Tag Archives: CNIL

First sanction decision rendered by the CNIL regarding data breaches worth almost 1 per cent of the company’s yearly turnover: the era of tolerance seems to be over

In a new sanction decision rendered on 28 May 2019, the French data protection authority Commission nationale de l’informatique et des libertés (CNIL) imposed a €400,000 fine on French property management company Sergic for failure to comply with its obligation to maintain the security of and to limit the storage of personal data. This … Continue Reading

The Highest French administrative Court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg?

A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euros penalty on the company Optical Center for failure to secure personal data on its website – where a breach occurred, allowing access to invoices and purchase orders containing personal and sensitive data of customers. Further to Optical Center’s … Continue Reading

First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first sanction decision rendered by the CNIL on Monday January 21, 2019, which … Continue Reading

The CNIL sets expectations as to the ‘EU-U.S. Privacy Shield’ and starts implementing enforcement measures in case of Safe Harbor remediation default

The CNIL issued a press release February 4, setting expectations concerning the “EU-U.S. Privacy Shield” work-in-progress. At the same time, it has switched to enforcement mode concerning Safe Harbor remediation failure. Click here to read more in the issued Client Alert.… Continue Reading

By jointly tackling Facebook, French regulators set an example to large international digital media companies – First prominent enforcement measure after the Safe Harbor invalidation

On February 8 and 9, 2016, the French Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (the ‘DGCCRF’) and the French Data Protection Authority (the ‘CNIL’), through an obviously concerted action, have publicised regulatory enforcement measures they are undertaking against Facebook. The DGCCRF is requiring Facebook to re-write its Terms and Conditions on the … Continue Reading

The French CNIL officially requires the use of EU Model Clauses as a quick fix for businesses impacted by the recent Safe Harbor ruling of CJEU – Companies must be compliant as of end January 2016

On 19 November, the CNIL released an article in order to provide companies impacted by the recent CJEU ruling on invalidation of Safe Harbor with guidance on the next steps. The article was published at the same time the CNIL sent a mailing to all data controllers relying on Safe Harbor to fix the issue. … Continue Reading

Whistleblowing hotlines in France: a welcome lightening of regulation

This post was written by Daniel Kadar. Implementing whistleblowing hotlines in France has caused significant concern for companies implementing such hotlines globally, as French regulation had considerably narrowed their scope with the major threat of considering non-compliant hotlines as null and void. Times have changed: a couple of months ago, the French CNIL adopted an … Continue Reading

French data protection authority ramps up inspections for 2014 – will it be a knock on the door or a “remote audit”?

At the end of April, the French data protection authority (CNIL) released its inspection schedule for 2014 (the Schedule), promising to carry out some 550 inspections over the course of the year. Approximately 350 inspections are expected to be on-site, a quarter of which will focus on CCTV/video surveillance, and 200 will be carried out … Continue Reading

Maximum administrative fine issued by the CNIL against Google: More to come?

After almost two years of back and forth with Google, the French CNIL has, similarly to the Spanish Data Protection authority (€900,000 fine), sanctioned Google with a €150,000 fine, as Google refused to review its integrated platform and to modify its privacy policy as requested by the Working Party 29. In addition to this fine, … Continue Reading

French Data Protection Authority CNIL Announces New Online Notification Procedure for Reporting Data Breaches

France’s data protection authority, the Commission Nationale De L’informatique et Des Libertés (CNIL), released a new mandatory online notification procedure for French electronic communications service providers (Providers) to rapidly report data breaches to CNIL in compliance with new EC Regulation (No.611/2013) (the Regulation). Any data breach must be reported to CNIL via a new standardized … Continue Reading

CNIL satisfied with draft European Parliament report on the new Data Protection Regulation

This post was written by Daniel Kadar. The French Data Protection Authority (DPA), the CNIL, has expressed its satisfaction on the draft report (the “draft Report”) released by the European Parliament on the new European Data Protection Regulation (the “Regulation”). One of the major points of concern for the CNIL was that the draft Regulation … Continue Reading

CNIL vs. Google, Act V: Six Data Protection Authorities led by the French CNIL are now starting action in order to penalize Google

Pursuant to their common decision 26 February 2013 to engage action in order to penalize Google Inc. for refusing to revise its global privacy policy, six of the European Working Party 29 regulators, led by the French CNIL, have now jointly started to act in their respective jurisdictions and according to their national laws against … Continue Reading

Protection of employee privacy rights in France: measures controlling employees in the workplace must be treated with caution – employers should avoid placing restrictions upon themselves

This post was written by Daniel Kadar. France’s highest court (“Cour de cassation”) ruled 26 June 2012 in Monsieur X v. YBC Helpevia that a company’s internal rules may limit an employer’s access to employee emails. French case-law has traditionally held that employees have a right to privacy at their workplace and that an employer … Continue Reading

CNIL vs. Google, Act IV: Google Against the Rest of the World of the Data Protection Regulators

We have previously reported on the different requests and repeated questionnaires the Commission nationale de l’informatique et des libertés (CNIL) has sent to Google over the past few months regarding the evaluation of Google’s compliance with applicable European Data Protection Regulation concerning its new integrated privacy policy, as well as the new integrated platform launched … Continue Reading

France: The CNIL amends its regulation concerning the processing of client/prospect data and imposes differentiated data retention periods

This post was written by Daniel Kadar. A new regulation of the CNIL, dated 12 June 2012 and published on 13 July 2012, modifies the ways and means of collecting and processing client/prospect-related data. The regulation, issued as an amendment to the “Simplified Norm No. 48” [http://www.cnil.fr/en-savoir-plus/deliberations/deliberation/delib/184/], broadens the possibility for data controllers to make … Continue Reading

France: The CNIL issues its annual ‘Activity Report’ for 2011 detailing a significant increase in its activity

“The CNIL is ready for combat” – this is how Mrs. Falque-Pierrotin, President of the CNIL, described its mission after taking office last year. Introducing a 100-page-long yearly “Activity Report” dated 10 July 2012, fully translated into English, the President of the CNIL outlined what is to be seen as the main action principle of … Continue Reading

Cloud Computing: The French CNIL Issues Partly Binding Guidance

On 25 June 2012, the CNIL published on its website a summary article and a 10 page conclusion paper, along with a 21-page “recommendations” document, which constitute the French Data Protection Authority’s new guidance in that regard. Aimed to target small- to medium-sized companies considering using cloud computing services, and aimed at helping them make more … Continue Reading

France: Electronic Communications Providers Must Now Immediately Notify a Data Breach to the CNIL

This post was written by Daniel Kadar. On 28 May, the French CNIL released new practical guidance related to data violation. A new Article 34 bis has been added to the French Data Protection Act as part of implementing the Telecom Package obliging Electronic Communications Providers (ECPs) to notify “without delay” the French CNIL of … Continue Reading

The French Data Protection Authority unveils its agenda and targets for inspections in 2012

This post was written by Cynthia O’Donoghue. The French Data Protection Authority (the “CNIL”) issued a press release 19 April 2012 detailing its planned enforcement agenda for the coming year. The CNIL announced that it intends to conduct around 450 on-site inspections during 2012, with particular focus on six specific themes. The CNIL will also … Continue Reading

CNIL vs. Google, Act III: CNIL sends Google a 6-page additional Questionnaire on Google’s New Privacy Policy since it is still “impossible to know Google’s processings of personal data”

We have previously reported that the French Data Protection Authority (DPA), the CNIL, had sent to Google, on 19 March 2012, a 12-page questionnaire divided into no fewer than 69 main questions on Google’s new privacy policy. The CNIL has been designated by the Working Party 29 to evaluate the compliance with applicable data protection regulation … Continue Reading

More Flexibility on Cookies: the French CNIL Softens Its Views on User Consent

The French CNIL has released an amended version of its guidance regarding the implementation of the “Telecoms Package” concerning the use of cookies. As set forth by the 24 August 2011 Ordinance, user consent is in principle required prior to the placement of cookies on an individual’s computer. Until the revision of its guidance, the … Continue Reading

CNIL vs. Google, Act II: the CNIL Strikes Back – CNIL sends Google a 12-Page Questionnaire on Google’s New Privacy Policy for its Integrated Platform in Order to Verify its Compliance with Applicable European Regulation

This post was written by Daniel Kadar. Google’s CEO, Larry Page, now belongs to the happy few who enjoy direct and regular contact with the CNIL’s president, Mrs. Falque-Pierrotin: he received on 19 March another letter from the French Data Protection Authority’s president pursuant to Google’s decision to launch its new integrated platform 1 March, … Continue Reading

A recent Initiative for a Competitive Online Marketplace (“ICOMP”) Conference on ‘Data Protection and Profiling’ poses difficult questions in relation to Google’s attitude towards the law, exploitation of user information and its new privacy policy

A recent ICOMP Conference on ‘Data Protection and Profiling’ in Brussels focussed primarily on the implementation of Google’s new privacy policy on 1 March 2012. ICOMP provides a discussion forum for organisations and policy makers relating to the online marketplace aimed at supporting principles related to a transparent and competitive Internet. There was some controversy … Continue Reading