No More Games! The CNIL Publishes its 2018 and 2019 Activity Report

The CNIL blows the whistle for the end of the transition period.  For the first time, the CNIL’s 2019 investigation program is not specific to an industry and potentially impacts controllers and processors throughout all sectors of business. Going forward, the CNIL will also be more thorough and less lenient.

2019 Program

Investigation program

CNIL’s yearly investigation programs account for approximately one quarter of its investigations. This year’s program will focus on three major areas:

  • The complaints it receives (either collective or individual). These complaints, or the exercise of data subjects rights, represented about 73.8 % of all complaints received in 2018.
  • The sharing of responsibilities between processors and subcontractors, which is a cross-sector topic.
  • The data of children (including what data is collected, i.e., photos, biometric data and CCTV in schools, as well as parental consent for children under 15).

As in previous years, the CNIL will also:

  • Investigate complaints and the reports sent to the CNIL.
  • Follow up on past procedures.
  • Gather information from various news sources.

Finally, the CNIL will continue the cooperation initiated in 2018 with its other national Supervisory authorities, such as joint control operations.

Read more about CNIL’s investigation program for 2019.

Sanction policy

The CNIL treated 2018 as a transition period, allowing data controllers to understand and progressively assimilate the requirements of the GDPR.

From 2019 onwards, the CNIL will investigate compliance more thoroughly (including impact analysis, data portability, maintenance of a register of processing and of data breaches, etc.) and draw on, if necessary, all the consequences in case of gaps. It will nevertheless continue to assess, on a case-by-case basis, the most appropriate sanction. This will depend on the gravity of the breaches and the good faith of the organization and its cooperation. In January 2019 the CNIL issued a €50 million fine to a major tech company for alleged GDPR violations.

2018 Report

Complaints and data breach notifications

In 2018, the CNIL registered 1,170 data breach notifications. It received a record of 11,077 complaints, which represents a 32.5 %  increase compared to 2017. About 20% of these complaints fell under the GDPR cooperation program with other Supervisory Authorities.

These complaints primarily related to the publication of data on the internet (373 requests for delisting). Individuals massively requested their data to be deleted from the internet (names, contact details, comments, photographs, videos, accounts, etc.). These kinds of complaints reveal how difficult it can be for individuals to manage their digital life, and in particular, their online reputation.


In 2018 the CNIL carried out over 300 investigations which consisted of onsite, online, document requests and hearings.


The following is a breakdown of sources that triggered the investigation.

Formal notice to remedy

In most cases, the notices issued by CNIL resulted in the organizations remedying the identified compliance gap(s).  Formal notices to remedy are not considered sanctions per say as they are issued before an actual “fair trial” procedure. Forty-nine formal notices to remedy were adopted in 2018 out of which 13 were publicized. Two sectors, in particular, were targeted.

  • Insurance (5) for the use of insurance data for marketing purposes without legal basis
  • Companies specializing in targeted advertising via a technology (SDK) installed in mobile apps. (4)


The CNIL issued 11 sanctions, out of which:

  • Ten financial fines (including 9 made public and 7 in relation to security breaches), amongst which the following fines were issued €400,000, € 250,000 (twice) , € 100,000, €75,000, €50,000 and €30,000 (twice)
  • One non-public warning;
  • One closed

Sanctions were based on the regulation before GDPR under which the maximum fines were raised in 2016 from €150,000 to €3 million.

The CNIL’s 2018 report and 2019 plan summary are available here.

Our data protection and cybersecurity team in France and elsewhere around the globe can assist you in your compliance program or relations with the CNIL.

Have You Paid Your Data Protection Fee?

The ICO has issued a penalty notice to over 100 organisations for failing to pay their data protection fee. Failing to pay this fee due to an innocent mistake may not be accepted as a viable excuse, as demonstrated by the recent judgement in Farrow & Ball Limited v The Information Commissioner (Dismissed) [2019] UKFTT 2018_0269 (GRC).

Under the Data Protection (Charges and Information) Regulations 2018, UK organisations are required to pay the ICO an annual data protection fee unless they are exempt. The fee payable depends on the tier of the organisation, and ranges from £40 to £2,900. Continue Reading

The Un-healthiness of the Australian Health Sector’s Data Security

More than twelve months after the commencement of the Australian Notifiable Data Breach Scheme,[1] statistics published by the Office of the Australian Information Commissioner (OAIC) have begun to reveal trends present in the 812 notifiable data breaches recorded in Australia between 22 February and 31 December 2018. One key trend is the clear susceptibility of the health care industry, which suffered one fifth of all data breaches recorded in Australia throughout 2018, the highest number on an  industry scale.
Continue Reading

The Czech Republic: GDPR Adaptation Legislation Becomes Effective

On Wednesday, April 24, 2019, the new data protection legislation was published in the Czech Collection of Laws and became effective. In doing so, the Czech Republic remedied its legislative deficiency, as it was one of the last EU states lacking the data protection adaptation legislation. (The overview of the current state of GDPR implementation in the Member States can be found here).

Continue Reading

Join Us– Webinar: Understanding and Preparing for the California Consumer Privacy Act

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, regardless of where the business is based. The Act will impact information regarding not only consumers, but also employees and business contacts.

Join us for a webinar on May 7, 2019, when Elliot GoldingPhil Zender and Ivan Rothman will provide an overview of the CCPA and discuss the act’s:

  • Scope and applicability (e.g., what companies, data and processes will be impacted)
  • Key requirements (e.g., privacy statement, individual rights, etc.)
  • Contextual comparisons to existing US law and GDPR
  • Suggested steps to build a CCPA compliance program efficiently and effectively
  • Practical tips to manage risk and leverage existing compliance processes where possible

Attendees will have the opportunity to ask questions during the program, with a full Q&A session to follow.

If you would like to attend, or have colleagues who would, please register any interested parties.

Can Police Require Individuals to Unlock Their Smartphones?

Recently Chase Goldstein and Thomas Zeno contributed to our Anticorruption Blog. Their article reviews whether police can force individuals to unlock their smartphones. To unlock or not to unlock? Different rules apply depending on where you are located, as the states of Massachusetts and have seen conflicting rulings. There is also an international dimension, illustrated by a recent decision from Israel. In short, travelers must beware.

Read the full post online.


European Commission Announces Provisional Agreement on Whistleblower Directive

In a press release published on March 12, 2019, the European Parliament and its member states reached a provisional agreement on new rules that will guarantee a high level of protection for whistleblowers who report breaches of EU law. The draft establishes a three-tier reporting system (that potentially allows the whistleblower to inform publicly or through media the information) and robust measures against potential retaliation.

Continue Reading

Senators and Witnesses Debate a Federal Data Privacy Framework in the United States

On February 27, 2019, the Senate Commerce Committee held a hearing to examine what Congress should do to address risks to consumers and implement data protections for all Americans. The hearing was titled “Policy Principles for a Federal Data Privacy Framework.” It focused on six topics, including: (1) federal preemption; (2) privacy values; (3) corporate transparency; (4) trust and informed consent; (5) the Federal Trade Commission (“FTC”) and State Attorneys General enforcement authority; and (6) special protections for children. Senators on both sides of the aisle generally expressed optimism about working together to address the challenges of developing a federal privacy data framework. We anticipate a continuing debate and proposed legislation in Congress over data privacy. Below is a high-level summary of some of the issues discussed. Continue Reading