Cookies, video surveillance and ransomware: the Cnil almost overwhelmed in 2021


If the number of complaints seems to have reached a “high plateau” at more than 14,000, the year 2021 has been “unprecedented” in terms of sanctions, detailed the Commission in its annual report.

The Cnil, guardian of the privacy of Internet users in France, mobilized on multiple fronts in 2021, from cookies, with significant sanctions imposed on the giants of the web, to cybersecurity and data sovereignty. An intense activity for which the institution requires more resources.

If the number of complaints seems to have reached a “high plateau” at more than 14,000, the year 2021 has been “unprecedented” in terms of sanctions, “both by the number of measures adopted (18 sanctions and 135 formal notices) and by the cumulative amount of fines, which reached more than 214 million euros” (+55%), detailed the Commission in its annual report published on Wednesday 11 May.

After giving companies time to adapt on the subject of cookies, the web trackers widely used by advertising giants, the Cnil was able this time to rely on the European GDPR, which provides for fines of up to 4% of turnover. Thus, Google and Facebook were sanctioned in December to the tune of 150 and 60 million euros respectively, because “they did not allow millions of Internet users to refuse ‘cookies’ as easily as to accept them”, recalled the president of the Cnil, Marie-Laure Denis, during a press conference. The two giants have since indicated that they have modified their interface, noted the Cnil.

The regulator reiterated its warning on the traffic analysis tool Google Analytics, on which it announced 3 formal notices. “The recent announcement of an agreement in principle (on data transfers, editor’s note) between the EU and the United States is an important first step, but does not modify the legal framework for transfers at this stage. In the absence of a text which will not be ready for several months, the actors must take measures to ensure compliance with data protection,” said Marie-Laure Denis.

Having received no response from the American company Clearview, which was given formal notice to delete the images of people residing in France from its database used for facial recognition purposes, Marie-Laure Denis said she would “seriously consider referring the matter to the restricted commission of the Cnil in the near future” to launch a sanction procedure.

14 data breaches reported daily

The Commission has also observed a dramatic increase in reports of data breaches, more than 14 per day on average, linked to companies' awareness of the obligation to report any leak of personal data, but also to the “very strong growth in computer attacks, particularly ransomware attacks”, which primarily target businesses, communities and public bodies, particularly in the health sector.

Some 3,000 breaches, or 59% of reports, were the result of hacking, and more than 2,150 were linked to ransomware, it found. Faced with this growing activity and the prospect of obtaining new missions through the new European regulation on digital technology (DSA, DMA, Data Act, regulation on artificial intelligence, ePrivacy regulation), the Cnil wants to develop its practice.

It plans to “take more small penalties” by relying on a simplified procedure allowing the president of its restricted committee alone to pronounce fines of a maximum amount of 20,000 euros, and periodic penalties of 100 euros per day maximum. “When, for example, we penalize a dentist’s office, we have found that this makes it possible to bring an entire sector into compliance”, justified Marie-Laure Denis.

“It is a real necessity to consolidate the means of the Cnil”, she continued. The institution will have 270 agents at the end of 2022 for a budget of some 22 million euros, still far from its British and German counterparts, which have nearly 1,000 agents.
