On May 25, 2015, the French Data Protection Authority (“CNIL”) released its long-awaited annual inspection program for 2015. Under French data protection law, the CNIL may conduct four types of inspections: (1) on-site inspections (i.e., the CNIL may visit a company’s facilities and access anything that stores personal data); (2) document reviews (i.e., the CNIL may require an entity to send documents or files upon written request); (3) hearings (i.e., the CNIL may summon representatives of organizations to appear for questioning and provide other necessary information); and (4) since March 2014, online inspections.
The CNIL announced that a target of 550 inspections was set for 2015, comprising 350 on-site inspections, document reviews or hearings, and 200 online inspections. The CNIL had set the same target last year but carried out only 421 inspections in 2014 (including 58 online inspections from October to December 2014) because of the time it took to set up the online inspection procedure.
The CNIL further announced that a quarter of the on-site inspections will focus on closed-circuit television (“CCTV”) monitoring, which has always been a charged issue for the CNIL. In addition to CCTV monitoring, the CNIL’s inspections will focus on the following technologies or data processing operations:
- Contactless payment systems: In particular, the CNIL will verify how data are secured and whether customers’ right to object to the data processing is taken into account;
- Companies’ processing of employee personal data for the management of psycho-social risks at the workplace: The CNIL will verify how companies have conducted staff surveys to assess and better combat stress at the workplace;
- National Register of driving licenses held by the French Ministry of the Interior: This includes sensitive data related to registered driving licenses (e.g., administrative sanctions imposed on drivers and convictions or offenses against them). In this respect, the CNIL will verify, among other things, whether data is updated, how drivers can access their data, and how their data is secured;
- Connected objects for “well-being and health”: The CNIL will audit connected objects and related online services for health and well-being to verify whether users are provided with specific information on the data processing and whether their consent is obtained;
- Public Wi-Fi connections: The CNIL will conduct inspections to strengthen its doctrine on the capture of data from customers’ mobile devices through publicly available Wi-Fi hotspots (e.g., in shopping malls) to track customers, and in particular, to send them targeted advertisements;
- Data processing operations covered by Binding Corporate Rules (“BCRs”): To date, 68 companies have adopted BCRs and no ex-post control has been carried out by Data Protection Authorities (“DPAs”) in the EU. The CNIL intends to inspect some of these companies (most likely those that chose the CNIL as the lead DPA for the review of their BCRs) in order to verify whether they meet the commitments made in their BCRs and to assess the impact of BCRs on data protection and privacy within their group. It is expected that the CNIL will conduct online inspections to verify BCR commitments (e.g., whether a summary of the BCRs is available on the company’s website).
Similar to 2014, the CNIL announced that it will continue to conduct investigations in cooperation with other DPAs, such as the recent audits targeting child-directed websites and apps that the CNIL conducted in coordination with 28 other DPAs within the Global Privacy Enforcement Network.