Category Archives: France

Commission Nationale de l’Informatique et des Libertés (CNIL)

The passing of the Digital Republic Bill: its implications for organizations

In October 2016, the new Digital Republic Bill (hereinafter, the Bill) was passed in France, implementing significant changes for organisations.

Data subjects now have the right to access and control their personal information, including how long their data is stored and how it will be used, as well as the right to be forgotten, or the right to request that personal data be removed without delay in the case of minors.

It also contains a provision allowing any interested person to obtain, free of charge, a copy of any of his data resulting from the use of an online service provided by a service provider, except for data that has been significantly enriched by the service provider.

In addition, the sanctions that can be imposed by the Commission Nationale de l’Informatique et des Libertés (CNIL) have increased from €150,000 up to €3 million, in accordance with the new General Data Protection Regulation (GDPR) that will come into force in 2018.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Rules for the use of personal data in electoral campaigns

In July 2016, France’s National Data Protection Commission (CNIL) issued a formal notice to Microsoft Corporation urging it to make Windows 10 comply with French data protection law. The CNIL criticized the company for three actions:

a) tracking its users’ web browsing habits without their consent,

b) failing to offer proper security protections, and

c) delivering targeted advertising materials without the user’s consent.

This notice does not seek to prohibit Microsoft from using its services to advertise, but seeks to enable users to make their choice freely, having been properly informed of their rights.

Consequently, the CNIL gave the company three months to comply with its order to stop collecting personal data without the consent of the users concerned. Otherwise, the company may face sanctions of up to 150,000 euros.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Guidance on political campaigning

On October 20, 2016, the French Commission Nationale de l’Informatique et des Libertés (CNIL) issued guidance on political campaigning that regulates how political parties must address electors and process their personal data according to the French Data Protection Act.

The guidance also covers how to process personal data across the wide range of channels that political parties or candidates use during a political campaign, especially communication by phone, text or video message (SMS, MMS), automatic calling machines and social networks, and clearly establishes how to comply with the requirements stated in national law.

In this regard, the CNIL stresses that political parties, which can purchase or lease a file of customers or prospects, must be transparent about the processing of personal data. In addition, the CNIL aims to reinforce the following points:

– When the data are initially collected, customers and prospects must be warned from the outset of the potential use of their personal data for purposes of political communication,

– All political communication messages must specifically mention the origin of the data used (e.g. consular electoral lists of a given year, the commercial database of a given company, voluntary subscription to a given website, etc.), not only in the first message received but in every communication message.

Apart from that, the guidance sets out in detail the information that party activities and campaigns (especially political communication messages) must contain, and how to object to receiving further political communication via email.

Commission Nationale de l’Informatique et des Libertés (CNIL)

CNIL issues Internet Sweep Outcomes on Connected Devices

On September 23, 2016, the French Data Protection Authority (CNIL) issued the outcomes of the Internet sweep on connected devices that was conducted last May to evaluate the quality of the information that operators provide to end users, as well as the level of user empowerment and the degree of security of personal data.

This initiative, announced by the CNIL last April and organised by the Global Privacy Enforcement Network (GPEN), forms part of a coordinated online audit to analyse the impact of ordinary IT devices.

Data protection authorities throughout the world took part, and more than 300 connected devices were examined and audited. In France specifically, the CNIL tested 12 connected devices in the fields of home automation, health and well-being, and concluded that:

1. Users of connected devices are not adequately informed of the processing of their personal data, as the products did not provide users with appropriate information about how their personal data would be processed.

2. Users have an acceptable degree of control over their personal data, as the personal data was subject to the user’s consent.

Like the other DPAs, the CNIL announced that it reserves the right to conduct more inspections in order to assess the compliance of connected devices with the French Data Protection Act.

French Parliament

French Parliament adapts National Law to take into account CJEU ruling and GDPR

On June 30, 2016, representatives of the French Parliament reached a common position on the French “Digital Republic” bill. This new law, which should normally be adopted in October 2016, significantly amends various aspects of the French Data Protection Act.

More specifically, a Joint Committee of both French legislative chambers (National Assembly and Senate) approved amendments that comply with the latest jurisprudence (the “Digital Rights” case) of the Court of Justice of the European Union (CJEU) and anticipate obligations set out by the EU General Data Protection Regulation (GDPR) in article 13.2.a. The amendments include the obligation for companies to inform individuals of the data retention period. If companies are unable to provide this information, they are obliged to state the criteria used to determine that period. At present, businesses in France are not required to specify data retention periods in their privacy notices.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Google appeals CNIL’s order for global “right to be forgotten” to highest court

The CNIL announced on March 10, 2016 that it was imposing a fine of 100 000 euros on Google. The fine was imposed for violation of data subjects’ right to object to the processing of their personal data and their right to delete their personal data, as interpreted by the Court of Justice of the European Union (Google Spain decision of July 2014). The Court stated the obligation for Google to remove inadequate or irrelevant information from web results appearing under searches for people’s names. On 19 May 2014, Google appealed the CNIL’s order to remove certain web search results globally.

Background of the case:

After the Google decision in 2014, Google created a procedure for submitting removal requests. If a removal request was accepted, Google decided to remove links from search results on all EU Google Search domains. For instance, if Google approved a request from a Spanish national, the inappropriate link would not be available in search results from or from searches executed from any other EU domain (,,…). In March 2016, Google announced that it would “use geolocation signals (like IP addresses) to restrict access to the delisted URL on all Google Search domains, including, when accessed from the country of the person requesting the removal.” For instance, if Google delists a URL as a result of a request from Pierre Dupont in France, users in France would not see the URL in search results for queries comprising “Pierre Dupont” when searching on any Google Search domain (including Users outside France could see the URL in search results when they look for “Pierre Dupont” on any non-European Google Search domain.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Launch by the GPEN of the 2016 Global Privacy Sweep in the “Internet of Things”

A Privacy Sweep, an international evaluation dedicated to verifying respect for privacy in the Internet of Things, was launched on 11 April 2016. This initiative is coordinated by the Global Privacy Enforcement Network (GPEN), the international network that seeks to strengthen cooperation between the DPAs of different countries around the world, and will examine the data protection documentation and practices related to Internet-connected devices.

DPAs are free to choose the categories of products that they will examine (smart meters, smart watches, internet-connected thermostats…). The French CNIL has declared that it wants to focus its investigation, which will start in May 2016, on three different categories that could impact privacy in everyday life: Smart Home devices (connected cameras that are able to detect movement or measure the quality of air, smart fridges that inform about expired products, or smart meters), health items (blood pressure or glucose monitors that collect health-related data) and wellness-related objects (smart watches and bracelets that collect localization data or calculate the number of steps taken daily or the calories consumed). In practice, the CNIL will assess the quality of the information delivered, the security level of the data stream and the degree of control users have over the use of their personal data (consent, the exercise of their rights, deletion of data, etc.). By contrast, the Italian Garante will focus on only one issue: Smart Home devices. The Irish Data Protection Commissioner, for its part, will review devices such as smart electricity meters, fitness trackers and telematics. Other topics, like the examination of privacy communications on websites on which devices that relate to smart metering systems are found, will be studied by the Belgian Privacy Commission. Among non-European DPAs, the Office of the Privacy Commissioner of Canada will examine the privacy practices in health devices.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Google fined by French data protection authority over ‘right to be forgotten’

On 10th March 2016, the French data protection authority (CNIL) issued Decision no. 2016-054, in which it fined Google Inc. €100,000 for failing to properly implement the so-called “right to be forgotten”.

The decision is based on the Judgment of the Court of Justice of the European Union (“ECJ”) in Costeja v. Google, which stated that internet users residing in Europe could ask search engines to delist their personal data. Those whose requests to delist Internet links on the “Google Search” engine had been turned down lodged complaints with the CNIL and, after an investigation, Google was asked to delist several results.

For some requests, Google carried out the delisting only on the search engine’s European geographic extensions and, therefore, content delisted in France remained accessible in other non-European countries. In May 2015, the CNIL issued a formal order to the company to extend delisting to all of the extensions, since the Chair considered that delisting must be carried out on all of the extensions under the CJEU ruling.

Google stated that a global delisting would disproportionately undermine the freedom of expression and information.

The CNIL answered that the aim of its decision is to guarantee effective and complete protection of data subjects, and a sanctions procedure against the company was initiated.

Commission Nationale de l’Informatique et des Libertés (CNIL)

CNIL states that Facebook is breaching data protection rules

On 8 February 2016, the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Facebook after an investigation in which several practices were found to violate users’ privacy under the French Data Protection Act.

In this regard, the CNIL identified that Facebook has been collecting information on Internet users who did not have accounts on its platform but who visited public Facebook pages, and that cookies were used to track their browsing activities. The social network therefore failed to obtain users’ consent and did not appropriately inform users of the ways in which it used cookies, violating their fundamental rights and interests, including their right to respect for private life. Apart from that, Facebook has been collecting sensitive data on users, such as sexual orientation, political views and affiliations, and religion, without the explicit consent of account holders.

Finally, the CNIL also ordered Facebook to stop transferring user data to the US under the Safe Harbor Agreement, following the ruling that invalidated data transfers between the EU and the US, and for which a replacement Act called the EU-US Privacy Shield has been negotiated.

Commission Nationale de l’Informatique et des Libertés (CNIL)

CNIL releases its guide concerning privacy impact assessments

Following the agreement reached between the Council, Commission and Parliament on 15 December, useful new mechanisms are starting to be released.

The European Union Agency for Network and Information Security (ENISA) issued a document titled Privacy and Data Protection by Design – from policy to engineering, which outlines the efforts made by EU data protection authorities, especially the Commission Nationale de l’Informatique et des Libertés (CNIL). In this regard, the CNIL published a guide for carrying out Privacy Impact Assessments (hereinafter PIAs) in accordance with Article 34 of the French Data Protection Act and the forthcoming paragraph 1 of Article 23 GDPR to help data controllers implement Privacy by design.

The method aims to help data controllers implement Privacy by design. To that end, the CNIL issued a much more efficient method, which is composed of two guides. On the one hand, the methodological approach document explains how to carry out PIAs, describing how to use the EBIOS method in the specific context of personal data protection. On the other hand, the tools document (templates and examples) covers each specific tool: tools for context study, tools for controls study, tools for risk study and tools for validating the PIA.

Ultimately, the manual issued by the CNIL stresses two basic pillars of PIAs. First, the fundamental principles and rights, which are “non-negotiable”, fixed by law, and must be complied with. Second, privacy risk management, which makes it possible to determine the appropriate technical and organizational controls to protect personal data.