French data protection authority outlines 2024 priority investigation topics

The CNIL recently announced its priority investigation topics for 2024. The authority will focus on data relating to minors, files linked to the Olympic and Paralympic Games, electronic sales receipts and loyalty programmes, and people’s right of access.

In the wake of the Olympic and Paralympic Games, the CNIL will scrutinise the data collected as part of ticketing services and security measures, including the use of QR codes for restricted areas and augmented cameras, it said. Given the number of people involved and the potential for data sharing with event partners, the CNIL aims to ensure that data collection complies with the legal framework.

The CNIL will also investigate the data collected from minors through social networks, data sites, and online gaming platforms. Its goal is to verify whether age control mechanisms have been implemented, whether the ‘data minimisation’ principle is being complied with, and whether security measures are in place to protect minors’ data.

In addition, the CNIL will examine loyalty programmes and electronic till receipts, which often involve the collection of a great deal of information about consumers.

The CNIL is known as one of the toughest supervisory authorities in Europe. In 2023, the CNIL increased its activity, pronouncing 42 sanctions, amounting to nearly €90 million in penalties. In addition, 168 warnings and 33 reminders of legal obligation were also issued. The sanctions covered small businesses to multinationals from both the private and public sectors.

However, Théodore Perez of Pinsent Masons said: “The CNIL does not intend to be more zealous than necessary. In fact, it believes that an average of 300 to 400 inspections a year is the most appropriate level for effective and comprehensive regulation, while maintaining a high level of inspection quality on a case-by-case basis.”

Annabelle Richard, technology expert at Pinsent Masons said: “On the other hand, there is an increasing tendency to sanction. But it is interesting to note a dissonance between the progressive increase in the number of sanctions and the decrease in the amounts of these same sanctions.”

Perez added: “For instance, in 2020 the CNIL imposed 14 sanctions, including 11 fines, for a total of €140 million. In 2022 it was 21 sanctions, including 19 fines, for a total of €100 million; and in 2023, 42 sanctions, including 36 fines, for a total of €90 million”.

However, this discrepancy is largely accounted for by the arrival of a new feature of CNIL procedures – simplified sanctions, Perez said. “Both classic data controllers, such as those who have already been subject to case law, and small operators should focus on the new procedure which represents a major advance in the way the CNIL operates,” he added.

It is important for firms to remember that CNIL has enormous investigative powers compared with other supervisory authorities in other sectors such as finance and communications, Perez said. “It is imperative to take careful account of the inspection topics announced for 2024. Indeed, the tendency to impose sanctions should be seen in the content of the CNIL’s desire to continually strengthen the ranks of its reams responsible for sanctions and litigation,” he added.

Along with the focuses of 2024, investigations will continue in other areas, either because the CNIL is aware that they are a source of abuse or following a complaint regarding a specific event or data breach sufficient to trigger an inspection procedure, it said.