On March 12, the French Data Protection Authority (CNIL) published its inspection strategy for 2020.
The publication of the CNIL’s annual control program is always an important element that companies should take into consideration in order to be prepared. While the CNIL's on-site inspections will necessarily be postponed in the immediate future due to COVID-19, this program covers the entire year and also concerns its other inspection methods, which are carried out online, on the basis of documents or by mail. The CNIL indicates on its website that it carries out thousands of investigations each year.
Whatever its method, an audit may follow a complaint (from customers, employees, Internet users, associations, trade unions, etc.), a topic revealed in the news or a data breach, or it may be part of the CNIL's annual program.
The control strategy for 2019 was characterized by the authority’s intention to put an end to the post-GDPR transition period, as the CNIL considered that companies had by then had sufficient time to complete their compliance programs under the new regulation.
For 2020, the French authority declared that it will concentrate about 20% of its action on 3 main areas:
• Security of health data,
• New uses of geolocation data,
• Cookies and other tracking devices.
In 2019, the subject matters of the CNIL’s program were data subjects’ rights, children’s personal data, and the allocation of responsibilities between data controllers and data processors.
Processing involving geolocation data and cookies uses large volumes of data; the CNIL considers such processing to be particularly intrusive in the everyday life of the French people.
In all respects, the CNIL wishes to address the privacy issues and concerns raised by these new uses, which now affect all aspects of everyday life and have an impact on people's relationship to health, mobility and online services.
The CNIL has already addressed the processing of geolocation data in the Ad Tech sector over the last few years. This year, the authority will also monitor local and mobility services that use geolocation (for example, optimisation of travel routes, exchange platforms or other services). The authority states that it will in particular monitor the proportionality of the data collected, the data retention periods, the information provided to the data subjects and the security measures.
However, it should be noted that the CNIL has already initiated several investigations into major online advertising companies, encouraging them to acknowledge the new draft recommendation and to help online users keep control over their personal data. The CNIL has also already launched other inspections since the beginning of the year on the themes of its inspection program for 2020.
In the current context, on-site inspections will most likely be postponed until the end of the health crisis that France is going through, or at least until after the containment measures announced by the French government on 16 March 2020. Nevertheless, the CNIL agents remain in operation, remotely, which means that the other types of inspections could be carried out (or could even replace certain inspections initially planned on site).