In an interview dated February 2018, Isabelle Falque-Pierrotin, at the Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first decision of sanction rendered by the CNIL on Monday January 21, 2019, which is to date the most severe sanction ever imposed to a web giant (‘GAFA’) under the GDPR, gives a sense of what that flexible approach might be in the eyes of the French regulator.
Background: a wave of awareness among users at the EU level shows a new face of data protection
In a notice dated November 2018, the CNIL reported that the number of claims related to privacy issues had significantly increased (by 34 percent) since the adoption of GDPR in May 2018. The protection of personal data seems therefore to be becoming an ever more important issue, especially since nonprofit associations are able to collectively report breaches and issue claims on behalf of users to EU data protection authorities, pursuant to Article 80 of the GDPR.
The January 21, 2019 decision of the CNIL against Google recalls the admissibility of complaints filed by nonprofit associations, which have a mandate to represent users. The decision thus follows the collective complaints filed a few days after the entry into force of the GDPR, on May 25 and 28, 2018, by the organization None of your business and the French organization La Quadrature du Net.
As reflected by the length and documented character of the decision (31 pages), delivered in an extremely short time frame after an expeditive procedure (barely 10 weeks), the CNIL shows a clear willingness to implement a far-reaching control over GAFAs regarding the information given to users and consent management, highlighting that the GDPR is aimed at fighting any form of “forum shopping.”