Ransomware, cookies, political role… the CNIL was busy in 2021


The CNIL had a turbulent year. The Web policeman notes a sharp increase in reports in 2021, in particular due to ransomware attacks, and has imposed more than 200 million euros in fines for the misuse of cookies.

The CNIL has never had so much work to do, as evidenced by its annual activity report for 2021. After having given companies some slack on cookies, the well-known advertising trackers on websites, the time had come for sanctions. In 2021, the CNIL carried out 384 checks on this subject, received more than 14,143 complaints and closed 12,522. It also received more than 5,000 notifications of data breaches. The shortcomings noted during some of the investigations led the body to issue 135 formal notices and 18 sanctions, for a historic cumulative amount of fines exceeding 214 million euros. Two fines drew particular comment: the one against Google, for a total of 150 million euros, and the one against Facebook, for 60 million euros. The two American giants did not make it as easy to refuse cookies as to accept them.

The plague of ransomware

The CNIL lists 5,037 breach notifications received in 2021, compared to 2,821 in 2020, i.e. a significant increase of 79%. On average, nearly 14 notifications are received per day, or 420 per month. It notes very strong growth in computer attacks, in particular ransomware attacks, which constitute the leading cyber threat for companies, local authorities and public bodies. This malware locks down the contents of a computer, for example, and demands payment of a ransom to hypothetically regain access to the data and the device. According to the CNIL, this increase would require better appropriation of the notification obligation, resulting from better consideration of cybersecurity issues within organisations, as well as the definition and implementation of internal processes making it possible to detect and react to personal data breaches.

SMEs and micro-enterprises also represent 69% of notifications, which mainly concern computer hacking (68%). The CNIL also notes that the science and health sectors have been particularly affected, with respective increases in complaints of 191% and 195% compared to the previous year, attackers probably taking advantage of the Covid-19 epidemic and the generalization of telework.

A role of political and public advisor

The CNIL also had an intense year politically. The body was approached 121 times, most often by the government or Parliament, for legislative proposals, draft laws or orders, or draft decrees or orders. This is a time-consuming mission because, in addition to its advisory role, the CNIL can, through its opinions, bring about significant changes to the texts. In particular, it advises the government, which must ask for its opinion on certain projects.

The CNIL also informs and advises individuals and professionals on their rights and obligations through dedicated hotlines. In 2021, it received 161,475 calls, i.e. 33% more than the previous year, and this “despite the health crisis and the partial closure of telephone hotlines during confinement”. These requests mainly concern cookies and other trackers, the steps to be taken to request delisting from search engines, and how to exercise one's rights with websites. More surprisingly, the CNIL also mentions the use of employee data by employers, in particular video surveillance and geolocation at work, which is worrying to say the least. Finally, Internet users are concerned about the data processed by the banking sector, as well as the collection of data carried out as part of the fight against Covid-19 and the guarantees taken to ensure its confidentiality.


