Tag Archives: CNIL

Google Hit with Biggest Ever GDPR Fine

The biggest GDPR fine to date was recently issued by France’s National Data Protection Commission (CNIL) to Google for multiple GDPR violations, the regulator announced. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way, saying, “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.

French Data Protection Authority Reveals 2015 Inspection Program

The French Data Protection Authority (CNIL) released its annual inspection program for 2015. CNIL is able to conduct four types of inspections:

  1. Onsite inspections – CNIL may visit an organization’s facilities and access anything that stores personal data.
  2. Document reviews – CNIL may require an organization to send documents or files upon written request.
  3. Hearings – CNIL may summon representatives of organizations to appear for questioning and provide other information.
  4. Online inspections – CNIL may check whether online privacy notices comply with French data protection law and verify if users provide consent before receiving electronic marketing.

The announcement sets a target of 550 inspections for 2015. This includes 350 onsite inspections, document reviews, or hearings, and 200 online inspections. This is in line with the CNIL’s 2014 program, under which it carried out 420 of the planned inspections.

The CNIL inspections will focus on the following technologies or data processing operations:

  • Contactless payment systems – How data is secured and if customers are able to object to data processing.
  • Processing of employee personal data – Verify how organizations conduct staff surveys to assess and combat stress in the workplace.
  • Connected devices for health and well-being – Audits on connected devices to verify if users are provided information on the processing of data and giving consent.
  • Public Wi-Fi connections – Inspections to strengthen rules on the capture of data from mobile devices through public Wi-Fi to send to targeted advertisers.
  • Binding Corporate Rules – Verify if organizations meet the requirements set forth in their BCRs.

CNIL Simplifies International Data Transfer with BCRs

The French data protection authority (CNIL) announced (in French) a new procedure for registration of affiliates of groups that have implemented Binding Corporate Rules (BCRs) under French data protection law. With the current process, CNIL authorization is required for each data transfer outside the EU when done under BCRs. The new process will grant one authorization to each group operating under BCRs, and the group’s affiliates will simply be required to submit one registration for all data transfers outside the EU.

The group’s affiliates, however, will be required to maintain a list of data transfers including the following information:

  • The general purpose of each data transfer covered by the BCRs
  • The categories of data subjects affected by the data transfer
  • The categories of personal data transferred
  • Information relating to each recipient:
    • Name of the company
    • Relevant group that adopted the BCRs
    • Country where the recipient is located
    • Category of data recipient
    • Type of data processing operations performed by the recipient on the transferred data

CNIL Releases BYOD Guidelines

The use of Bring Your Own Device (BYOD) policies in France is increasing, and now the French data protection authority (CNIL) is requesting to be notified before such a policy is implemented. CNIL released a set of guidelines (in French) regarding BYOD, taking a conservative approach and advising a balance between security concerns and the privacy of employees. The guidelines are not French law, but they are indicative of CNIL’s interpretation of what is required under French data protection law.

French DPA Publishes Accountability Standard

On January 13, 2015 the French Data Protection Authority (CNIL) published a new accountability standard (in French). Companies that comply with the new standard will be eligible for an ‘accountability seal’ from the CNIL.

The main purpose of the new standard is to encourage organizations to prepare for a time when accountability will be included in the EU General Data Protection Regulation. The CNIL standard may become a precedent when other regulators develop accountability standards under the future EU Regulation.

The requirements under the CNIL accountability standard address issues such as the internal and external privacy policies, and Data Protection Officer (DPO) responsibilities. It should help organizations develop accountability programs that are likely to be in compliance with the future EU Regulation.