Should we be afraid of the CNIL?


The General Data Protection Regulation (GDPR) has been applicable in Europe since May 25, 2018. Until April 2021, the CNIL was conciliatory: companies needed time to comply with a new regulation that is not always easy to understand and apply. The Commission therefore played an essentially advisory role, accompanied companies on the sometimes long road to compliance, and remained understanding.

But a new, tougher guideline has been in place since April 1, 2021. The adaptation period is over, and the tolerance is gone. Companies must now make a difference in how they handle data regulation. Because, as the philosopher Gilles Deleuze reminded us in 1969, « the difference is first in everything ».

The CNIL, which still retains its advisory and support roles, is now moving on to inspections and financial penalties for non-compliance with the GDPR. And since then, the CNIL has not been idle.

In 2021, the CNIL received 14,143 complaints and closed 12,522. It carried out 384 inspections, and the failures found in some of these investigations led to 135 formal notices and 18 sanctions, for a cumulative amount of fines exceeding 214 million euros, a level never reached before.

Of the 135 formal notices, 89 related to cookies, one of the priority issues set by the CNIL. 

In addition to these formal notices, penalties were imposed for the most serious cases, concerning actors who did not allow millions of Internet users to refuse cookies as easily as to accept them.

At the same time, the CNIL also continued its control activities on health data security: it conducted 30 new control missions at medical analysis laboratories, hospitals, and health data providers, in particular on processing related to the COVID-19 epidemic. Some of these procedures are still under investigation.

It also paid particular attention to the cybersecurity of the French web by auditing 22 organizations, 15 of which are public. 

During its investigations, the CNIL noted obsolete cryptographic suites making websites vulnerable to attacks, inadequacies concerning passwords, and, more generally, insufficient resources in relation to current security issues.

Finally, the CNIL issued two public sanctions against the Ministry of the Interior, concerning the illicit use of drones and poor management of the automated fingerprint file (FAED).

To meet these challenges, the CNIL’s new strategic directions for the period 2022 to 2024 are divided into three priority areas: fostering control and respect for people’s rights in the field, promoting the GDPR as a confidence-building asset for organizations, and prioritizing targeted regulatory actions on subjects with high privacy stakes.

As Marie-Laure Denis, president of the CNIL, stated, « The implementation of this action plan must enable the CNIL to act in an agile manner, alongside citizens, companies, associations, and administrations, to build a digital society of trust. »

The year 2022 is coming to an end, and it will soon be time to take stock again of a year full of twists and turns. Will the cumulative amount of fines have exceeded that of 2021?
