On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers. The Guide is divided into the following five parts, each addressing key security themes: 1) users; 2) information technology and equipment; 3 ..read more

On February 8, 2024, the French Data Protection Authority (the “CNIL”) announced the priority topics for its inspections in 2024.   In 2024, the CNIL will focus its investigations on the following priority topics: Data Collection for the Olympic and Paralympic Games. As millions of individuals are expected to travel to France for the Olympic and Paralympic Games this year, the CNIL will focus on verifying the measures that are deployed for security purposes (e.g., the use of QR codes for restricted areas, access authorizations, and the use of augmented cameras) and their impact on indivi ..read more

On January 8, 2024, the French Data Protection Authority (the “CNIL”) opened a consultation on its draft guidance for the use of transfer impact assessments (“Guidance”). In describing the Guidance, the CNIL references the decision of the Court of Justice of the European Union in Schrems II and states that exporters relying on tools listed in Article 46(2) and Article 46(3) of the EU General Data Protection Regulation (“GDPR”) for personal data transfers are required to assess the level of protection in the designated third country and the need to put in place additional safeguards (i.e., cond ..read more

On November 1, 2023, 29 nations, including the U.S., the UK, the EU and China (full list available here), reached a ground-breaking agreement, known as the Bletchley Declaration. The Declaration sets forth a shared understanding of the opportunities and risks posed by AI and the need for governments to work together to meet the most significant challenges posed by the technology. The Declaration states  that there is an urgent need to understand and collectively manage the potential risks posed by AI to ensure the technology is developed and deployed in a safe, responsible way. The Declar ..read more

October 12, 2023, the French Data Protection Authority (the “CNIL”) announced a €600,000 fine for mass media company Groupe Canal+ for failing to comply with its commercial prospecting obligations applicable under the French Post and Electronic Communications Code and several obligations of the EU General Data Protection Regulation (“GDPR”). Background The CNIL received several complaints from individuals claiming that they had difficulties in having their rights taken into account by Groupe Canal+. As a result of the complaints, the CNIL started an investigation into the privacy and data prot ..read more

On October 11, 2023, the French Data Protection Authority (the “CNIL”) published a new set of guidelines addressing the research and development of AI systems from a data protection perspective (the “Guidelines”). In the Guidelines, the CNIL confirms the compatibility of the EU General Data Protection Regulation (“GDPR”) with AI research and development. The Guidelines focus on the development stage of AI systems. The Guidelines are divided into seven “AI how-to sheets” in which the CNIL guides organizations through the necessary steps to take in order to develop AI systems in a manner compati ..read more

On May 11, 2022, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2021 (the “Report”). The Report provides an overview of the CNIL’s enforcement activities in 2021. The report notably shows a significant increase in the CNIL’s activity. In particular, the Report revealed that: The CNIL received 14,143 complaints in 2021 (+4% compared to 2020) and closed 12,522. The CNIL carried out 384 controls, issued 135 letters of formal notice and imposed 18 sanctions for a cumulative amount of more than €214 million. One of the CNIL’s priorities in 2021 was ..read more

On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection. EU data protection authorities are cooperating through the European Data Protection Board on the treatment of Google Analytics. The Danish DPA’s decision follows similar decisions by EU data protection authorities in A ..read more

On August 5, 2022, French AdTech company Criteo announced that it had received a report from the French Data Protection Authority (“CNIL”) on August 3, 2022, claiming various infringements of the EU General Data Protection Regulation (“GDPR”) and proposing to impose a €60,000,000 fine against Criteo. The proposed fine follows complaints filed by privacy NGO ‘Privacy International’ against Criteo. Under the CNIL’s sanction procedure, Criteo has the right to respond to the report, both with respect to the alleged infringements and the proposed sanction. After a formal hearing, the CNIL Sanction ..read more

On December 31, 2021, the French Data Protection Authority (the “CNIL”) imposed a €150,000,000 fine on Google and a €60,000,000 fine on Facebook (now Meta) for violations of French rules on the use of cookies. Background On October 1, 2020, the CNIL published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on acceptable methods for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”), and a set of FAQs regarding the Rec ..read more