The French data protection authority (CNIL) has published its annual investigation program for 2018, the first since the GDPR came into force on May 25, 2018. The report indicates that the CNIL intends to conduct over 300 investigations (on-site, online, by requesting documents, or by formal hearing) and will focus on the areas noted below.
- Verifying GDPR Compliance
The CNIL explicitly announced that it would investigate whether organizations are in compliance with the new obligations of the General Data Protection Regulation (GDPR) including the right to portability and DPIAs. The report indicates that the CNIL will be more lenient towards companies that show dedication to implementing a compliance program.
The CNIL will also verify compliance with the preexisting data protection rules and principles under the French data protection regulation, notably the principles of fairness, data adequacy, limited retention and security. This seems to imply that there will be little, if any, excuse for non-compliance with rules that predate the GDPR.
Finally, the CNIL announced that certain investigations on cross-border processing would be made “jointly” with other European supervisory authorities.
- Instigation of Inspections
As in the past, investigations are triggered by:
- Complaints addressed to the CNIL
- Follow-up on past inspections, formal notice or sanctions
- Information reported in the press or that is available to the CNIL
- Chosen annual topics
- The Investigation Topics for 2018
- Processing for recruitment activities
The CNIL takes an interest in the processes used in the context of recruitment. It refers to methods using “big data” and “algorithms” that aim “to predict the candidate’s performance on the job, based on a set of predetermined criteria”, and to devices analyzing the candidate’s “speech velocity” or “facial expression” during an interview, with a view to “evaluating the emotions” and “determining the capacity to occupy a position”.
Investigation will notably focus on:
- Means used for identifying the candidate
- Assessment tools used by HR teams
- Selection criteria (possibly, in relation to the proportionality and data minimization principles)
- Other aspects of the processing activity (possibly, retention period and data recipients)
We can also assume that the investigations will cover fair processing notices.
- Adequacy and proportionality of documentation required by real estate agencies from applicants
This is a typical example of an investigation in a field of public interest, aimed at acting against abusive practices.
According to the CNIL, “difficulty of access to housing is a major preoccupation of our time”. The CNIL intends to verify that real estate agencies do not collect more data than what is required by decree No 2015-1437 of 5 November 2015. This is in reaction to the existing practice of requesting “many additional documents” such as “medical records”.
The CNIL will verify lawfulness of the collection, the proportionality of collected data, the retention period and the security of documents.
- Outsourcing of paid-parking fines in public areas to private companies
Local authorities in charge of managing paid parking on public roads may outsource the management of parking fines to private companies. There have been recent scandals about how the private companies were carrying out such services.
The investigation will aim to ensure that the intervention of private providers does not prejudice citizens. The CNIL will investigate in particular the adequacy of the data provided and collected, the information given to users, the way in which data is stored and retained, as well as security measures.
Given that French public authorities have increasingly outsourced their activities to the private sector, this type of investigation is likely to become more frequent.
We will monitor and report on the outcome of this first post-GDPR investigation program.