On May 19, 2014, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2013 (the “Report”) highlighting its main accomplishments in 2013 and outlining some of its priorities for the upcoming year.
The Report discusses the proposed EU General Data Protection Regulation, and reiterates the CNIL’s main concerns with the proposal, namely:
- The one-stop-shop mechanism: according to the CNIL, it needs to provide better protection for individuals and allow for oversight by the data protection authority of the EU Member State where the individuals reside;
- Pseudonymous data: in the CNIL’s view, pseudonymous data should not benefit from a specific derogatory regime; and
- The risk-based approach: the approach should not exempt the data controller from its general obligation to comply with the Regulation.
The Report further discusses the French government’s proposed new Digital Act, which was announced in February 2013. The Report includes several recommendations for French lawmakers to consider, such as allowing individuals to request access to their personal data electronically, and increasing the CNIL’s maximum fines.
The following are some of the other highlights from the Report:
- In 2013, the CNIL received 5,640 complaints (a number which is slightly down from 2012). 34% of these complaints concerned the Internet/telecoms sector and related to issues such as erasing texts, photographs, videos, contact details and comments on the Internet; 19% of the complaints focused on issues like the right to object to receiving marketing emails, the retention of banking data, etc.
- In 2013, the CNIL conducted 414 inspections. More than 130 of these inspections were related to video surveillance systems (CCTV systems). In most cases, the CCTV systems were composed of several CCTV cameras, some of which captured images of public areas (and thus are regulated by the French Code of Internal Security), while other CCTV cameras captured sites not open to the public (and thus are subject to the French Data Protection Act). According to the Report, the main infringements were related to (1) failure to notify the CNIL of the CCTV system or obtain authorization from the appropriate authorities; (2) a lack of information or insufficient information to individuals; (3) retaining personal data for a longer period than authorized by the prefect or recommended by the CNIL; and (4) failure to implement adequate security measures.
- Since 2011, the CNIL has received 31 data security breach notifications (15 in 2013 and 2 in 2014). The CNIL has already served 10 formal notices and adopted 8 sanctions related to these breaches. The Report reiterates that the CNIL’s inspections in 2014 will focus on how telecommunications service providers manage data security breaches.