On April 23, the French data protection authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), published its annual report for 2012, emphasizing a significant increase in complaints, audits, and sanctions. We review each of the topics addressed in the CNIL’s report.
- Consumer complaints: The CNIL says it processed the largest number of complaints in its history in 2012—over 6,000. Those complaints were received principally from private individuals regarding their right to access, rectify, or oppose data processing. Close to one third of the complaints involved telecommunications operators, with more than 1,000 complaints involving the “right to be forgotten.” The two other main fields in which complaints were filed are commerce and retail (21% of complaints) and employment (15%).
- CNIL steps up audits: The CNIL conducted 458 audits in 2012, an increase of almost 20% in comparison to 2011. The audits were triggered as a result of the CNIL’s annual programme of audits (approximately 40%), in reaction to public events (approximately 25%), or to complaints (23%). The CNIL underlined its audits of video-surveillance systems (over 170 audits in 2012), which have resulted in several warnings and cease-and-desist letters, and one financial sanction.
- Sanctions: While the number of financial sanctions was relatively stable (4 versus 5 in 2011), the total amount of financial sanctions decreased. The highest monetary sanction in 2012 was only €10,000. However, the CNIL has substantially increased the number of public sanctions, taking advantage of a new provision which allows it to order the publication of its cease-and-desist letters.
- French DPOs and trust labels: The CNIL underlined the development of its trust labels granted to companies that provide privacy training and audits, as well as the increase in the number of data protection officers (called “CILs” in France) that French companies have voluntarily appointed: over 11,000 to date.
- Regulating big data: The CNIL’s report dwells on the challenges of regulating big data, and argues that privacy protection does not necessarily have to create costs in terms of innovation and economic development. Given the international nature of big data and cloud computing, the CNIL is conscious that the French and European humanist vision of data protection needs to win the battle of ideas on the world stage in order for a consistent regulatory approach to emerge.
- Proposed EU Regulation: On the proposed European Data Protection Regulation, the CNIL reiterated its concern that the so-called “one-stop-shop” concept designating one European data protection regulator for each regulated entity would lead to forum-shopping and decrease the ability of French citizens to look to the CNIL for effective protection of their rights. The CNIL also recommended that the draft Regulation enhance the “right to be forgotten” by giving individuals a right to require de-indexation from search engine results, a suggestion that raises tricky freedom of expression issues. Finally, the CNIL said it is against any form of self-certification for cross-border transfers to non-adequate countries. The CNIL says DPAs should continue to verify that the conditions for those transfers are satisfied.
- Co-regulation; BCR interoperability: The CNIL highlighted its work with stakeholders in developing standards for use of biometrics in the workplace, and standards for smart meters. The CNIL is also supporting efforts to make binding corporate rules (BCRs) interoperable with APEC cross-border privacy rules (CBPRs).
- Data breach notifications: Although France has implemented new data breach notification requirements for telecom operators, the CNIL said it received only 18 notifications in 2012.