Sanctions: the CNIL wants to show that it is stepping up its game


The CNIL (Commission Nationale de l'Informatique et des Libertés) is hitting harder and harder, and in all sectors. The Commission says it issued 21 sanctions and 147 formal notices last year. The total amount of fines exceeds 100 million euros. Note that only 13 sanctions have been made public.

“Among the most frequent shortcomings are the lack of information for people, the non-respect of their rights and the lack of cooperation with the CNIL,” indicates the Commission. In detail, the breaches relate to the security of personal data, poor management of cookies and other trackers, and commercial prospecting.

CNIL sanctions by example

Two recent examples illustrate the CNIL's action. Last December, the operator Free, already fined 300,000 euros in January 2022 over its mobile telephony activity, was fined the same amount over its fixed telephony activity. At issue was the operator's reluctance to comply with GDPR rules on the rights of access and erasure and on the security of personal data. The amount of the sanction corresponds to 0.004% of the consolidated turnover of the Iliad group, the parent company of Free.

In November 2022, EDF was fined 600,000 euros, in particular for failing to prove that it had obtained valid prior consent from the recipients of an electronic commercial prospecting campaign.

For the most serious breaches, the CNIL can impose an administrative fine of up to 20 million euros, or 4% of annual worldwide turnover.

A European job

The formal notices, a record 147, concern non-compliance with the obligation to appoint a DPO, the illegal transmission of data to commercial partners, the transfer of data to the United States with the Google Analytics tool, and website security measures.

At the European level, since the entry into force of the GDPR, the fines imposed by the various European data protection authorities exceed a total of 2.5 billion euros. The Irish authority is the figurehead of this action, since the tech giants most often domicile their European subsidiaries in that country.

Meta was thus fined twice (a total of 475 million euros against Facebook and 585 million euros against Instagram). In 2021, the Luxembourg authority imposed a fine of 746 million euros on Amazon.

Last November, the CNIL called for a law to specify under what conditions supplementary health insurance organizations can collect the health data of policyholders in compliance with the GDPR and medical secrecy.
