2021, “an unprecedented year” for the Cnil with 214 million euros in fines imposed



The Cnil pronounced 18 sanctions and 135 formal notices during the past year. Of the 18 sanctions imposed by the personal data gendarme, 15 resulted in fines for a total amount of 214.1 million euros.

Since the entry into force of the GDPR, the European Union's regulation on the protection of personal data, the activity of the National Commission for Computing and Freedoms (Cnil) has known no respite. This was confirmed in 2021, “an unprecedented year” for the personal data constable, which issued 18 sanctions and 135 formal notices over the past year (14 sanctions and 49 formal notices in 2020). As for the cumulative amount of fines imposed, it reached 214.1 million euros, compared to 138.5 million euros in 2020 and barely 51.4 million euros in 2019.

Of the 18 penalties imposed by the CNIL, 15 resulted in fines. They should be more numerous in 2022, with even more impressive amounts. And for good reason: the heaviest sanction ever pronounced by the French regulator came at the beginning of the year, when Google was fined 150 million euros for non-compliance with the legislation on cookies. Facebook was also fined 60 million euros for the same reason, making 210 million euros in just two sanctions. The Cnil had already imposed a fine of 100 million euros on Google, also on the subject of cookies, in December 2020. That sanction was definitively validated by the Council of State on January 28, 2022, on World Data Protection Day.

Beyond Google and Facebook, the “priority cookie theme” found itself at the heart of 89 of the 135 formal notices issued by the CNIL in 2021. As for the 18 sanctions imposed, half “has a breach in relation to the security of personal data”, the organization headed by Marie-Laure Denis considering in particular that “the security measures taken by organizations often remain insufficient”. The personal data policeman also denounces “lack of information of persons and excessive retention periods” among the most frequent shortcomings noted during its inspections.

2021 review

A collaboration with Luxembourg for a historic fine against Amazon

This report marks the rise of the Cnil, a little less than four years after the entry into application of the GDPR. It is this regulation that gives the regulatory authorities of the Member States of the European Union the power to sanction companies that do not comply with European rules on the protection of personal data, with fines of up to 4% of their global turnover.

In the context of the GDPR, the CNIL also examined 17 European files and took four decisions in cooperation with other European authorities last year. The Cnil notably worked with its Luxembourg counterpart, which led to a fine of 746 million euros imposed on Amazon last summer. This is the heaviest financial penalty imposed to date under the GDPR. While most European countries, like France, play the game, this is not the case for some, like Ireland, which does not want to offend the technological giants it hosts. Google, Meta (Facebook), Apple, Microsoft, Twitter and even TikTok have chosen to set up their European headquarters in the land of Guinness.


