Throughout 2020, the CNIL will continue to make sure that these basic requirements are complied with.
However, the application of the GDPR has reinforced certain requirements, for instance on the manner of obtaining consent, which must now be freely given, informed, explicit and unambiguous. Therefore, simply continuing to browse a website can no longer constitute valid user consent to the placing of cookies. The CNIL thus adopted new guidelines in July 2019 to clarify the current state of the law. In 2020, it will issue a recommendation to guide operators through the operational application of the new requirements. Organizations will be allowed a period of 6 months after the publication of this recommendation to comply with the new obligations resulting from the GDPR.
These three themes were chosen by the CNIL because of their impact on the daily lives of citizens. They concern processing implemented during interactions with health professionals or when using new tools to help with daily procedures (choosing a means of transport, looking for a local store, etc.) or, lastly, when surfing the Web.
These three themes will account for around 20% of the formal inspection procedures carried out by the CNIL in 2020. Indeed, as in previous years, inspections will also be initiated following:
- complaints and claims addressed to the CNIL;
- topical issues requiring the inspection of processing operations;
- corrective measures (formal notices, sanctions, etc.) requiring new checks.
Finally, continuing the approach of the last two years, the CNIL will keep cooperating with other European data protection authorities on cross-border processing. It will thus use the two forms of cooperation provided for in the GDPR: mutual assistance, which enables the CNIL to share all relevant information with its counterparts, and joint operations, which enable it to carry out checks in France or in other European Union Member States in the presence of officials from the competent authorities.