On April 15, 2019, the French Data Protection Authority (CNIL) published its 2018 activity report and announced its 2019 enforcement agenda. The CNIL’s message is clear: if some leniency was tolerated in 2018, this transitional period for GDPR enforcement is now over. Going forward, the CNIL will adopt a stricter approach when investigating companies’ GDPR compliance and make full use of its enforcement powers, including the power to fine.
As of May 25, 2018, the EU General Data Protection Regulation (GDPR) imposes new and strict obligations on companies processing personal data. Most EU privacy regulators adopted a somewhat lenient approach when enforcing the new rules. Beside the €50 million fine against Google in early 2019, the CNIL has not made broad use of its enforcement powers since the GDPR became effective. All in all, 2018 was a transition year to allow companies to bring their practices into compliance.
Increased GDPR Enforcement Expected in 2019
According to the CNIL, leniency is over: the CNIL will now use the full range of its enforcement powers, including fines of up to €20 million or four percent of the global annual turnover, whichever is higher. Under the new rules, the CNIL can also conduct online investigations under an alias or invite members of other EU privacy regulators to participate in investigations. When imposing sanctions, the CNIL will take into account (i) the severity of the violation of the GDPR; (ii) the sector and size of the company; and—importantly—(iii) the company’s attitude and readiness to cooperate with the regulator.
Areas of Focus on the CNIL’s 2019 Enforcement Agenda
The CNIL will focus on three main areas when reviewing companies’ privacy practices in 2019:
- Individuals’ Rights. First, the CNIL plans to verify how companies comply with their obligations in relation to individuals’ rights. Under the GDPR, individuals have the right to be informed of how their personal data is processed, the right to access, rectify or delete their personal data, restrict or object to its processing, and a right to data portability. Companies have, in principle, 30 days to respond to such requests.
- Controller – Processor Relationship. The CNIL announced that it will pay particular attention to the repartition of obligations between the controller and the processor, and to the direct responsibility of the processor under the GDPR. The GDPR imposes some obligations directly on processors (e.g., to keep internal records of processing), and requires the controller and processor to conclude a data processing agreement that must include some specific provisions.
- Children’s data. Specific rules apply to the processing of personal data related to children. The threshold is set at 16 years old, but national rules may set the bar as low as 13 years old. The French legislator set the bar at 15 years old. The CNIL announced that it will investigate how companies processing children’s data obtain parental consent, where such consent is required.
Although not on the top three list, data security also remains an important area of concern for the CNIL. In particular, the CNIL stated that it will verify whether companies have implemented internal processes to mitigate and log personal data breaches. The CNIL clarified that it may take action and impose sanctions against a company even if the company notified the CNIL of the personal data breach within the 72-hour timeframe.
May 25, 2019, will mark one year since the GDPR became fully applicable. So far, the number of enforcement actions that have become public is relatively limited, although a number of key decisions are due in the next few months. The year 2018 has been a transition period for both companies and EU privacy regulators. As time progresses, we expect regulators to take a stricter stand on GDPR compliance, bring more enforcement actions, and make use of their full powers over the coming months and years.