On March 28, 2017, the French Data Protection Authority (“CNIL”) published its Annual Activity Report for 2016 (the “Report”) and released its annual inspection program for 2017.
The Report presents the main accomplishments in 2016 and highlights the diversified activity at both the national and EU level with the adoption of two major pieces of legislation, namely:
- The EU General Data Protection Regulation (“GDPR”), which imposes new accountability obligations, including the obligation to (1) keep records of data processing activities, (2) notify data breaches and (3) in some cases, appoint a data protection officer. The CNIL estimates that the GDPR will lead to the appointment of a data protection officer in at least 80,000 to 100,000 organizations in France.
- French Law of October 7, 2016 for a Digital Republic, which created new data protection rights, such as (1) the right for individuals to give instructions relating to the storage, erasure and disclosure of their personal data after their death, (2) the right to be forgotten for minors and (3) the possibility to exercise data protection rights by electronic means. This legislation strengthens the transparency requirements and increases the maximum level of fines from €150,000 to €3 million for data protection infringements.
Against that background, the Report highlights that the CNIL received a high number of complaints in 2016 (7,703 complaints, a similar number to the record number of 7,900 complaints in 2015). These complaints mainly concerned the following issues or sectors:
- dissemination of personal data on the Internet (e.g., blogs, websites or social networks), and in particular, the erasure or rectification of personal data (33 percent of complaints). The Report emphasizes that the CNIL received a total of 410 complaints following delisting refusals from search engines;
- marketing issues, and in particular, direct marketing by email, telephone or regular mail (33 percent of complaints);
- human resources issues such as excessive video surveillance and refusal to grant access to the employee file (14 percent of complaints);
- bank and credit issues such as failure to cancel the registration in the National Database on Household Credit Repayment Incidents (9 percent of complaints); and
- health and social sector issues such as difficulties accessing medical or social records, and the creation of pharmaceutical records without consent (3 percent of complaints).
The Report further presents the first results of the inspections conducted by the CNIL in 2016 (i.e., 430 inspections, including 100 inspections conducted remotely). The CNIL announced that the inspections for 2017 will focus on the following topics:
- confidentiality of health data processed by insurance companies;
- files of French intelligence services; and
- smart TVs.
Finally, the Report outlines some of the topics that the CNIL will further consider in 2017, including algorithms and the place of citizens in smart cities.