On May 25, 2015, the French data protection authority (CNIL) published its annual inspection program¹ for 2015, unveiling its objectives and priorities for the year. This alert highlights the main priorities of the CNIL for 2015. Companies that operate in one of the sectors identified by the CNIL and that have an establishment in France or provide products or services to French individuals should review whether their activities comply with the French Data Protection Act.

Background

The CNIL has strong investigation powers under French law. In particular, it has the right to conduct on-site investigations (e.g., facilities inspections, document reviews, investigational hearings of company representatives) and, since 2014, online inspections (e.g., reviewing any publicly available information such as online privacy policies, online consent mechanisms, compliance with cookies requirements). The CNIL is not required to give prior notice to companies before an inspection, either on-site or online, except in very specific circumstances (i.e., if such inspection is requested by a data protection authority from another EU Member State). Hindering the CNIL's inspection may result in fines of up to €15,000 and up to one year of imprisonment. Violation of the French Data Protection Act may be sanctioned by fines of up to €150,000 and may cause important reputational damages.

CNIL Priorities for 2015

Each year, the CNIL publishes a new inspection program in which it specifies its enforcement priorities in terms of industries, technologies, products, services, and types of data processing activities.

In 2015, the CNIL plans to significantly increase the number of inspections (the CNIL anticipates an increase of about 30 percent; from 421 inspections in 2014 to 550 inspections in 2015). According to the CNIL's previsions, around 350 of the inspections will be conducted on-site, and 200 will be conducted online.

The CNIL's announced priorities for 2015 cover a broad range of technologies and data processing activities:

• Contactless payments.² Investigations into contactless payment systems will focus on data security issues and the effective implementation of opt-out systems.
• Offline retailers and public space analytics.³ The CNIL will look at in-store frequentation analytics tools and will examine how retailers and advertisers use consumers' device information and WIFI networks to analyze consumers' behavior in stores, shopping malls, and other public spaces. In particular, the CNIL will review how companies comply with the notice and consent requirements.
• eHealth.⁴ The CNIL plans to investigate how companies providing lifestyle and well-being smart devices and services comply with French data protection law. In particular, the CNIL will look at companies' data sharing practices and how they provide notice and obtain individuals' consent.
• Binding Corporate Rules (BCRs). The CNIL has been at the forefront of the development of BCRs (which are a tool for legitimizing international data transfers). So far, the CNIL has not reviewed any approved BCRs ex-post. This will change in 2015, as the CNIL intends to begin inspecting companies with approved BCRs. Companies that have (or are obtaining) approvals for their BCRs should be prepared for on-site inspections and other requests from the CNIL regarding their BCRs this year.
• Surveys on psychosocial risks at the workplace. The CNIL will review the use of surveys on psychosocial risks at the workplace; surveys which are often conducted to evaluate and reduce employees' stress at the work. However, the CNIL received various complaints from employees about privacy issues related to such surveys.
• International cooperation. Besides its cooperation at the EU level, the CNIL intends to pursue its international cooperation efforts. In this context, it takes part in the "Sweep Day" initiatives organized by the Global Privacy Enforcement Network. For instance, the CNIL took part in the "Sweep Day" for children's privacy from May 12 to May 15, along with 28 other data protection authorities worldwide.

Conclusions

Over the past years, the CNIL has developed into one of the strictest data protection authorities when it comes to enforcement practices. This has been re-enforced by legislative changes allowing the CNIL to perform online inspections. The CNIL's inspection program for 2015 demonstrates that the CNIL intends to further step up its inspections in the coming years. Companies located in France or that provide services in France should thus anticipate inspections by the CNIL and verify their compliance practices.

The CNIL plays an important role in the development and enforcement of data protection rules at the European level as it currently leads the Article 29 Working Party (i.e., an advisory body composed of representatives from all EU data protection authorities). Therefore, the CNIL's inspection program can be seen as a good indication of what will be the priorities of other data protection authorities across the EU.

¹ CNIL’s inspection program for 2015, available electronically at: http://www.cnil.fr/linstitution/actualite/article/article/programme-des-controles-2015/ (in French).

² CNIL’s article on contactless payment from May 21, 2015, available electronically at: http://www.cnil.fr/documentation/fiches-pratiques/fiche/article/carte-de-paiement-sans-contact-mode-demploi/ (in French).

³ CNIL’s article on in-store frequentation measuring and consumer tracking from August 19, 2014, available electronically at: http://www.cnil.fr/les-themes/conso-pub-spam/actualite/article/mesure-de-frequentation-et-analyse-du-comportement-des-consommateurs-dans-les-magasins/ (in French). 

⁴ CNIL’s article on quantified self and connected objects from May 18, 2014, available electronically at: http://www.cnil.fr/linstitution/actualite/article/article/quantified-self-m-sante-le-corps-est-il-un-nouvel-objet-connecte/ (in French).