HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: CNIL

Posted in International/EU Privacy

CNIL Head of Compliance Explains Approach on Connected Devices, Including Smart Meters

Speaking at a recent conference organized jointly by AmCham and EY on “the Internet of Things, Opportunities and Challenges for the Protection of Personal Data”, Sophie Nerbonne, Head of Compliance at the French data protection authority, explained how the CNIL views the opportunities and risks raised by connected devices, focusing particularly on smart meters as a scheme that may apply to other devices.

Posted in Consumer Privacy

French CNIL Enforces Cookie Consent

On June 30, 2015, the French data protection authority, the CNIL, announced that it gave notice to 20 websites to comply with the consent requirements applicable to cookies. After patiently waiting for almost a year to give websites the opportunity to comply with the cookie notice and consent rules explained in its official guidance from December 2013, the CNIL launched a series of audits (27 online audits, 24 on-site audits and 2 hearings) in October 2014.

Posted in International/EU Privacy

Part 7: The New Accountability Regime

Accountability has been described by the Article 29 Working Party as a way of “showing how responsibility is exercised and making this verifiable”. Accountability is far from being a new concept. It was introduced back in 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”

Posted in International/EU Privacy

CNIL Annual Report Shows Regulatory Interest in Connected Cars and Smart Cities

On 16 April 2015, the French data protection authority, the CNIL, published its annual report for 2014. The CNIL’s annual report is an opportunity for the authority to report on its activities over the previous year as well as set out its priorities for the coming year. Significantly, a number of new technologies such as connected cars and smart cities were included in the list of priorities that the CNIL will tackle in coming months.

Posted in International/EU Privacy

The CNIL Simplifies Formalities Regarding the Implementation of Binding Corporate Rules

On 24 March, the French data protection authority, the CNIL, announced that it will soon simplify the practical implementation of intra-group transfers of data from French entities to entities located outside the European Union where groups of companies have adopted Binding Corporate Rules (BCRs). BCRs are becoming increasingly popular among multinationals as a legal means of providing adequate protection to personal data that are transferred from the European Union to countries which the European Commission does not consider to provide an adequate level of protection. In the CNIL’s view, the implementation of BCRs shows a strong commitment from multinational organisations to protect personal data. Indeed, the CNIL has been a champion of the emerging “BCR for processors” initiative, which is also prompting interest from sophisticated processors who operate globally.

Posted in International/EU Privacy

CNIL Releases BYOD Guidelines

Security concerns and the need to increase cyber security measures have recently boosted the use of Bring Your Own Device policies in France. Recent events have exacerbated fears of data breaches and hacking for IT managers who were not overly concerned before. As a consequence, IT security teams are seeking to apply the same security and device management systems that apply to their own company’s equipment to employees’ devices when employees use those devices for work purposes. The expansion of an employer’s control over its employees’ devices raises concerns for the privacy and protection of employees’ personal data. The CNIL has published new guidelines on BYOD. An unofficial English translation of the guidelines appears in this post.

Posted in International/EU Privacy

New CNIL Accountability Standard May Become European Model

The chairwoman of the French data protection authority (the CNIL), Isabelle Falque-Pierrotin, has long been an outspoken proponent that companies should have internal accountability mechanisms for data protection compliance. On January 13, 2015 the CNIL published a standard defining what accountability means in practice. Companies that demonstrate that they comply with the new standard will be able to obtain an “accountability seal” from the CNIL.

Posted in International/EU Privacy

CNIL International Chief Discusses Safe Harbor and Onward Transfer

Following on the heels of the IAPP Congress in Brussels, the international chief of the CNIL (the French data protection authority), Florence Raynal, engaged in a dialogue with the members of the American Chamber of Commerce’s Digital Economy Committee in France. Raynal engaged with AmCham members on questions relating to the EU-US Safe Harbor framework, focusing on the practicalities of onward transfers. The discussion involved two kinds of transfers.

Posted in International/EU Privacy

French Insurance Compliance Pack Issued by the CNIL

On November 12, 2014, the CNIL issued a new compliance pack for the insurance sector drafted in collaboration with the sector trade associations. Compliance packs are a new tool that the CNIL has been promoting for the past few months as an operational response to the needs of professionals concerning the application of the French data protection law. The CNIL has previously published compliance packs about electric “smart meters” and about social housing. Two new compliance packs are already announced to be published soon: one about banking activities and one about social services.

Posted in International/EU Privacy

EU Regulation: Article 29 Chief Criticizes Risk-Based Approach

Addressing the French Parliamentary Commission on Digital Rights, CNIL and Article 29 Working Party Chair Isabelle Falque-Pierrotin commented on the current state of negotiations of the proposed European General Data Protection Regulation, warning that excessive reliance on a risk-based approach could undermine fundamental rights. A risk analysis is useful as a guide to allocating resources, but should not affect the underlying rights of the data subject, she said. To illustrate her point, Falque-Pierrotin used the analogy of a homeowner who lives in a part of the city where burglaries are frequent. The risk-based approach means that the homeowner will buy more locks for doors, and that police authorities may devote more resources to patrolling. It does not mean, however, that homeowners have different rights depending on where they live. Falque-Pierrotin is concerned that the current negotiations on the risk-based approach may confuse these two concepts, leading to a situation where individuals’ rights are reduced or ignored for low-risk processing.

Posted in International/EU Privacy

Cookie Consent—What’s Changed?

Almost five years ago, EU legislators shocked the Internet world by changing the legal requirement for the use of cookies and similar device identification techniques from “notice and opt-out” to “notice and consent.” At first, there was a sense of disbelief about whether this sudden legal twist was for real. As the dust settled, it became clear that what had been common practice until then—sticking a generic paragraph about the use of cookies in the privacy policy and referring users to the browser’s menu for further control—was no longer enough to comply with the new requirement.

Posted in International/EU Privacy

CNIL Adds New Consent Requirement for Use of Credit Card Data

The CNIL, France’s data protection authority, published on 25 February 2014 a new recommendation relating to the collection of credit card information, replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information.

Posted in International/EU Privacy

French Data Protection Authority Broadens the Scope of Its Whistleblowing Authorization

The French data protection authority has just published an amended version of its standard authorization for professional whistleblowing helplines, which significantly broadens its scope but also tightens the requirements for anonymous reporting. Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation requires that processes which may result in the exclusion of a person from the benefit of a right or a contract be subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).

Posted in International/EU Privacy

IP Tracking: French Authorities Investigate Pricing by Travel Websites

In June 2013, the French National Commission on Information Technology and Liberties announced that, following a question from Member of the European Parliament Françoise Castex, it was going to investigate IP tracking practices that e-commerce sites allegedly used to illegitimately increase their prices. This investigation was carried out in close connection with the French Directorate General for Competition Policy, Consumer Affairs and Fraud Control. In January 2013, MEP Françoise Castex had already alerted the European Commission about this alleged unfair commercial practice. The Commission concluded that national authorities in charge of protecting personal data were competent, as the IP address is personal data.

Posted in Consumer Privacy, Cybersecurity & Data Breaches, International/EU Privacy

France Enacts Law to Facilitate Real-Time Collection of Metadata

France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs) while the second, more controversial provision permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers in real time.

Posted in Consumer Privacy, International/EU Privacy

Article 29 Working Party Issues Guidance on Cookie Consent

On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law”, which required EU websites to obtain consent from Internet users before placing cookies on their devices. The document analyses, to some extent, the practices most commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”

Posted in Consumer Privacy, International/EU Privacy

French Government Has Serious Reservations About the Draft EU Regulation, Putting Its Adoption in Doubt

On June 11, the French Minister for Digital Economy indicated during questioning by a French Member of Parliament about the status of the draft data protection regulation that the Minister of Justice had rejected, during the meeting of the European Council held last week, the latest version of the draft regulation.