Privacy & Information Security Law Blog

On April 29, 2014, the French Data Protection Authority (“CNIL”) disclosed its annual inspections program, providing an overview of its inspections in 2013 and a list of the inspections it plans to conduct in 2014. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and access data controllers’ electronic data and data processing programs. Since March 2014, the CNIL also is permitted to collect such information online through remote investigations.

The CNIL reportedly conducted 414 inspections in 2013. Of those, 134 inspections related to closed-circuit television (“CCTV”) monitoring. According to the CNIL, these inspections revealed regular violations of French law concerning the operation of CCTV systems, including the absence of prior notification to the CNIL or authorization by the prefect of the relevant French department, incomplete information provided to individuals, insufficient security measures, and an excessive level of intrusiveness of certain CCTV systems (e.g., where the camera zoom allows an entity to record the inside of a building). The inspections relating to CCTV monitoring resulted in a dozen formal notices issued by the CNIL. In one instance, the CNIL referred the case to the French Public Prosecutor.

The CNIL announced that a target of 550 controls was set for 2014, including 350 on-site inspections and 200 online inspections. These inspections will focus on the following activities:

• The processing of personal data in the context of the operation of the National Database on Household Credit Repayment Incidents;
• The management of personal data breaches by telecommunication service providers; -The processing of personal data by online social networks;
• The processing of personal data relating to the payment and recovery of national income tax;
• The processing of personal data in the context of online payments to combat fraud as well as the retention of banking data; and
• The processing of personal data in the context of the National Register of Perpetrators of Sexual and Violent Offences.

The CNIL also announced that it will continue to conduct investigations in cooperation with other data protection authorities. In May 2013, the CNIL participated in an initiative of the Global Privacy Enforcement Network called “Internet Privacy Sweep Day,” during which time 19 data protection authorities reviewed online information notices. A similar action will be taken this year, focusing on “Mobile Privacy” (i.e., privacy on mobile terminals).

Finally, the CNIL confirmed its involvement in the future European inspections campaign organized by the Article 29 Working Party regarding the use of cookies. This campaign aims to provide a European overview of cookie practices and to harmonize the positions taken by the European data protection authorities with respect to such practices.