What control strategy for 2020?

In 2020, in addition to controls following complaints, issues revealed in the news or corrective measures, the CNIL will focus its control action on 3 priority themes linked to the daily concerns of the French:

  • Health data,
  • Geolocation for local services, and
  • Cookies and other trackers.

As every year, in addition to supporting professionals in applying the GDPR, the CNIL will ensure that they comply with their obligations by checking the processing operations they have implemented.

In this capacity, it carries out thousands of investigative acts each year, in particular by investigating complaints, carrying out checks as part of the procedure for indirect right of access to certain government files, processing reports of personal data breaches or opening formal control procedures.

The latter, numbering 300 per year, make it possible to investigate complaints in greater depth, to react to current issues, to ensure compliance with previous corrective measures or to investigate certain themes deemed to be priorities.

Among these formal control procedures, more than fifty will be carried out within the framework of three themes selected as priorities for 2020:

Health data security

Recent news in the health sector (telemedicine, connected health devices, personal data breaches in public institutions, etc.) demonstrates the attention that must be paid to the security of health data processing.

Health data is sensitive data, which is subject to specific protection by texts (GDPR, Data Protection Act, Public Health Code, etc.) in order to guarantee respect for the privacy of individuals.

Through this priority theme, the CNIL intends to focus in particular on the security measures implemented by healthcare professionals or on their behalf.

Mobility and local services: new uses for geolocation data

Many solutions are being developed with the stated aim of making daily life easier: recommending suitable modes of transport based on a defined route, optimizing travel routes, etc.

These solutions most often use geolocation data and can therefore raise privacy risks.

The controls will therefore focus in particular on the proportionality of the data collected in this context, the defined retention periods, the information provided to individuals and the security measures implemented.

Compliance with the provisions applicable to cookies and other trackers

This theme, which was already announced by the CNIL in the summer of 2019, aims to ensure full compliance by professionals with their obligations regarding the monitoring of Internet users based on cookies or other trackers, notably used for advertising targeting and user profiling.

Indeed, Article 82 of the Data Protection Act, which transposes the ePrivacy Directive of 12 July 2002 into French law, has imposed a number of fundamental requirements for many years (obligation to obtain prior consent, obligation to inform the user of the purposes of the cookies placed, etc.).

The CNIL will continue to verify compliance with these basic requirements throughout 2020.

The entry into force of the GDPR, to which the ePrivacy Directive refers, has, however, reinforced certain requirements, in particular on the manner of obtaining consent, which must now be free, informed, explicit and unequivocal.

In particular, simply continuing to browse a site can no longer constitute valid consent from the user to the placement of cookies.

The CNIL was thus led to adopt guidelines last July to clarify the new state of the law.

In spring 2020, it will issue a recommendation to guide operators in the operational implementation of the new requirements.

It will give organizations a period of 6 months, from the publication of this recommendation, to comply with the new obligations resulting from the GDPR.

Controls on these new obligations will begin in autumn 2020 and continue in 2021.

These three themes were chosen by the CNIL because of their impact on the daily lives of citizens.

They target processing carried out during interactions with health professionals, when using new tools that help with daily tasks (choice of a means of transport, search for a local service, etc.) or, finally, when browsing the Web.

These three themes will represent approximately 20% of the formal control procedures carried out by the CNIL in 2020.

Indeed, as in previous years, checks will also be initiated to follow up on:

  • Complaints and claims addressed to the CNIL;
  • Current issues requiring control of the processing implemented;
  • Corrective measures (formal notices, sanctions, etc.) requiring new checks.

Finally, following on from the previous two years, the CNIL will continue its cooperation with other European data protection authorities on cross-border processing.

It will thus use the two methods of cooperation provided for by the GDPR:

  • Mutual assistance, which allows all useful information to be shared with its counterparts, and
  • The carrying out of joint operations, which allows checks to be carried out in France or within other Member States of the European Union in the presence of agents of the competent authorities.