On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year. In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:
- ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
- verifying that data controllers comply with the technical recommendations defined in their registration forms; and
- assessing the effectiveness of data protection officers within organizations.
The CNIL also intends to focus on certain business sectors and concerns, such as:
- the airline industry, including customer relations (customer databases, mileage programs, “no-fly” lists, passenger name record data), airport security (body scanners, cameras in airports) and biometric passports;
- the real estate industry, including the collection of personal data by real estate agencies, test screenings, blacklisting and discriminatory practices;
- the protection of minors, including verifying the collection of personal data about minors, particularly in the context of direct marketing to minors by online merchants; and
- the use of closed-circuit television (“CCTV”) for video surveillance, including verifying that such surveillance systems comply with the Data Protection Act and respect the privacy rights of individuals.
In 2009, the CNIL conducted 270 on-site inspections, representing a 27% increase over 2008. According to the CNIL, this increase in inspections and the more effective enforcement are a result of the strengthening of the CNIL’s powers in 2004. Of the 270 inspections, 22% led to warnings or sanctions, and 85% targeted private sector entities. The CNIL also noted that 92% of the organizations it inspected had not appointed a data protection officer.