French Data Protection Authority (CNIL) Releases its 2019 Annual Activity Report

On June 9, 2020, the French data protection authority (the "CNIL") published its Annual Activity Report for 2019 (the “Report”), highlighting its enforcement activities in 2019 and its plans for 2020.

Some of the highlights of the Report include the following:

• In 2019, the CNIL received 14,137 complaints, an increase of 27% compared to 2018 (11,077 complaints) and a 79% increase in five years. 

  • Almost a third of the complaints relate to the publication of personal data (including photos and videos) on the Internet (e.g. on search engines, online media and directories, social networks and other websites).

  • 422 complaints related to de-listing of personal information from search results. The CNIL reported that it was successful in 98% of the cases transmitted to search engines.

  • The CNIL received nearly a hundred complaints relating to requests for the erasure of content relating to media articles published online (e.g. withdrawal of an article, anonymization, de-listing).

  • Employee monitoring activities at their workplace or during their working time (e.g. by using tools such as video surveillance, geolocation, telephone tapping, etc. generated 10.7% of the complaints received by the CNIL in 2019. In particular, the CNIL noted that the use of CCTV is the cause of most complaints received.

  • Direct marketing, non-profit and political marketing activities by phone, mail or email amounted to 14.7% of complaints received. Individuals mainly complained that they did not give consent and/or succeed in stopping unwanted marketing communications.

  • The volume of security-related complaints has steadily increased over the years and is now a recurring complaint received by the CNIL. The most common issues include the possibility to easily retrieve and access personal data on the Internet, the communication of personal data to unauthorized third parties, as well as passwords being transmitted in clear text or not sufficiently robust.

• In 2019, the CNIL received 2,287 notifications of personal data breaches. The CNIL indicated that this would "allow the CNIL to better orient its advisory action as well as its enforcement actions and, ultimately, to facilitate its role in the cybersecurity ecosystem".

• In 2019, 64,900 organizations appointed a data protection officer (“DPO”).

• In 2019, the CNIL thus carried out 300 inspections, including 169 on-site inspections, 53 online inspections, 45 document reviews and 18 hearings. In 41% of the cases, the CNIL's inspections were initiated following complaints and claims submitted to the CNIL. In particular, the Report indicates that the inspections revealed poor practices such as excessive delays in responding to data subject requests, the lack of a link in direct marketing emails allowing recipients to unsubscribe and the fact that customers are unable to delete their online account themselves. Conversely, the inspections revealed best practices, such as the development of template responses for the customer service team that handles data subject requests ("DSR"), the use of a dedicated email address and the tracking of received DSRs within a specific tool.

• In 2019, the CNIL imposed 8 sanctions, including 7 fines for a total amount of € 51,370,000 and 5 injunctions subject to a financial penalty. The sanctions related primarily to issues relating to the security of personal data, the failure to provide proper notice to individuals, issues relating to data retention periods and, in one case, the failure to comply with a data subject's right of access. In addition, the CNIL issued 42 formal notices to companies, including 2 public notices, 2 orders and 2 warnings.

The Report also outlines some of the actions that the CNIL intends to undertake in 2020:

• In relation to the use of cookies and other tracking technologies, the CNIL intends to continue its action plan announced in June 2019 by further building its response to complaints and helping organizations understand their obligations under the GDPR. Back in July 2019, the CNIL published its guidelines in relation to cookies and other tracking technologies, which, among other things, provide that the mere fact that a user is continuing to browse a website cannot be deemed a valid consent to the use of cookies. The CNIL indicated in the Report that the final version of the CNIL’s recommendations on the use of cookies and other tracking technologies will be published shortly.

• The Report indicates that the CNIL will continue participating in facial recognition experiments and pursuing the following key objectives which were previously announced in 2019:

  • Presenting facial recognition from a technical point of view and, in particular, the diversity of potential uses;

  • Highlighting potential risks;

  • Reminding organizations of the applicable rules for facial recognition; and

  • Clarifying the role of the CNIL in future experiments relating to facial recognition.

• The CNIL will continue to issue COVID-19 related guidance and related content. In this respect, it published on June 3, 2020 an opinion on the French “contact tracing” application known as "StopCovid", and on June 27, 2020, it published a statement warning against “smart cameras” and thermal cameras that are being increasingly adopted by organizations in the context of the COVID-19 epidemic. Regarding thermal imaging cameras in particular, the CNIL expressed reservations about such devices, such as the risk of not locating infected people since some are asymptomatic and the possibility of circumvention by using antipyretic drugs (which reduce body temperature without treating the causes of fever).