CNIL: The French Data Protection Authority Publishes 2021 Priorities

In March 2021, the French data protection authority, the 'CNIL', revealed its top priorities for audits and enforcement in 2021. In addition to its usual activities, this year the CNIL will focus on cybersecurity, the security of health data, and the use of cookies and other similar technologies.

In accordance with the GDPR, data controllers (and processors) are obliged to respect certain rules and principles when processing personal data. In order to ensure compliance and to stay up to date with the latest guidance from the supervisory authorities on personal data, it is important to review the latest publications from supervisory authorities across Europe.

Indeed, the CNIL's focus can also guide the strategy of various organisations processing personal data wherever they are based, given the GDPR’s international scope and the EU and UK’s commitment to respect GDPR-standards in a post-Brexit world in our era of Digital Trade.

Of course, it is essential that all companies that process personal data implement sufficient compliance practices. Organisations must be vigilant and uphold the principle of accountability, and in the event of a CNIL inspection, it is important to have a procedure in place that is appropriate to the processing activities and any potential CNIL investigation. You can read more about this in our recent article on this subject.

It is in this context, and thanks to the CNIL's recent publication of its 2021 strategy, that we share in this article the CNIL's main focus points for the coming year!

Focus on cybersecurity

Cybersecurity has been an increasing concern of the CNIL. In a press release in February 2021, the CNIL pointed out that website security breaches are now among the most common failings found during audits. In 2020, it saw a significant rise in the number of data breach notifications (+24% since 2019).

In its announcement, the CNIL said it intends to ensure the security of the most used websites in France across various sectors, focusing on, among other things, the collection of personal data, the use of HTTPS and compliance with its recommendations on passwords.

Security of health data

This comes as no surprise in the context of the current Covid-19 pandemic and the diverse legal issues raised by the digitalisation of the health sector.

In fact, in 2020, the CNIL witnessed three times more violations linked to cryptolocker attacks on healthcare institutions such as hospitals, clinics, laboratories, etc. (12 breaches in 2019 compared with 36 in 2020).

Moreover, the media recently reported the massive leak of the medical data of over 500,000 people. In this respect, yesterday, the Paris court of justice adopted a decision requiring the main Internet service providers to block access to the website hosting the data file. The CNIL has stated that it will remain alert to the need for potential additional measures, and will continue its investigations.

Crack-down on the use of cookies and other similar technologies

Initiated in 2020, the CNIL's goal of ensuring compliance with obligations on advertising targeting and profiling of Internet users is widening: controls will now also cover the rules relating to the collection of consent as informed by the guidelines adopted by the CNIL on October 1st, 2020 (coming into effect April, 2021). In light of this, the CNIL noted that it will continue its cooperation with European supervisory authorities for the monitoring of cross-border processing activities.

Conclusion

On the whole, these issues are in line with the topics focused on by the CNIL in 2020, since of the three topics selected as priorities in 2021, the only one that did not feature in last year's priorities was cybersecurity. In our view, the approach of the CNIL is logical, especially in view of the current pandemic climate and the growing success of digital and online business.

Of course, as usual, if you have any questions about this article or if you want to review your GDPR or data protection practices, please do not hesitate to contact us!

Article by Evane Alexandre @ Gerrish Legal, March 2021

Sources:

Cybersecurity, health data, cookies: priority control topics in 2021, CNIL, 02 March 2021 (https://www.cnil.fr/fr/cybersecurite-donnees-de-sante-cookies-les-thematiques-prioritaires-de-controle-en-2021)

Health data breach: CNIL reminds organisations of their obligations following a massive data leak announced in the media, CNIL, 24 February 2021 (https://www.cnil.fr/fr/violation-de-donnees-de-sante-la-cnil-rappelle-les-obligations-des-organismes-la-suite-dune-fuite-de)

Health data leak: the Paris judicial court requests the blocking of a website, CNIL, 04 March 2021 (https://www.cnil.fr/fr/fuite-de-donnees-de-sante-le-tribunal-judiciaire-de-paris-demande-le-blocage-dun-site-web)
