Noteworthy Information in the French Data Protection Authority’s (CNIL) Newly Published 2021 Annual Report – Lexology

The French data protection authority, the CNIL, has published its annual report for 2021 (in French) which contains some useful information and figures notably on complaints, investigations and sanctions as well as standards of references issued by the CNIL in relation to specific processing activities.

Complaints

In 2021, the CNIL received 14,143 complaints (an increase of 7% compared to 2020 but similar to 2019) out of which:

Some complaints have been transferred to another lead authority under the one stop shop and cooperation rules.

The CNIL also received 5,882 indirect data subject access requests (indirect access is the only route available for certain databases, such as those of the police or secret services).

The CNIL reports that many complaints have been made about organizations that are established outside of the EU (UK, Switzerland, United States of America, Canada, Russia, Australia, South Korea and China) mainly in relation to the publication of data on the Internet.

Investigations

The CNIL carried out 384 investigations, 31% of which followed from complaints or reports.

The CNIL highlights:

Cookie compliance has been one of the priority themes set by the CNIL for 2021 and the CNIL has launched an unprecedented control campaign.

The CNIL also continued its control activities on the security of health data by investigating 30 medical analysis laboratories, hospitals, service providers and data brokers, notably in relation to COVID-19 pandemic related data. Some of these procedures are still ongoing.

The CNIL audited 22 organizations, 15 of them public bodies, with respect to their level of internet security. The investigations revealed obsolete cryptographic cipher suites that left websites vulnerable to attacks, shortcomings concerning passwords and, more generally, insufficient resources devoted to current security issues.

Sanctions

The CNIL issued:

Out of the 18 sanctions,

The most frequent breaches include:

The CNIL also issued two public sanctions against the Ministry of the Interior, concerning the illicit use of drones and poor management of the automated fingerprint file (FAED).

Investigation program for 2022

In February, the CNIL published the priority topics of its 2022 investigation program, which accounts for around one third of its investigations, covering the following three major topics:

This follows the numerous complaints received on this topic and the publication, in February 2022, of a new commercial management reference framework, which in particular frames the conduct of commercial prospecting. The CNIL intends to investigate data brokers and other intermediaries.

The significant shift to teleworking has led to the development of specific tools, including tools that allow employers to monitor the daily tasks and activities of employees more closely. The CNIL considers it necessary to check employers' practices in this field.

The CNIL intends to explore issues relating to data transfers and the management of contractual relations between data controllers and cloud solution providers acting as subcontractors.

The CNIL received 5,037 data breach notifications (a 79% increase compared to 2020), of which 63% were due to an external cause (accident or malicious act). The CNIL considers that this figure is still too low compared to the number of data breaches that actually occurred.

The CNIL responded to 22 parliamentary hearings and issued 121 opinions on bills and decrees. 16 of these opinions concerned how data processing was implemented in the context of the fight against the COVID-19 pandemic.

The CNIL also handled 576 health authorization applications in 2021 and issued 54 research authorizations on COVID-19.

In 2021, the CNIL adopted several standards of reference and sectorial recommendations. These included:

The CNIL has also developed tools to foster virtuous digital innovation, in particular through its start-up strategy deployed in 2017. This year, this resulted in the launch of a first personal data sandbox for health. As a result, 12 projects have been supported by the CNIL, including 4 with reinforced support.
