The last months have seen a number of changes to the data protection landscape in France. This includes new enforcement activity and changes to the governance and powers of the French Data Protection Authority (the “CNIL”). This article provides a short refresher on these changes.
CNIL’s new enforcement strategy
As part of its investigation programme for 2011, the CNIL indicated that it will greatly increase the number of audits it conducts.
This includes working much more closely with the General Directorate for Competition Policy, Consumer Affairs and Fraud Control (Direction générale de la concurrence, de la consommation et de la répression des fraudes). The two agencies signed a cooperation agreement on 6 January 2011 under which the DGCCRF will inform the CNIL of any personal data related offence it becomes aware of. This should significantly increase the CNIL’s reach.
The CNIL annual audit program, adopted in March 2011, also reveals its strategy for the coming year. Its investigations have already trebled from 2005 and 2010 (100 inspections were held in 2005, whereas 300 in 2010), and its goal is to conduct even more audits, with 400 audits planned in 2011. In the medium term, the CNIL would like to increase this further to 800 audits per year. The audit program highlights five priority areas:
- International Data Transfers - The CNIL plans to investigate companies located in France as well as those located abroad receiving data about French nationals. It intends, amongst other things, to audit U.S. firms operating under the Safe Harbor programme.
- Health Data - The CNIL will continue to audit this sector with a particular focus on firms who store and process health data as well as firms who conduct medical research. This will include insurance companies, data hosts and health care service professionals.
- Video Surveillance - France adopted a National Security Act on 14 March 2011 (La Loi d'orientation et de programmation pour la performance de la sécurité intérieure) which regulates public authorities’ video surveillance powers with respect to both public and private areas. This law gives the CNIL authority to inspect CCTV devices. The CNIL plans to perform 150 such inspections.
- Private Detectives and Collection Agencies - The CNIL consider there is a need to look more closely at this sector, in which breaches to data protection seem to happen frequently.
- Marketing - The CNIL intends to review this expanding area of business. Its review should encompass devices used to measure viewership (advertisement devices, direct marketing by electronic means) and behavioural analysis (social networks, websites, etc.).
Practical examples of enforcement
In July 2011, the CNIL indicated that it imposed a €50,000 fine to a company which denied individuals their right to object to the collection of personal data. The company had been collecting personal data on individuals who wanted to benefit from their gift certificates but had not notified the individuals of their right to object to the collection of such data. This violation of data laws allowed the company to compile a significant prospect database. The identity of the company has not been published.
In March 2011, the CNIL was the first data protection authority to formally sanction Google for the collection of Wi-Fi data by its Google Street View cars. The CNIL held a series of on-site audits to verify whether Google’s practice was in compliance with the French Data Protection Act. This revealed Google had collected Wi-Fi data without the knowledge of the data subjects and recorded important information such as IDs, email exchanges, passwords, etc. As a result and after an attempt to cooperate with Google, the CNIL fined Google €100,000. The CNIL stated that Google: “didn’t give us all the information we asked for … and were not always very transparent”.
Amendments to the CNIL’s powers and governance
The CNIL investigatory powers have recently been modified by the Law no. 2011-334 of 29 March 2011 (Loi relative au Défenseurs des droits) amending the French Data Protection Act. There are four key points arising from these amendments.
Firstly, amendments to the French Data Protection Act have been made to comply with the basic right to privacy and the right to a fair trial as laid out in Articles 6 and 8 of the European Convention on Human Rights (see TMT News: France - Enforcement authorities must be mindful of human rights). For instance, the proprietor of the companies’ premises has a right to object to an audit by the CNIL and, where such an objection is made, the CNIL must obtain prior authorisation of a judge to the audit. The amendments now require the CNIL to clearly inform the proprietor of his right to object prior to conducting the audit. However, the CNIL may nevertheless conduct an inspection without giving the proprietor the right to object in cases where the emergency, the gravity of the facts at issue or the risk of destruction or dissimulation of documents justify the authorisation of the judge.
Secondly, the new provisions also prevent members of the CNIL with powers to impose sanctions from holding any prosecuting or investigative powers (i.e. to separate its role as a tribunal from its investigative role). Therefore, the composition of the Restricted Committee (Formation Restreinte), which is in charge of sanctions, will be modified so that the President and Vice-Presidents of the CNIL are no longer allowed to sit on such Committee.
Thirdly, the Restricted Committee is now authorised to publish the sanctions it imposes and may request their publication in newspapers and the like at cost of the infringing data controller.
Finally, under the new rules, the CNIL’s President will be barred from any professional activity or holding any elected national office from 1st September 2012. This rule intends to guarantee the independence of the CNIL, as it has the status of an Independent Administrative Authority (Autorité Administrative Indépendante). The current President is a Senator, so he indicated that he will resign at the end of September 2011.
By Sylvie Rousseau, Pierre-Olivier Ally and Flore Colnet, Paris