The French Data Protection Authority published new Guidelines on December 10, 2019 applicable to whistleblowing schemes, following a public consultation process. The Guidelines replace the former Single Authorization AU-004, which has not applied since arrival of the General Data Protection Regulation. The CNIL has also published a useful Frequently Asked Questions webpage regarding the Guidelines. The CNIL’s new Guidelines import certain aspects of its former position on whistleblowing schemes.
The French Data Protection Authority has made targeted online advertising a priority topic in its 2019-2020 agenda and has changed its position on cookie consent. Although the ePrivacy Regulation is still being debated by EU legislators and is far from being finalised, the CNIL has withdrawn its 2013 cookie recommendation and announced that it will publish new guidelines (announcements are available in English on the CNIL’s website here and here). These explicitly rule out the use of implied or “soft” consent to place cookies on users’ devices.
The French Data Protection Authority (the CNIL) published its assessment of the first four months of GDPR and several guidelines, including one on how to make a GDPR compliant blockchain. Since the Data Protection Act’s implementation, the CNIL has been very active in guiding French citizens on how to comply with the new legal framework and warning them about threats from new technologies.
A bill, passed by the French National Assembly on 26th January 2016, and now before the French Senate, would amend Article 47 of the French Data Protection Act to give the French Data Protection Authority (the CNIL) the power to impose penalties for breaches of data protection law of up to 20 million euros or up to 4% of an organization’s total worldwide annual turnover (the Digital Republic Bill). Up until now, the CNIL could only issue penalties of up to 150 000 euros.