CNIL gets new powers to handle GDPR complaints

Out-Law News | 21 Apr 2022 | 2:13 pm | 1 min. read

A recent change to the law in France will facilitate an increase in the number of data protection investigations in the country, an expert has said.

Paris-based Clémence Marolla of Pinsent Masons was commenting after an 8 April decree gave France’s data protection authority new powers to fast-track the handling of minor and low-complexity data protection complaints.

The new “simplified sanction procedure” has been introduced at a time when the number of data protection complaints in France has been growing. Last year alone, more than 14,000 complaints were made to the authority, citing alleged breaches of the EU General Data Protection Regulation (GDPR).

The CNIL president will be responsible for triaging complaints. If they decide that a complaint should be handled in accordance with the simplified sanction procedure, this will not only affect the way the complaint is handled but impact the nature and size of sanctions the authority can impose if it subsequently finds the business concerned responsible for non-compliance too.

In a statement, the CNIL said: “The simplified sanction procedure follows the same steps as the ordinary sanction procedure (for deadlines, adversarial procedure, etc.), but its implementation procedures are simplified: the president of the restricted formation [i.e. the CNIL’s formation in charge of issuing sanctions] (or a member he designates) decides alone and no public hearing is organised, unless the [organisation subject to the procedure] requests to be heard. The penalties that may be imposed in this context are limited to the call to order, a fine of up to €20,000 and an injunction with penalty capped at €100 per day of delay. These sanctions cannot be made public.”

Clémence Marolla of Pinsent Masons said: “This new simplified sanction procedure will allow the CNIL to have a wider scope of action and therefore to increase the number of investigations for less complex or less serious breaches.”

Earlier this year, CNIL confirmed three priority areas for its regulatory focus in 2022. This includes the arrangements organisations put in place for transferring personal data outside of the EU when using cloud computing services, the way employers use technology to monitor the activities of their staff, and “commercial prospecting”, where it expects to review the activities of data brokers among others.