Paris, July 24, 2019 – The GDPR has been in force for one year. Many companies have initiated compliance processes.
The CNIL has made some notable decisions, mainly sanctioning the non-respect of key principles (existing under the previous Computer and Freedom law).
The CNIL continues its work in verifying that the principles of these texts are respected, while announcing in parallel a new text regarding cookies.
May 25, 2019 marked the anniversary of the entry into force of the GDPR.
The principles and content of the GDPR are now known, mainly:
Some notable decisions
Since May 2018, the CNIL, the French authority in charge of the regulation and control of personal data processing, has issued a number of decisions of formal notice or sanction. Most of these decisions were rendered under the aegis and principles of the Data Protection Act.
Among the most significant decisions, it can be noted that the breaches of data security obligations were particularly sanctioned (including Uber: 400,000€ fine, Optical Center:
250,000€ fine reduced to 200,000€ by the Council of State, SERGIC: 400,000€ fine).
The non-respect or the misappropriation of the purposes for which data had been collected were also the subject of decisions (Rennes Public Housing Office (OPH) decision: 30,000€ fine, formal notice to Humanis and Malakoff-Médéric to stop processing data initially collected for a mission to implement supplementary pension plans for commercial prospection).
The decision, made under the GDPR, imposing Google with a 50 million euro fine sanctions Google’s failures regarding:
Beyond the sanction, this decision is informative for the drafting of these two types of documents (in particular with regard to what not to do). It contains a detailed analysis of the conditions for obtaining consent and information for individuals (including the granularity of information, its accessibility, and its comprehensibility).
For most companies, this first year has been marked by intense compliance activity with significant investments being made, in particular for IT and digital service providers.
From a contractual point of view, discussions between clients and their service providers have mainly focused on the adjustment of contracts (or the establishment of new contracts) to take GDPR provisions into account and, in particular Article 28 thereof.
It should also be noted that the division of responsibilities between the controller and subcontractors is part of the CNIL’s control strategy for 2019-2020 (see § below).
The CNIL took advantage of this anniversary to communicate its control strategy for the coming year. Control will be focused around three themes:
In parallel, the CNIL will continue to support professionals in applying the GDPR and monitor compliance with their obligations.
Finally, the CNIL has placed the issue of targeted online advertising in its 2019-2020 action plan, which covers the following points:
The CNIL has announced the publication of new guidelines for July 2019. The “cookies” recommendation of 2013 – which allowed consent to be obtained by simply continuing navigation – will therefore be repealed.
These new guidelines will specify in particular the conditions for obtaining consent.
A 12-month transitional period will be provided to companies for their application of the new principles.
A new recommendation, developed in concertation with professionals by December 2019 – early 2020, will propose operational modalities for obtaining consent.
The CNIL will verify compliance with this final recommendation 6 months after its definitive adoption.
One year after the entry into force of the GDPR, the legislative environment is gradually stabilizing.
The implementation phase has been completed; the CNIL now announces a vigilant approach to monitoring compliance with the GDPR. If it has not already been done, the different parties concerned, companies, public organizations and associations, must imperatively tackle this issue head-on.
