On May 11, 2022, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2021 (the “Report”). The Report provides an overview of the CNIL’s enforcement activities in 2021. The report notably shows a significant increase in the CNIL’s activity.

In particular, the Report revealed that:

  • The CNIL received 14,143 complaints in 2021 (+4% compared to 2020) and closed 12,522. The CNIL carried out 384 controls, issued 135 letters of formal notice and imposed 18 sanctions for a cumulative amount of more than €214 million.
  • One of the CNIL’s priorities in 2021 was to verify companies’ compliance with the new cookies rules. The CNIL received more than 250 complaints concerning non-compliant cookies practices, which resulted in the issuance of 89 letters of formal notice and four sanctions.
  • The CNIL continued focusing on the security of health data, particularly in relation to processing activities related to the COVID-19 pandemic, and conducted 30 new control missions aimed at medical testing laboratories, hospitals, health data brokers and service providers. Some of these investigations remain ongoing to date.
  • The CNIL also focused its activities on the topic of cybersecurity. The Report indicates that the CNIL received 5,037 data breach notifications in 2021, amounting to an increase of approximately 79% in comparison to 2020.

In addition to its investigatory and sanctioning power, the CNIL continued collaborating closely with other European and international supervisory authorities on various topics, including:

  • The CNIL participated in work aimed at strengthening EU digital sovereignty. As part of this effort, the CNIL contributed to the efforts of the European Data Protection Board regarding the EU Data Governance Act, the Digital Services Act, Digital Market Act and the Artificial Intelligence Regulation (the “AI Regulation”).
  • The CNIL continued its efforts regarding the Schrems II judgement by the Court of Justice of the European Union.
  • The CNIL also took part in the 43rd annual meeting of the Global Privacy Assembly. During the meeting, five important resolutions were adopted, two of which the CNIL co-authored: one on the regulation of government access to data held by private sector entities, and another on the protection of minors’ digital rights.

According to CNIL President Marie-Laure Denis, in 2022, the CNIL will focus on continuing its collaborative regulation strategy and coordinating its efforts with stakeholders involved in the privacy field.

Download a copy of the Report (only available in French).