Every year, the French data protection authority, the CNIL, issues a report containing information and statistics on the past year and outlining its priorities for the next year. The CNIL recently published its 32nd Annual Report for 2011.
In 2011, the CNIL:
- Conducted nearly 400 controls and audits (+ 25% versus 2010).
- Received nearly 6,000 complaints (+ 19% versus 2010).
This demonstrates a sharp increase in the CNIL’s control and sanction activities.
Highlights of 2011
CNIL’s extended scope of competence for:
- Video-surveillance systems installed on the public highway (150 video-surveillance systems were audited in 2011);
- Reporting of breaches of personal data protection by providers of electronic communications services.
CNIL’s newly-assigned power of certification:
- Possibility for the CNIL to grant certification labels to data protection training programs (intended to deliver and develop the knowledge and know-how necessary to ensure compliance with the Data Protection Act) and data processing audit procedures (intended to assess the legal compliance of personal data processing operations).
- The Alain Bensoussan law firm is proud to have been granted the CNIL certification label for its data privacy training programs.
CNIL’s 32nd report particularly focuses on issues directly impacting business and global groups:
Whistleblowing: Amended scope of the Single Authorization AU-004
- The scope of the Single Authorization AU-004 designed to simplify procedures for companies implementing ethical business alert systems has been amended to be in line with actual business practices. This was a “necessary clarification to provide for enhanced legal security”;
- Nearly 400 notifications of compliance with the Single Authorizations were filed with the CNIL in 2011;
- In 2011, for the first time, the CNIL authorized two companies to implement an ethical business alert system dedicated to complaints and claims about discrimination.
Cloud Computing: Public consultation
- The boom of cloud computing in small businesses and multinationals is a challenge for personal data. In 2011, the CNIL launched a public consultation designed to collect the opinions of Cloud stakeholders on the issue of personal data protection and security in the Cloud. The consultation led to the publication by the CNIL of practical recommendations on measures to be adopted.
Revision of EU Data Protection Rules
- The CNIL is closely involved in the new EU legal framework for the protection of personal data and in particular the proposal for a General Data Protection Regulation.
- This proposal includes, inter alia, data protection by design requirements applicable across sectors, products and services (Privacy by Design).
The 2012-2013 period promises to be action-packed based on the CNIL’s future auditing plan. The CNIL intends to increase its controls, focusing on key sectors such as:
- Video-surveillance (systems used by towns and public establishments);
- Telephones (smartphones and related applications);
- Health (personal medical records, storage of health data using cloud computing solutions);
- Security (ISPs and data breach).
Companies are therefore strongly recommended to implement relevant actions to guarantee their compliance with the French data protection rules and anticipate the revision of the legal framework on the protection of personal data.