Tag Archives: France

Cookies: CNIL provides clarification on its position through three major decisions impacting worldwide online service providers

The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that … Continue Reading

A French approach to disclosing a pending IP dispute

Unlike other countries, such as the US, France has a conservative approach of when and how IP right holders are entitled to disclose a pending infringement dispute to their clients and investors, under the legal concept of “disparagement”. France takes this step in order to limit the negative impact on the competitor resulting from disclosure … Continue Reading

It’s time to reassess cookie compliance in France

Companies have been challenged with respect to their cookie policies and their implementation due to the entry into force of the GDPR earlier than the proposed ePrivacy Regulation  Given the delay in the adoption of an EU-wide regulation on e-privacy, national data protection authorities have taken the initiative in publishing guidelines on cookies requirements. The … Continue Reading

The USTR responds to French Digital Services Tax with large tariff proposal

In response to France’s Digital Services Tax (DST), the Office of the U.S. Trade Representative (USTR) proposed additional ad valorem duties of up to 100 percent on certain products from France. The USTR issued a Section 301 Investigation Report on the DST, concluding that the DST discriminates against U.S. companies, is inconsistent with prevailing principles … Continue Reading

By jointly tackling Facebook, French regulators set an example to large international digital media companies – First prominent enforcement measure after the Safe Harbor invalidation

On February 8 and 9, 2016, the French Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (the ‘DGCCRF’) and the French Data Protection Authority (the ‘CNIL’), through an obviously concerted action, have publicised regulatory enforcement measures they are undertaking against Facebook. The DGCCRF is requiring Facebook to re-write its Terms and Conditions on the … Continue Reading

Whistleblowing hotlines in France: a welcome lightening of regulation

This post was written by Daniel Kadar. Implementing whistleblowing hotlines in France has caused significant concern for companies implementing such hotlines globally, as French regulation had considerably narrowed their scope with the major threat of considering non-compliant hotlines as null and void. Times have changed: a couple of months ago, the French CNIL adopted an … Continue Reading

Maximum administrative fine issued by the CNIL against Google: More to come?

After almost two years of back and forth with Google, the French CNIL has, similarly to the Spanish Data Protection authority (€900,000 fine), sanctioned Google with a €150,000 fine, as Google refused to review its integrated platform and to modify its privacy policy as requested by the Working Party 29. In addition to this fine, … Continue Reading

The implementation of the French transparency regulation: first good news?

This post was written by Daniel Kadar. French health care companies have faced hard times over the past months with their new transparency obligations. They have been required to declare the equivalent of 18 months (!) of agreements and benefits in a very short period of time. They were scheduled to disclose this information to … Continue Reading

French Data Protection Authority CNIL Announces New Online Notification Procedure for Reporting Data Breaches

France’s data protection authority, the Commission Nationale De L’informatique et Des Libertés (CNIL), released a new mandatory online notification procedure for French electronic communications service providers (Providers) to rapidly report data breaches to CNIL in compliance with new EC Regulation (No.611/2013) (the Regulation). Any data breach must be reported to CNIL via a new standardized … Continue Reading

France requires all bodies hosting personal medical data to apply for official accreditation or to work with an officially accredited data host

This post was written by Daniel Kadar. France has established itself as a leader in the protection of personal data. Not only does its regulation define broadly the concepts of personal and medical data, France has also implemented a specific set of policies regarding the hosting of personal medical data, requiring all bodies hosting this … Continue Reading

CNIL satisfied with draft European Parliament report on the new Data Protection Regulation

This post was written by Daniel Kadar. The French Data Protection Authority (DPA), the CNIL, has expressed its satisfaction on the draft report (the “draft Report”) released by the European Parliament on the new European Data Protection Regulation (the “Regulation”). One of the major points of concern for the CNIL was that the draft Regulation … Continue Reading

CNIL vs. Google, Act V: Six Data Protection Authorities led by the French CNIL are now starting action in order to penalize Google

Pursuant to their common decision 26 February 2013 to engage action in order to penalize Google Inc. for refusing to revise its global privacy policy, six of the European Working Party 29 regulators, led by the French CNIL, have now jointly started to act in their respective jurisdictions and according to their national laws against … Continue Reading

Protection of employee privacy rights in France: measures controlling employees in the workplace must be treated with caution – employers should avoid placing restrictions upon themselves

This post was written by Daniel Kadar. France’s highest court (“Cour de cassation”) ruled 26 June 2012 in Monsieur X v. YBC Helpevia that a company’s internal rules may limit an employer’s access to employee emails. French case-law has traditionally held that employees have a right to privacy at their workplace and that an employer … Continue Reading

CNIL vs. Google, Act IV: Google Against the Rest of the World of the Data Protection Regulators

We have previously reported on the different requests and repeated questionnaires the Commission nationale de l’informatique et des libertés (CNIL) has sent to Google over the past few months regarding the evaluation of Google’s compliance with applicable European Data Protection Regulation concerning its new integrated privacy policy, as well as the new integrated platform launched … Continue Reading

France: The CNIL amends its regulation concerning the processing of client/prospect data and imposes differentiated data retention periods

This post was written by Daniel Kadar. A new regulation of the CNIL, dated 12 June 2012 and published on 13 July 2012, modifies the ways and means of collecting and processing client/prospect-related data. The regulation, issued as an amendment to the “Simplified Norm No. 48” [http://www.cnil.fr/en-savoir-plus/deliberations/deliberation/delib/184/], broadens the possibility for data controllers to make … Continue Reading

France: The CNIL issues its annual ‘Activity Report’ for 2011 detailing a significant increase in its activity

“The CNIL is ready for combat” – this is how Mrs. Falque-Pierrotin, President of the CNIL, described its mission after taking office last year. Introducing a 100-page-long yearly “Activity Report” dated 10 July 2012, fully translated into English, the President of the CNIL outlined what is to be seen as the main action principle of … Continue Reading

Cloud Computing: The French CNIL Issues Partly Binding Guidance

On 25 June 2012, the CNIL published on its website a summary article and a 10 page conclusion paper, along with a 21-page “recommendations” document, which constitute the French Data Protection Authority’s new guidance in that regard. Aimed to target small- to medium-sized companies considering using cloud computing services, and aimed at helping them make more … Continue Reading

France: Electronic Communications Providers Must Now Immediately Notify a Data Breach to the CNIL

This post was written by Daniel Kadar. On 28 May, the French CNIL released new practical guidance related to data violation. A new Article 34 bis has been added to the French Data Protection Act as part of implementing the Telecom Package obliging Electronic Communications Providers (ECPs) to notify “without delay” the French CNIL of … Continue Reading

CNIL vs. Google, Act III: CNIL sends Google a 6-page additional Questionnaire on Google’s New Privacy Policy since it is still “impossible to know Google’s processings of personal data”

We have previously reported that the French Data Protection Authority (DPA), the CNIL, had sent to Google 19 March 2012, a 12-page questionnaire divided in not less than 69 main questions on Google’s new privacy policy. The CNIL has been designated by the Working Party 29 to evaluate the compliance to applicable data protection regulation … Continue Reading

More Flexibility on Cookies: the French CNIL Softens Its Views on User Consent

The French CNIL has released an amended version of its guidance regarding the implementation of the “Telecoms Package” concerning the use of cookies. As set forth by the 24 August 2011 Ordinance, user consent is in principle required prior to the placement of cookies on an individual’s computer. Until the revision of its guidance, the … Continue Reading

CNIL vs. Google, Act II: the CNIL Strikes Back – CNIL sends Google a 12-Page Questionnaire on Google’s New Privacy Policy for its Integrated Platform in Order to Verify its Compliance with Applicable European Regulation

Google’s CEO, Larry Page, now belongs to the happy few who enjoy direct and regular contact with the CNIL’s president, Mrs. Falque-Pierrotin: he received on 19 March another letter from the French Data Protection Authority’s president pursuant to Google’s decision to launch its new integrated platform 1 March, despite the CNIL’s strong warning to postpone … Continue Reading

French CNIL Urges Google to Postpone the Launch of its Integrated Platform and Raises Serious Doubts about Google’s Compliance with European Data Privacy Directive

February 2012 will last as a milestone of an unprecedented fight between the Working Party 29, which comprises the European Data Protection Agencies, and Google. Google has highly publicised the forthcoming launch of an integrated platform that is deemed to allow a better tracking of the user’s personal data and in particular to advertise with … Continue Reading