CNIL to step up privacy audits

Out-Law News | 08 May 2014 | 9:59 am | 1 min. read

The data protection authority in France is to increase the number of privacy audits of organisations it conducts by a third this year.

The Commission nationale de l'informatique et des libertés (CNIL) said it hopes to conduct 550 privacy audits during 2014, up from the 414 it conducted last year.

Paris-based data privacy expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said that the increase in CNIL's privacy audit target may be attributed to new powers the authority was handed earlier this year, which now allow it to conduct such assessments remotely. CNIL said that it is planning 200 remote audits compared with 350 on-site inspections this year.

"The previous powers only extended to conducting on-site inspections, which made the system of auditing overly complicated, onerous and in some cases impossible," Richard said. "This is notably because CNIL was limited to conducting on-site inspections within French territory only. The new powers mean that CNIL can now assess whether the privacy practices of e-merchants operating in France but based outside of the country are in line with French data protection laws."

Richard said that the remote audit powers do not mean that CNIL has access to internal IT systems or secured information on those systems, but that they instead allow it to inspect information freely available online.

"In practice, this means that CNIL is likely to check businesses' websites to make sure that they are obtaining appropriate consent to the processing of consumers' personal data, as well as assess company privacy policies," Richard said.

"As part of the checks CNIL may decide to test the functionality of websites. It has identified certain areas of focus such as online payment systems and online dating services and so may decide to conduct test purchasing or registrations so as to plant seeds of data. CNIL could then use subject access request rights to check what type of information is being recorded and stored by the businesses and whether the companies are sufficiently open with consumers about that data collection and have appropriate consent," she said.