Cnil delivers an annual report of its activities showing various elements. Complaints hit a record high in 2021, as did data breach notices related to cyberattacks. The regulator also aims to continue its support and educational role on the GDPR and other topics.
After two years of remote presentation, mandated by the pandemic, Marie-Laure Denis, the president of the CNIL presented the Commission’s 2022 annual report. Looking at last year’s activities, he judged 2021 as “extreme”. And the numbers prove him right on a number of complaints that reached a record 14,143 complaints that led to 384 checks, 135 formal notices and penalties for a total amount of 214 million euros. To explain the high level of these complaints, Xavier Delporte, former head of the rights enforcement and complaints department at Cnil, stressed the “continued impact of the GDPR” and to identify the top 3 complaints, ” deleting data on the Internet, searching by e-mail or mobile, tracking employees, especially through video ”.
Cybersecurity and cookies drive Cnil into 2021
Still in terms of intensity, Cnil teams are strongly mobilized on cybersecurity topics and in particular data breach notifications. In 2021, more than 5,000 notifications were sent, an increase of 79% compared to 2020. “It is an awareness of this obligation by companies and organizations to also be placed in tandem with the strong increase in cyber-attacks,” said Armand Heslot, head of Cnil’s technological expertise department. These attacks generated 3,000 notifications (+128% compared to 2020) and 43% of them were related to ransomware. For the manager, “all sectors and types of business, even in 2021 the health sector will be severely attacked in the context of the health crisis”.
Another area that mobilized the CNIL last year: cookies. “There was clarification of the legal framework by conducting discussions with all players, a transitional period to comply, a campaign of controls, 89 formal notices and financial penalties”, said Marie- Laure Denis. Of course, the € 210 million fines imposed on Facebook and Google last January show the impact of regulations on this topic. Both players are obligated to include on their page cookies, a “reject cookies” button to comply. One thing is certain, the methodology used for cookies will be applied to the next CNIL work for 2022-2024, such as “enlarged or so-called smart cameras, data collection through mobile applications and data transfer in the cloud ”said the president.
Google Analytics, Clearview AI and enhanced program support
The independent administrative authority also discussed the topics to be discussed in the coming months. So in Google Analytics, Cnil put some sites on notice to stop using this service. “There were 3 complaints and the formal notice left 1 month that could be renewed to comply”, Marie-Laure Denis said. Therefore, the Commission will look at whether this compliance is effective, “but beyond that, we must support websites, particularly e-commerce sites, in implementing alternative solutions and compliance.” At the origin of this case, the transfer of data between the EU and the United States remains uncertain despite the announcement of an agreement in a text replacing the Privacy Shield. “Today, there is no legal framework,” the president recalled. Finally, a formal notification procedure against the Clearview AI company was launched last December and “we have not received a response from the company, a restricted training meeting is therefore expected,” the manager announced. with potential penalties.
If sanctions and controls are the most public part of Cnil, it also wants to emphasize the inclusion of companies and professionals who specialize in protecting personal data with tools and services. Among the tools, the Commission inaugurated in 2021 a “sandbox” in health data with at least 12 projects, 4 of which benefit from reinforced support (e.g., Lille University Hospital and Inria in studies combined with artificial intelligence applied to clinical studies). In 2022, this sandbox model will be renewed and allocated to digital educational tools. Finally, to assist DPOs, Cnil is reorganizing to create a data protection support service and delegates, specifically to missions in the regions to promote the GDPR. The CNIL president will launch the new GDPR MOOC before the summer.