“The CNIL is ready for combat” – this is how Mrs. Falque-Pierrotin, President of the CNIL, described its mission after taking office last year.

Introducing a 100-page-long yearly “Activity Report” dated 10 July 2012, fully translated into English, the President of the CNIL outlined what is to be seen as the main action principle of the CNIL for years to come -“enforcement and oversight” of data protection compliance, rather than simply monitoring it.

As our blog has highlighted, the CNIL over the past months has taken several actions, demonstrating its growing position as a powerful regulatory authority:

  • It has issued new regulation principles with regard to data security and cookies, and conducted a broad consultation that led to the partly binding “recommendations” on cloud computing issued two weeks ago.
  • It increased its power of sanction. Google has been fined €100,000 for its Google Street application, and is also under scrutiny by the CNIL because of its new integrated platform which allows “intelligent advertising”. Facebook is also under the CNIL’s watch.
  • It is also a front-runner in challenging the projected new data protection regulation with regard to the issue of jurisdiction and the broadening of exemptions. Under the new regulation, the European Data Protection Authority of the country in which a data controller has its ‘main establishment’, would have sole jurisdiction to rule on complaints against such a data controller, which would reduce the CNIL’s power to control proceedings.

2011 showed a 19 percent increase in the complaints directed to the CNIL by the public (5,738), and 385 controls were implemented (an increase of 25 percent in relation to 2010).

Interestingly, the complaints linked to the “right to be forgotten” were up 42 percent versus the previous year (1,000 complaints), and complaints linked to HR data processing represented 12 percent of the total volume of complaints. Complaints linked to the so-called “cyber-surveillance” tools (monitoring the use of electronic communications by employees) were up 59 percent compared with the previous year. Complaints linked to HR-data breaches were up 27 percent.

The CNIL issued 65 formal notifications, 13 warnings (which are to be considered as sanctions), and five financial penalties, with the largest penalty being €100,000.

The CNIL’s increased activity over the past year and in the first semester of 2012 suggests that last year’s numbers will be exceeded in 2012.