Out-Law News 2 min. read

Cloud data transfers and employee monitoring to get CNIL 2022 focus


The arrangements organisations put in place for transferring personal data outside of the EU when using cloud computing services will come under increased scrutiny from the French data protection authority this year, it has confirmed.

The Commission Nationale de l’information et des Liberties (CNIL) said the use of cloud technologies “should be given special attention”. It said cloud services had become “essential” but said they are “likely to entail risks for the protection of personal data”. In particular, it said there is a risk, when cloud technologies are being used, that personal data will be transferred outside of the EU “to countries that do not provide an adequate level of protection” for that data.

“Throughout the year, the CNIL will be looking in greater detail at issues relating to data transfers and the framework for contractual relations between data controllers and cloud solution providers,” the CNIL said.

The CNIL said its work in relation to cloud services is part of broader coordinated enforcement activity it is involved in undertaking under the auspices of the European Data Protection Board. That coordinated action will involve data protection authorities from across Europe opening investigations into the use of cloud-based services by public sector bodies. CNIL said it will focus specifically on the use of cloud services by five government departments.

Paris-based data protection law expert Guillaume Morat of Pinsent Masons said: “Following the various decisions ruled by several data protection supervisory authorities early this year, this announcement by the CNIL confirms that the  transfer of personal data outside the EU and particularly in the US will be under great scrutiny this year.”

The use of cloud computing is just one of three priority topics for investigation that the CNIL has announced it has adopted for 2022.

The CNIL also plans to closely scrutinise the way employers use technology to monitor the activities of their staff, to make sure it is compliant with data protection laws. It pointed to the increase in remote working experienced during the Covid-19 pandemic and how the growth in remote working has spurred many employers to use tools “to monitor more closely the daily tasks and activities of employees”.

The CNIL has previously issued guidance in relation to employee monitoring and said it “now considers it necessary to verify the compliance of employers' practices in the field”.

The third priority area for the CNIL is “commercial prospecting”, where it expects to review the activities of data brokers among others. It described unsolicited commercial prospecting as “one of the irritants of everyday life in France” and highlighted the fact that it is “a recurrent subject of complaints”. The CNIL said it will “check the compliance with the GDPR of professionals in the sector” against a "commercial management" reference framework it published earlier this month.

The CNIL priorities for 2021 were the cybersecurity of websites, the security of health data and the use of cookies.

By announcing its priority topics for 2022, CNIL does not preclude itself from investigating complaints raised by others or proactively raising investigations in other areas.

CNIL’s activities in the priority areas will take the form of ‘controls’. It said it is typical for controls in priority areas to represent about a third of its investigations caseload. In 2021, the CNIL carried out 384 investigations in total.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.