Privacy & Information Security Law Blog

On February 15, 2022, the French Data Protection Authority (the “CNIL”) published its enforcement priority topics for 2022. Each year, the CNIL conducts numerous investigations in response to complaints, data breach notifications and ongoing events, or based on previously established enforcement priorities.

For 2022, the CNIL indicated that it will focus on three major strategic priorities:

• Direct Marketing. The CNIL recently published a new reference framework on “commercial management,” which will be used to monitor unsolicited commercial prospecting practices and related GDPR compliance. The CNIL indicated that it will particularly monitor the practices of data brokers.
• Monitoring Teleworking Employees. With teleworking becoming a norm during the COVID-19 pandemic, numerous employee monitoring tools have been developed. The CNIL urges companies to verify that such monitoring tools comply with data protection rules and ensure a fair balance between privacy at work and legitimate monitoring of employees.
• Cloud Computing. The CNIL considers certain newer technologies, such as cloud computing, as likely to have data protection risks, particularly with respect to the international data transfers these technologies involve or the risks of data breaches they pose when incorrectly configured. Accordingly, the CNIL reports that it will look into cloud-related transfer issues and the contractual framework between data controllers and cloud solution providers. This priority also is part of the European Data Protection Board’s first coordinated enforcement framework, in which the CNIL will participate, along with other EU supervisory authorities, by investigating the use of cloud services by the public sector.

Read the CNIL’s press release.