CNIL announces its enforcement priorities for 2021 | Fieldfisher



Enforcement priorities: determining factors of formal proceedings

Similar to previous years, the French Data Protection Authority (CNIL) has just announced its top three enforcement priorities for 2021, namely: cybersecurity, security of health data and cookies.
This year's CNIL enforcement strategy will give rise to more than 50 enforcement proceedings – approx. 20% of its overall yearly enforcement. Formal proceedings can be carried out in the form of on-site or online inspections, formal requests for information or orders to appear at a hearing before the CNIL (see the CNIL's explanation in English here). Where the CNIL considers there to be a violation of data protection law, these proceedings may lead to sanction decisions pronounced by the CNIL's sanction committee. The CNIL may also initiate proceedings based on the complaints or queries it receives from data subjects, or on its own initiative, for example when it picks up events reported in the press. The CNIL will also continue to cooperate with other EU data protection authorities on cross-border enforcement actions, based on the mutual assistance and joint inspection procedures of the GDPR.

Cybersecurity: ensuring the security of websites

According to the CNIL, too many websites fail to properly protect personal data, which has resulted in a rise in data breaches on web platforms. Indeed, 2020 saw a significant increase in the number of data breaches notified to the CNIL – 24% more than in 2019.

The CNIL intends to assess the level of security of the "most used" websites across sectors. However, it remains unclear how the CNIL will identify these websites and the concerned sectors (e.g. e-commerce, social networks, or newspapers). During its inspections, the CNIL will focus primarily on (1) the security of online forms through which users can directly provide their personal data (e.g. to subscribe to a newsletter or create a user or customer account), (2) the use of the HTTPS protocol and (3) the websites' compliance with the CNIL's recommendation on how to set up robust passwords. Lastly, the CNIL expects organisations to be able to justify that they have put measures in place to prevent ransomware.

It remains uncertain whether this enforcement strategy will primarily target data controllers and/or data processors. As highlighted in a recent decision, the CNIL can pronounce a fine against both a data controller and a data processor (see our previous analysis here).

In any event, this suggests that the CNIL will be more attentive when reviewing the data breach notifications it receives. In particular, it may apply a higher level of scrutiny when assessing the preventive measures that were implemented prior to a data breach and how controllers and processors have acted to remedy the breach and mitigate the risks for individuals.

Security of health data

The security of health data was already on the CNIL's agenda last year. The Covid-19 pandemic – and as a consequence, the ever-increasing volume of health data that are being collected and processed – together with the digitalisation of many health services, make this topic all the more relevant nowadays. To learn more about the recent developments on data security in the health sector, please read our blog post here.

Compliance with cookies rules

The CNIL's enforcement strategy for 2020 had already identified compliance with the rules applicable to cookies and online trackers as a top priority. It comes as no surprise that this area continues to be a (high) priority on the CNIL's agenda this year. Following a legal setback in court (see our post on this topic here), the CNIL adopted the final and updated version of its guidance on cookies in September 2020, as previously analysed here. The new guidance repealed its former (somewhat more lenient) guidelines of 2013, which considered further browsing as valid consent for cookies. The CNIL granted organisations a six-month grace period – which comes to an end on 31st March 2021 – to comply with its new cookie guidelines.

Tougher enforcement in sight…

In the meantime, the CNIL already started enforcing those cookie rules that have remained the same since 2013, such as the requirements to obtain user consent prior to setting cookies, to inform users about cookies and to give users the possibility to reject cookies (see our analysis of the sanctions adopted against Google and Amazon here).

Starting from 1st April 2021, the CNIL is expected to start enforcing the French law on cookies in light of its new cookie guidance. Given the more nuanced and practical rules on how to obtain valid consent from users, it is reasonable to expect that the CNIL will review French websites with a lot more scrutiny in the future.

…alongside a more pedagogical approach to encourage compliance

The CNIL has set up an online observatory to monitor and assess the cookie practices of the 1,000 most important websites in France. The observatory recently published a report regarding inter alia the cookies that are automatically set without user consent and the number of third-party cookies used. The CNIL contacted the organisations that it deemed not compliant with cookies rules (200 public entities and a number of private entities setting more than 6 third-party cookies without user consent) asking them to review their cookie practices before the end of March 2021. While these initiatives may not constitute formal proceedings, they should be viewed as a final warning as they clearly indicate that the CNIL has already targeted a number of companies and is getting ready for further enforcement measures.

Online inspections on the rise?

Online processing is clearly a high priority for the CNIL in 2021. In 2019, less than 20% of the CNIL's enforcement action occurred online while on-site inspections accounted for an overwhelming majority.

In this context, and given the increased online activities (including those of employees) in the post-Covid-19 era, it is clear that the CNIL will be more attentive to online processing activities this year. As a reminder, CNIL agents are authorised by law to access online data and to assess the security measures and cookie practices on an organisation's website. They can copy the webpage source code and save screenshots. In line with the principle of accountability, companies should audit their websites to test their security, including passwords and online forms, as well as scan the cookies used and check the proper implementation of their consent management platform.
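As an added illustration of the cookie part of such a self-audit (example code, not part of the Fieldfisher post or any CNIL tool): the snippet takes the Set-Cookie headers returned during a first page load, before the visitor has answered the consent banner, and reports which cookies are set without consent, how many come from third parties and whether the page was served over HTTPS, the points the CNIL observatory and inspections look at. The site domain, the captured responses and the allow-list of strictly necessary cookies are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample (assumption): (response URL, Set-Cookie header) pairs captured
# from every response during the first page load, before any consent was given.
PRE_CONSENT_RESPONSES = [
    ("https://www.example.fr/", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("https://www.example.fr/", "cmp_choice=pending; Path=/; Secure"),
    ("https://www.example.fr/", "_ga=GA1.2.111; Domain=.example.fr; Path=/; Max-Age=63072000"),
    ("https://www.example.fr/", "_fbp=fb.1.222; Domain=.example.fr; Path=/; Max-Age=7776000"),
    ("https://ads.tracker.example/pixel", "IDE=xyz; Path=/; Secure"),
]
# Hypothetical allow-list: cookies the operator documents as strictly necessary
# (exempt from consent); every other cookie set at this stage is a finding.
ESSENTIAL = {"session_id", "cmp_choice"}

def registrable_domain(host):
    """Crude site key: the last two labels of a hostname. Adequate for an internal
    audit of .fr/.com sites; a production tool would use the public suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def audit_pre_consent_cookies(site_url, responses, essential):
    """Return the cookies set before consent, how many were set by third-party
    responses, and whether the audited page itself was served over HTTPS."""
    site = registrable_domain(urlsplit(site_url).hostname)
    findings = []
    for origin_url, header in responses:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus Domain/Path/Max-Age and flags
        origin = registrable_domain(urlsplit(origin_url).hostname)
        for name in jar:
            findings.append({
                "name": name,
                "third_party": origin != site,      # set by another site's response
                "needs_consent": name not in essential,
            })
    return {
        "set_without_consent": sorted(f["name"] for f in findings if f["needs_consent"]),
        "third_party_count": sum(f["third_party"] for f in findings),
        "https": urlsplit(site_url).scheme == "https",
    }

if __name__ == "__main__":
    print(audit_pre_consent_cookies("https://www.example.fr/", PRE_CONSENT_RESPONSES, ESSENTIAL))
```

Any name listed under set_without_consent is a cookie the consent management platform should have held back until the visitor accepted, so a non-empty list is the finding to act on.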