Privacy & Information Security Law Blog

On March 12, 2020, the French Data Protection Authority (the “CNIL”) released its annual inspection strategy for 2020. The CNIL carries out approximately 300 inspections every year. These inspections are initiated (1) following complaints lodged with the CNIL; (2) in light of current topics in the news; (3) after the CNIL has adopted corrective measures (e.g., formal notices, sanctions) in order to verify whether the organization in question adopted the measures or remedied the situation; and (4) as part of the CNIL’s annual inspection strategy.

The CNIL announced that about 20% of its inspections for 2020 will focus on the three following topics as part of that strategy:

• Security of Health Data: Recent developments regarding health data (telemedicine, connected objects, data breaches affecting State health-care institutions) demonstrate that attention should be given to the security of health data processing activities.
• Geolocation for Community or Proximity Services (e.g., recommendation of appropriate transport modes based on a defined route, journey optimization, etc.): Inspections will focus on the proportionality of the personal data collected in that context, the retention periods defined by the organization, the information provided to individuals about the data processing and the security measures implemented to protect the data.
• Use of Cookies and Similar Technologies: On July 18, 2019, the CNIL published new guidelines on cookies and similar technologies (“Guidelines”) that repeal the CNIL’s 2013 cookie recommendations and reconceive the rules applicable to the use of cookies and similar technologies in France, as they take shape from (1) the provisions of the EU ePrivacy Directive as implemented under French law, and (2) the GDPR consent requirements. Further, on January 14, 2020, the CNIL published draft recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices. The draft recommendations were open to public consultation until February 25, 2020. A final version of the recommendations will be published in the coming weeks. The CNIL will then allow for a grace period of six months following the adoption of the final recommendations before enforcing its new Guidelines. Inspections will begin in the fall of 2020 and will continue in 2021.

Read the CNIL’s annual inspection strategy for 2020 (in French).